Pass build secrets to Snyk

ministryofjustice · Mar 7, 2024 · 1c2121f · 1c2121f
1 parent 867207f
commit 1c2121f
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
@@ -46,8 +46,12 @@ jobs:
         # Build the docker images for testing
       - name: Container monitor ~ build FPM & Nginx Docker images
         run: |
-          docker image build -t justice-fpm:snyk --target build-fpm .
+          docker image build --build-arg COMPOSER_USER="$COMPOSER_USER" --build-arg COMPOSER_PASS="$COMPOSER_PASS" -t justice-fpm:snyk --target build-fpm .
           docker image build -t justice-nginx:snyk --target build-nginx .
+        env:
+          COMPOSER_USER: ${{ secrets.COMPOSER_USER }}
+          COMPOSER_PASS: ${{ secrets.COMPOSER_PASS }}
+
         # Runs Snyk Container (Container and SCA) analysis.
       - name: Container monitor ~ analyse
         run: |

diff --git a/Dockerfile b/Dockerfile
@@ -30,7 +30,7 @@ USER 82
 FROM base-fpm AS build-fpm-composer
 
 ARG COMPOSER_USER
-ENV COMPOSER_USER $COMPOSER_USER
+ARG COMPOSER_PASS
 
 WORKDIR /var/www/html
 
@@ -40,7 +40,6 @@ COPY ./bin/composer-auth.sh /var/www/html/composer-auth.sh
 RUN chmod +x /var/www/html/composer-auth.sh
 RUN /var/www/html/composer-auth.sh
 
-
 # non-root
 USER 82
 
@@ -49,7 +48,7 @@ RUN composer install --no-dev --no-scripts --no-autoloader
 
 COPY . .
 RUN composer install --no-dev
-RUN composer dump-autoload -o
+RUN composer dump-autoload -o && rm -f auth.json
 
 ARG regex_files='\(htm\|html\|js\|css\|png\|jpg\|jpeg\|gif\|ico\|svg\|webmanifest\)'
 ARG regex_path='\(app\/themes\/clarity\/error\-pages\|app\/mu\-plugins\|app\/plugins\|wp\)'