Skip to content

[Snyk] Security upgrade express from 4.17.1 to 4.21.1 #135

[Snyk] Security upgrade express from 4.17.1 to 4.21.1

[Snyk] Security upgrade express from 4.17.1 to 4.21.1 #135

name: Build, test and publish
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Prepare
id: prep
run: |
DOCKER_IMAGE=purpledobie/snayjk
VERSION=latest
TAGS="${DOCKER_IMAGE}:${VERSION}"
echo ::set-output name=tag::${TAGS}
if [ "${{ github.event_name }}" != "pull_request" ]; then
TAGS="$TAGS,${DOCKER_IMAGE}:sha-${GITHUB_SHA::8}"
fi
if [[ $VERSION =~ ^v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
MINOR=${VERSION%.*}
MAJOR=${MINOR%.*}
TAGS="$TAGS,${DOCKER_IMAGE}:${MINOR},${DOCKER_IMAGE}:${MAJOR},${DOCKER_IMAGE}:latest"
fi
echo ::set-output name=version::${VERSION}
echo ::set-output name=tags::${TAGS}
echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Login to container registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build
uses: docker/build-push-action@v2
with:
load: true
tags: ${{ steps.prep.outputs.tags }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
labels: |
org.opencontainers.image.created=${{ steps.prep.outputs.created }}
org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
org.opencontainers.image.version=${{ steps.prep.outputs.version }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.licenses=${{ github.event.repository.license.name }}
- name: Monitor published image for vulnerabilities with Snyk
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
image: ${{ steps.prep.outputs.tag }}
args: --file=Dockerfile --project-name=${{ steps.prep.outputs.tag }} --policy-path=.snyk
if: github.event_name != 'pull_request'
- name: Test the image with Snyk for high-severity vulnerabilities
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ steps.prep.outputs.tag }}
args: --file=Dockerfile --severity-threshold=high --policy-path=.snyk
if: github.event_name == 'pull_request'
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: snyk.sarif
if: github.event_name == 'pull_request'
# - name: Output a SARIF file from Snyk
# continue-on-error: true
# uses: snyk/actions/docker@master
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# sarif: true
# image: ${{ steps.prep.outputs.tag }}
# args: --file=Dockerfile
# if: github.ref == 'refs/heads/main'
- name: Push
uses: docker/build-push-action@v2
with:
push: true
tags: ${{ steps.prep.outputs.tags }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
labels: |
org.opencontainers.image.created=${{ steps.prep.outputs.created }}
org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
org.opencontainers.image.version=${{ steps.prep.outputs.version }}
org.opencontainers.image.revision=${{ github.sha }}
if: github.event_name != 'pull_request'