From bcb9ada0be14bfe2de2b95e8dad6bcdc5b0b9225 Mon Sep 17 00:00:00 2001
From: Leigh-Anne Mathieson
Date: Tue, 24 Jan 2023 15:48:25 +0000
Subject: [PATCH] Scan Docker images with Snyk container monitor in ci.yml (close #1191)
Whenever we release RDB loader, we run a Snyk scan to check for security vulnerabilites. Previously, we had a separate Github action for this, `snyk.yml` which just ran `snyk monitor` and did not scan the docker images. We are moving over to using `snyk container monitor` because we want to
- be able to keep track of vulnerabilities in the docker images we create on release without manually adding them in the Snyk UI
- continue scanning our java/scala jar files
Note that even though we are already creating docker images in `ci.yml`, they are pushed to the remote registry only, and that is why here we additionally add a step to create local Docker images for the Snyk scan.
---
 .github/workflows/ci.yml | 12 ++++++++++++
 .github/workflows/snyk.yml | 20 --------------------
 project/BuildSettings.scala | 1 -
 3 files changed, 12 insertions(+), 21 deletions(-)
 delete mode 100644 .github/workflows/snyk.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 75f9be717..dfa530560 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -154,6 +154,18 @@ jobs:
 platforms: linux/amd64,linux/arm64/v8
 tags: ${{ steps.distroless-meta.outputs.tags }}
 push: true
+ - name: Build local distroless image, which is needed to run Snyk
+ if: ${{ !contains(github.ref_name, 'rc') }}
+ run: sbt "project ${{ matrix.app }}Distroless" docker:publishLocal
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/docker@master
+ if: ${{ !contains(github.ref_name, 'rc') }}
+ with:
+ image: "${{ steps.packageName.outputs.package_name }}:${{ github.ref_name }}-distroless"
+ args: "--app-vulns --org=data-processing-new"
+ command: monitor
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 create_release:
 needs: test
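Review bot: The new step `uses: snyk/actions/docker@master` follows a mutable branch, so whatever that action resolves to at run time is handed `SNYK_TOKEN` and the freshly built release image; pin it to a full commit SHA (`uses: snyk/actions/docker@<commit-sha> # <release tag>`) and let a dependency bot advance the pin. The `image:` value assumes `docker:publishLocal` yields exactly `${{ steps.packageName.outputs.package_name }}:${{ github.ref_name }}-distroless`; the removal of `dockerRepository` in BuildSettings.scala in this same commit looks like what makes the local name line up, so a comment on the build step (`# publishLocal must produce the same name as image: below; see dockerRepository in BuildSettings.scala`) would spare the next person a failed run. Note also that `command: monitor` only uploads results and never fails the job, and that the deleted push-to-master scan is replaced by one gated on a non-rc release ref, so vulnerabilities introduced between releases will surface only in the Snyk UI — likely intended, but worth stating in the step name or a comment. The enclosing job begins before the hunk.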
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
deleted file mode 100644
index a773bb1e2..000000000
--- a/.github/workflows/snyk.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: Snyk
-
-on:
- push:
- branches: [ master ]
-
-jobs:
- security:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
-
- - name: Run Snyk to check for vulnerabilities
- uses: snyk/actions/scala@master
- with:
- command: monitor
- args: --prune-repeated-subdependencies --project-name=snowplow-rdb-loader
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/project/BuildSettings.scala b/project/BuildSettings.scala
index 99d83c1fd..f56aab58c 100644
--- a/project/BuildSettings.scala
+++ b/project/BuildSettings.scala
@@ -183,7 +183,6 @@ object BuildSettings {
 dockerBaseImage := "gcr.io/distroless/java11-debian11:nonroot",
 Docker / daemonUser := "nonroot",
 Docker / daemonGroup := "nonroot",
- dockerRepository := Some("snowplow"),
 Docker / daemonUserUid := None,
 Docker / defaultLinuxInstallLocation := "/home/snowplow",
 dockerEntrypoint := Seq("java", "-jar",s"/home/snowplow/lib/${(packageJavaLauncherJar / artifactPath).value.getName}"),