[CONFIG] Docker: snyk actions splitted

Gonzalo Diaz · Gonzalo Diaz · commit 62700eb0541d · 2025-07-30T17:38:43.000-04:00
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -110,7 +110,7 @@ jobs:
         run: |
           docker run --rm ${{ env.IMAGE_NAME }}:test make test
 
-  security:
+  snyk-image:
     name: "Snyk Container"
     runs-on: ubuntu-24.04
     needs: build
@@ -141,6 +141,38 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           image: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+
+      # yamllint disable rule:line-length
+      # https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400
+      - name: Replace security-severity undefined for license-related findings
+        run: |
+          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
+          sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
+      # yamllint enable rule:line-length
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'snyk.sarif'
+
+  snyk-docker:
+    name: "Snyk Docker"
+    runs-on: ubuntu-24.04
+    needs: build
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #
+      - name: Run Snyk to check Docker image for vulnerabilities
+        # Snyk can be used to break the build when it detects vulnerabilities.
+        # In this case we want to upload the issues to GitHub Code Scanning
+        continue-on-error: true
+        uses: snyk/actions/docker@master
+        env:
+          # yamllint disable rule:line-length
+          # In order to use the Snyk Action you will need to have a Snyk API token.
+          # See https://docs.snyk.io/integrations/ci-cd-integrations/github-actions-integration#getting-your-snyk-token
+          # or you can sign up for free at https://snyk.io/login
+          # yamllint enable rule:line-length
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
           args: --file=Dockerfile
       # yamllint disable rule:line-length
       # https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400
@@ -153,6 +185,7 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'snyk.sarif'
+
   scan:
     name: "Trivy"
     runs-on: ubuntu-24.04
