Skip to content

Removing file update to check if it is the cause of gits anger #8306

Removing file update to check if it is the cause of gits anger

Removing file update to check if it is the cause of gits anger #8306

Workflow file for this run

name: . 🕵🏼 Security Scan
on:
push:
branches:
- '**'
tags-ignore:
- '**'
env:
SNYK_TOKEN: ${{ secrets.CAOS_SNYK_TOKEN }}
DOCKER_HUB_ID: ${{ secrets.OHAI_DOCKER_HUB_ID }}
DOCKER_HUB_PASSWORD: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
jobs:
scan-deps:
name: Run security checks Snyk
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ env.DOCKER_HUB_ID }}
password: ${{ env.DOCKER_HUB_PASSWORD }}
- name: Install go deps
run: make ci/deps
- name: Scan code for vulnerabilities with Snyk
run: make ci/snyk-test
scan-container:
name: Run security checks for container agent's binaries (infra, ctl and service)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
with:
version: v0.9.1
- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ env.DOCKER_HUB_ID }}
password: ${{ env.DOCKER_HUB_PASSWORD }}
- name: Build agent binaries
run: make ci/build TAG=DEV_CI
# don't use buildx so the image gets added to the docker local registry
- name: Build container agent (amd64)
run: make -C build/container/ build/base-amd64 DOCKER_BUILD_TAG_PREFIX=pr USE_BUILDX=false
- name: Scan the created container image
uses: aquasecurity/trivy-action@master
with:
image-ref: "newrelic/infrastructure:pr-amd64"
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: "HIGH,CRITICAL"
skip-dirs: "/var"