Skip to content

Security Scan

Security Scan #636

Workflow file for this run

name: Security Scan
on:
push:
branches:
- master
- release/*
schedule:
- cron: "23 18 * * *"
workflow_dispatch:
jobs:
scan-code:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Security Scan
uses: snyk/actions/python-3.10@master
continue-on-error: true
with:
args: --fail-on=upgradable
--severity-threshold=high
--all-projects
--exclude=tests,docs
--sarif-file-output=snyk-code.sarif
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif
scan-image:
runs-on: ubuntu-latest
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@master
with:
remove-dotnet: "true"
remove-haskell: "true"
remove-android: "true"
root-reserve-mb: "30720"
- uses: actions/checkout@v3
- name: Build Docker Image
run: |
DOCKER_BUILDKIT=1 docker build . \
--build-arg RUNTIMES=all \
-t $MLSERVER_IMAGE
env:
MLSERVER_IMAGE: seldonio/mlserver:${{ github.sha }}
- name: Scan Docker Image
uses: snyk/actions/docker@master
continue-on-error: true
with:
image: seldonio/mlserver:${{ github.sha }}
args: --fail-on=upgradable
--severity-threshold=high
--app-vulns
--file=Dockerfile
--policy-path=.snyk
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif