
Commit ff8be44

authored
Combine scan jobs for arm64 and amd64 debian SDK images (#397)
To avoid pulling the snyk image too often due to a very large matrix, we generate a matrix without architecture, and run the scan twice in each job, once for amd64 and once for arm64. Fixes #396 (comment)
1 parent 9de4e1c commit ff8be44


1 file changed

+26
-6
lines changed

1 file changed

+26
-6
lines changed

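--- a/.github/workflows/snyk-scan.yml
+++ b/.github/workflows/snyk-scan.yml
@@ -131,8 +131,11 @@ jobs:
       - uses: actions/checkout@master
       - name: Define Matrix
         id: define-matrix
+        # To avoid pulling the snyk image too often due to a very large matrix,
+        # we generate a matrix without architecure, and run the scan twice
+        # in each job, once for amd64 and once for arm64.
         run: |
-          echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py) >> "$GITHUB_OUTPUT"
+          echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py --no-arch) >> "$GITHUB_OUTPUT"
 
   debian-sdk:
     name: Debian SDK images
@@ -152,23 +155,40 @@ jobs:
       - name: Set version
         run: |
           [ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
-      - name: Set image name
+      - name: Set image name - amd64
         run: |
-          echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-${{ matrix.arch }}" >> $GITHUB_ENV
-      - name: Snyk scan
+          echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-amd64" >> $GITHUB_ENV
+      - name: Snyk scan - amd64
         continue-on-error: true
         uses: snyk/actions/docker@master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           image: ${{ env.IMAGE_NAME }}
-          args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/${{ matrix.arch }}
-      - name: Filter Sarif File
+          args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/amd64
+      - name: Filter Sarif File - amd64
         run: python ./.github/scripts/filter-sarif.py
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: out.sarif
+      - name: Set image name - arm64
+        run: |
+          echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-arm64" >> $GITHUB_ENV
+      - name: Snyk scan - arm64
+        continue-on-error: true
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.IMAGE_NAME }}
+          args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/arm64
+      - name: Filter Sarif File - arm64
+        run: python ./.github/scripts/filter-sarif.py
+      - name: Upload result to GitHub Code Scanning - arm64
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: out.sarif
 
   ubi-sdk:
     name: UBI SDK images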
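Review bot: The two `upload-sarif` steps in the same job (the existing one and the new "Upload result to GitHub Code Scanning - arm64") both upload `out.sarif` for the same commit with no `category` input, so unless `filter-sarif.py` writes a distinct `runAutomationDetails.id` per architecture the arm64 upload will replace the amd64 findings in Code Scanning rather than sit alongside them; add `category: snyk-${{ matrix.sdk }}${{ matrix.suffix }}-amd64` under the first `with:` and `category: snyk-${{ matrix.sdk }}${{ matrix.suffix }}-arm64` under the second. A related concern is that both scans carry `continue-on-error: true`, so if the arm64 `snyk/actions/docker` run fails (e.g. the image pull fails), the arm64 filter step presumably re-reads whatever SARIF the amd64 scan left in the workspace and uploads amd64 results labelled as arm64 — consider deleting the Snyk output file before the second scan, or guarding the arm64 filter/upload steps with `if: steps.<scan-id>.outcome == 'success'` after giving the scan step an `id`. The new arm64 step also introduces another `uses: snyk/actions/docker@master` reference; this workflow receives `secrets.SNYK_TOKEN`, so pinning the action to a full commit SHA instead of a mutable branch would limit exposure to a compromised upstream. The `define-matrix` comment still spells "architecure" and the `--no-arch` flag it relies on lives in `gen-matrix.py`, which is outside this diff.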
