@@ -159,71 +159,53 @@ jobs:
159159 - name : Checkout
160160 uses : actions/checkout@v4
161161
162- - name : Check for Snyk token
163- id : check-snyk
164- env :
165- SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
162+ - name : Prepare image
163+ if : ${{ secrets.SNYK_TOKEN != '' }}
166164 run : |
167- if [ -n "$SNYK_TOKEN" ]; then
168- echo "snyk_available=true" >> $GITHUB_OUTPUT
169- fi
170-
171- - name : Build image for Snyk scanning (for tags)
172- if : ${{ steps.check-snyk.outputs.snyk_available == 'true' && (github.event_name == 'push' || github.event_name == 'workflow_run') && needs.extract-version.outputs.image-ref != '' }}
173- run : |
174- docker build -t ${{ needs.extract-version.outputs.image-ref }} .
165+ if [ "${{ github.event_name }}" = "pull_request" ]; then IMAGE_REF=devcoder-test; else IMAGE_REF="${{ needs.extract-version.outputs.image-ref }}"; fi
166+ if [ -z "$IMAGE_REF" ]; then echo "Missing image reference" >&2; exit 1; fi
167+ echo "IMAGE_REF=$IMAGE_REF" >> $GITHUB_ENV
168+ docker build -t "$IMAGE_REF" .
175169
176170 - name : Run Snyk to check Docker image for vulnerabilities
177- if : steps.check-snyk.outputs.snyk_available == 'true'
171+ if : ${{ secrets.SNYK_TOKEN != '' }}
178172 continue-on-error : true
179173 uses : snyk/actions/docker@master
180174 env :
181175 SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
182176 with :
183- image : ${{ needs.extract-version.outputs.image-ref }}
177+ image : ${{ env.IMAGE_REF }}
184178 args : --severity-threshold=${{ github.event.inputs.severity || 'medium' }} --file=Dockerfile --sarif-file-output=snyk-raw.sarif
185179
186180 - name : Normalize Snyk SARIF categories
187- if : ${{ always() && steps.check-snyk.outputs.snyk_available == 'true ' && hashFiles('snyk-raw.sarif') != '' }}
181+ if : ${{ always() && secrets.SNYK_TOKEN != ' ' && hashFiles('snyk-raw.sarif') != '' }}
188182 env :
189- SCAN_ENV : ${{ github.event_name == 'pull_request' && 'pr' || 'prod' }}
190- SCAN_TAG : ${{ needs.extract-version.outputs.version }}
183+ SARIF_PREFIX : snyk-${{ github.event_name == 'pull_request' && 'pr' || 'prod' }}-${{ needs.extract-version.outputs.version }}-${{ github.run_id }}
191184 run : |
192- export SARIF_PREFIX="${SCAN_ENV}-${SCAN_TAG}-$(date -u +'%Y-%m-%d-%H-%M')"
193185 python - <<'PY'
194- import json
195- import os
196- import re
197-
198- src_path = 'snyk-raw.sarif'
199- dst_path = 'snyk.sarif'
200-
201- with open(src_path, 'r', encoding='utf-8') as f:
202- sarif = json.load(f)
203-
186+ import json, os
187+ sarif = json.load(open('snyk-raw.sarif', 'r', encoding='utf-8'))
204188 runs = sarif.get('runs')
205- if not isinstance(runs, list):
206- raise SystemExit(0)
207-
208- prefix = os.getenv('SARIF_PREFIX') or os.getenv('GITHUB_RUN_ID', 'run')
209-
210- def sanitize(value: str) -> str:
211- value = re.sub(r'[^A-Za-z0-9_.-]+', '-', str(value)).strip('-')
212- return (value[:80] or 'snyk')
213-
214- for i, run in enumerate(runs):
215- run.setdefault('automationDetails', {})
216- run['automationDetails']['id'] = f"{sanitize(prefix)}-{i}"
217-
218- with open(dst_path, 'w', encoding='utf-8') as f:
219- json.dump(sarif, f)
189+ if not isinstance(runs, list) or not runs: raise SystemExit(0)
190+ merged = runs[0]
191+ merged.setdefault('results', [])
192+ for run in runs[1:]:
193+ results = run.get('results')
194+ if isinstance(results, list): merged['results'].extend(results)
195+ for res in merged['results']:
196+ if isinstance(res, dict): res.pop('ruleIndex', None)
197+ merged.setdefault('automationDetails', {})
198+ merged['automationDetails']['id'] = os.getenv('SARIF_PREFIX', 'snyk')
199+ sarif['runs'] = [merged]
200+ json.dump(sarif, open('snyk.sarif', 'w', encoding='utf-8'))
220201 PY
221202
222203 - name : Upload Snyk results to GitHub Security tab
223- if : ${{ always() && steps.check-snyk.outputs.snyk_available == 'true ' && hashFiles('snyk.sarif') != '' }}
204+ if : ${{ always() && secrets.SNYK_TOKEN != ' ' && hashFiles('snyk.sarif') != '' }}
224205 uses : github/codeql-action/upload-sarif@v4
225206 with :
226207 sarif_file : snyk.sarif
208+ category : snyk-${{ github.event_name == 'pull_request' && 'pr' || 'prod' }}-${{ needs.extract-version.outputs.version }}-${{ github.run_id }}
227209
228210 dockle-scan :
229211 runs-on : ubuntu-latest
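Review bot: The `secrets` context is, to my knowledge, not available in step-level `if` expressions, so `if: ${{ secrets.SNYK_TOKEN != '' }}` on the Prepare image, Run Snyk, Normalize and Upload steps is rejected at workflow validation instead of skipping the step when the token is absent; the removed `check-snyk` step that exported the secret into an env var and emitted `snyk_available` was the working pattern, and the four conditions should go back to `steps.check-snyk.outputs.snyk_available == 'true'`. The Normalize and Upload conditions also compare the token to `' '` (a single space) rather than `''`, so even where accepted they would not catch an empty secret. Separately, `IMAGE_REF="${{ needs.extract-version.outputs.image-ref }}"` is substituted into the script text before bash runs; if that output is derived from a tag or branch name it should be passed through `env:` and read as `"$IMAGE_REF_INPUT"` so the value is never interpreted as shell. In the normalization script, folding every run's results into `runs[0]` keeps only the first run's `tool.driver.rules`, so a result whose `ruleId` is defined only in a later run loses its rule metadata in the uploaded SARIF — worth confirming against Snyk's multi-run output before relying on it. The job these steps belong to begins before the hunk.
```yaml
      - name: Check for Snyk token
        id: check-snyk
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          if [ -n "$SNYK_TOKEN" ]; then echo "snyk_available=true" >> "$GITHUB_OUTPUT"; fi

      - name: Prepare image
        if: ${{ steps.check-snyk.outputs.snyk_available == 'true' }}
        env:
          IMAGE_REF_INPUT: ${{ needs.extract-version.outputs.image-ref }}
        run: |
          if [ "${{ github.event_name }}" = "pull_request" ]; then IMAGE_REF=devcoder-test; else IMAGE_REF="$IMAGE_REF_INPUT"; fi
          # … unchanged: empty-ref check, GITHUB_ENV export, docker build …
```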