What will be covered in this blog?
-> Building secure software is like building a sturdy house - you wouldn't wait until it's finished to check for termites, right? That's where Dockerfile scanning comes in. It's like checking your construction plans for weak spots before hammering any nails.
-> Think of Snyk and CodeQL as your security inspectors. They scan your Dockerfile, a blueprint for your container image, and point out any hidden vulnerabilities, like rickety doors or leaky windows.
-> By integrating this scanning into your GitHub Actions, like an automated construction manager, you catch these issues early, even before building the image. This saves you time, money, and headaches later on, because fixing a broken door after the house is built is much harder than preventing it in the first place!
-> This is what DevSecOps is all about - baking security into every step of building software, not just the final inspection. By automating Dockerfile scanning with Snyk and CodeQL, you build stronger, more secure software with confidence and peace of mind, just like a well-built house that can withstand any storm.
-> So in this setup what we do we are using snyk to scan Dockerfile and then outputting the result in SARIF format to upload to GitHub code scanning
-> SARIF (Static Analysis Results Interchange Format) is an OASIS Standard that defines an output file format. The SARIF standard is used to streamline how static analysis tools share their results.
(1). Go to 'Snyk,' create your account, then navigate to the Dashboard. In the left-side menu bar, click on your account name, and select 'Account Settings' from the dropdown menu.
(2). Once inside, proceed to the 'General' tab. You will find the 'Generate Auth Token' option; click on it, then copy the token. Save it in Notepad. In my case, I have already created that token.
(3). Next, navigate to your GitHub account and create a repository with your desired name. Create a 'Dockerfile'; for demonstration, you can use the following example Dockerfile.
# Use an official Node.js runtime as a parent image
FROM node:14
# Set the working directory in the container
WORKDIR /usr/src/app
# Copy package.json and package-lock.json to the working directory
COPY package*.json ./
# Install app dependencies
RUN npm install
# Copy the rest of the application code to the working directory
COPY . .
# Expose the port the app runs on
EXPOSE 3000
# Define the command to run the application
CMD ["npm", "start"]
save this file
(4). Proceed to 'Settings' → 'Settings and variables' → 'Actions.' Click on 'New Repository Secret,' provide the name as 'SNYK_TOKEN,' paste the token, and save it.
(5). Navigate to the 'Actions' tab, search for 'Snyk,' and select 'Snyk Container.'
(6). It will generate a '.yaml' file. You can customize this script based on your requirements, but for this demo, it's okay. Now, you can 'Commit' the changes.
(7). Navigate to the 'Actions' tab and click on the pipeline; your pipeline will be triggered automatically.
(8). Now you can see that my job has run successfully.
(9). Now, go to the 'Snyk Dashboard.' Note that when creating an account on Snyk, you can connect it with your 'GitHub' account for access to your repository. Alternatively, you can go to the 'Projects' option and click on 'Add Project.'
(10). Select the 'GitHub' option, then choose your repository and click on 'Add selected repos.'
(11). Here, you will find your project report and the scan report for the 'Dockerfile.'
(12). Now, return to our 'GitHub Account,' navigate to 'Security Tab,' and click on 'Code Scanning.'
(13). Click on 'Code Scanning,' and you will find a detailed report.
(14). you can clone My repo also
.
Top comments (0)