A real-world workflow for using Docker, Snyk and GitHub to build, secure and publish container images.
- Build images on push, pull request and on a recurring schedule
- Cache the layers between runs for faster builds
- Push images to GitHub Container Registry depending on the nature of the ref
- Monitor the different tags for vulnerabilities with Snyk
- Fail a pull request check if the PR introduces a high-severity vulnerability
The workflow is reasonably complex, but it's also very powerful.
The workflow will build several different images, namely:
- Version tags, like
v0.1.0 edge, built from the default branchnightly, built once per day from the default branch
Each of these are pushed to GitHub Container Registry:
They are also monitored for vulnerabilities in Snyk:
By monitoring them in Snyk we can see the current vulnerabilities, but Snyk will also send alerts as new vulnerabilities are announced for images, even if they are not rebuilt for a period of time.
The workflow will fail the pull request check if the changes introduce high-severity vulnerabilities into the image. You can see an example of this in action in #1.
The latest image vulnerabilities are also uploaded to GitHub Code Scanning, so we can see a list of issues directly in GitHub.
We are also adding additional context to the output using the Secure Code Warrior action.
Inspired by the example workflow from docker/build-push-action.