name: Snyk Docker Vulnerability Scan

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: '39 13 * * 4'

permissions:
  contents: read

jobs:
  snyk:
    permissions:
      contents: read
      security-events: write
      actions: read
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: Build a Docker image
      run: docker build -t burnett01/rsync-deployments .
    - name: Run Snyk to check Docker image for vulnerabilities
      continue-on-error: true
      uses: snyk/actions/docker@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        image: burnett01/rsync-deployments
        args: --file=Dockerfile
    - name: Output sarif file
      run: cat snyk.sarif
    - name: fix security-severity "null" to "0" for valid sarif format
      run: |
        sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
    - name: Upload result to GitHub Code Scanning
      uses: github/codeql-action/upload-sarif@v4
      with:
        sarif_file: snyk.sarif