chore: Add snyk docker scanning feature

build_all.sh

@@ -16,6 +16,8 @@ set -o pipefail
 
 # shellcheck source=common_functions.sh
 source ./common_functions.sh
+# shellcheck source=snyk.sh
+source ./snyk.sh
 
 for ver in ${supported_versions}
 do

build_latest.sh

@@ -21,6 +21,9 @@ version="9"
 
 # shellcheck source=common_functions.sh
 source ./common_functions.sh
+# shellcheck source=snyk.sh
+source ./snyk.sh
+
 # shellcheck source=dockerfile_functions.sh
 source ./dockerfile_functions.sh
 
@@ -43,25 +46,37 @@ function build_image() {
 	build=$1; shift;
 	btype=$1; shift;
 
-	tags=""
-	for tag in "$@"
-	do
-		tags="${tags} -t ${repo}:${tag}"
-		echo "docker push ${repo}:${tag}" >> "${push_cmdfile}"
-	done
+	local tags=("${@[@]}") # copy arguments to local array
+	for i in "${tags[@]}"
+  do
+		echo "docker push ${repo}:${tags[$i]}" >> "${push_cmdfile}"
+  done
 
+  printf -v expanded_tags "-t ${repo}:%s " "${tags[@]}" # concatenate to single strin : -t repo:tag -t repo:tag2
+  expanded_tags=${expanded_tags%?} # remove trailing space
 	dockerfile="Dockerfile.${vm}.${build}.${btype}"
 
 	echo "#####################################################"
-	echo "INFO: docker build --no-cache ${tags} -f ${dockerfile} ."
+	echo "INFO: docker build --no-cache ${expanded_tags} -f ${dockerfile} ."
 	echo "#####################################################"
 	# shellcheck disable=SC2086 # ignoring ${tags} due to whitespace problem
-	if ! docker build --pull --no-cache ${tags} -f "${dockerfile}" . ; then
+	if ! docker build --pull --no-cache ${expanded_tags} -f "${dockerfile}" . ; then
 		echo "#############################################"
 		echo
-		echo "ERROR: Docker build of image: ${tags} from ${dockerfile} failed."
+		echo "ERROR: Docker build of image: ${expanded_tags} from ${dockerfile} failed."
 		echo
 		echo "#############################################"
+	else
+	  if ((SNYK_ENABLED)); then
+	    echo "#####################################################"
+	    echo "        Scanning with snyk for vulnerabilities       "
+	    echo "#####################################################"
+	    	for i in "${tags[@]}"
+        do
+          printf "...scanning %s" "${tags[$i]}"
+	        snyk test --docker "${tags[$i]}" --file=="${dockerfile}"
+        done
+	  fi
 	fi
 }
 

snyk.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+if [ -z "${SNYK_AUTH_TOKEN}" ];then
+  printf "Snyk authentication token not set, skipping snyk analysis"
+  return
+fi
+set -o pipefail
+export SNYK_ENABLED=0
+if test -f "$HOME/.nvm/nvm.sh"; then
+  echo "nvm found"
+else
+  echo "No nvm on machine, snyk check will be skipped"
+  exit 0
+fi
+
+# shellcheck disable=SC1090
+source "$HOME/.nvm/nvm.sh"
+
+echo "Installing node..."
+nvm install node
+
+echo "Installing snyk.."
+npm install -g snyk
+
+echo "Snyk version: $(snyk -v)"
+
+export SNYK_ENABLED=1
+printf "Snyk installed succesfully\n"
+printf "Authenticating snyk\n"
+
+snyk auth "${SNYK_AUTH_TOKEN}"
+
+