.github/workflows/scan.yml

name: Scan workflow

on:
  workflow_call:
    secrets:
      DOCKER_TOKEN:
        required: true
      IMAGE_NAME:
        required: true

jobs:
  reusable_workflow_job:
    runs-on: ubuntu-latest
    name: Scan
    steps:
      - uses: actions/checkout@v2
      - run: npm ci
      - uses: docker/build-push-action@v2
        with:
          push: false
          load: true
          tags: image:tag
      - run: |-
          sudo rm -rf docker-bench-security
          git clone https://github.com/docker/docker-bench-security.git
          cd docker-bench-security
          cat > output.txt
          sudo sh docker-bench-security.sh -i image:tag -p -l output.txt
          cd ..
      - uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
        continue-on-error: false
        env:
          SNYK_TOKEN: ${{ secrets.DOCKER_TOKEN }}
          IMAGE_NAME: ${{ secrets.IMAGE_NAME }}
        with:
          image: image:tag
          args: --severity-threshold=medium --file=Dockerfile