Image vulnerability scan with Snyk #124

Open: kowh-ai wants to merge 3 commits into main from image-vuln-scan

Conversation

kowh-ai (Contributor) commented May 5, 2025

Introduces an automated security scanning workflow for CKAN Docker images using Snyk. The workflow runs weekly and can be triggered manually when needed. It scans multiple CKAN image versions for high severity vulnerabilities, generating detailed reports and uploading them to the Snyk Web UI.

amercader (Member) commented

Did you use a ckan org token? I don't see any new project in the dashboard. Would be good to run it once from the PR to see how things are created on the Snyk side.

Also, AFAICT this will scan already published images (i.e. already pushed to Docker Hub). Can we configure it so it analyzes the builds of the current branch in the PR, e.g. build the images and scan them?

The Docker Hub scanning is also done by Docker Scout, so that's less of a priority.

kowh-ai (Contributor, Author) commented May 8, 2025

Thanks @amercader for looking at this - I used a token from my personal org (kowh-ai) to not pollute the ckan org in Snyk. When run, it does create the projects in the Snyk UI. I can update the token to use a CKAN org.

Yes, it scans the published images in Docker Hub specified in the workflow (e.g., matrix:docker-image). I would have thought these images are our primary concern since the reported vulnerabilities in both base and derived images tend to change over time—usually increasing in severity and number. Having a report automatically created and emailed weekly ensures team members actually (or hopefully) review the security status, rather than relying on someone remembering to proactively log into Docker Hub to check for vulnerabilities.

Also I’ve just checked the difference between what Snyk reported vs Docker Scout on the recent CKAN 2.11 base image and they are a bit different.

Docker Scout: Med=1, Low=75
Snyk: Crit=1, Med=1, Low=94
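The variant amercader asks for above (scan the images built from the PR branch rather than the published Docker Hub tags, keeping the weekly schedule and per-version matrix kowh-ai describes), as an added example workflow that is not the PR's own code. It assumes one build context per CKAN version under `ckan-<version>/`, a `SNYK_TOKEN` repository secret, and the local image tag `ckan-local:<version>`; the action and input names are those documented for `snyk/actions/docker` and `docker/build-push-action`.

```yaml
# Added example, not the workflow from this PR. Assumed: ckan-<version>/Dockerfile
# build contexts, a SNYK_TOKEN secret, and the illustrative ckan-local image tag.
name: Scan branch image builds with Snyk

on:
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC

permissions:
  contents: read
  security-events: write   # needed to upload SARIF to the Security tab

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false     # one vulnerable version must not hide the others
      matrix:
        ckan-version: ["2.10", "2.11"]   # assumed version directories
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3

      # Build from the branch into the local daemon; push: false leaves Docker Hub untouched
      - name: Build image from this branch
        uses: docker/build-push-action@v5
        with:
          context: ckan-${{ matrix.ckan-version }}
          load: true
          push: false
          tags: ckan-local:${{ matrix.ckan-version }}

      # Scan the freshly built local image, not the published tag.
      # continue-on-error lets the upload step run even when the threshold is exceeded.
      - name: Snyk container scan (high severity and above)
        uses: snyk/actions/docker@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ckan-local:${{ matrix.ckan-version }}
          args: --file=ckan-${{ matrix.ckan-version }}/Dockerfile --severity-threshold=high

      # Surface findings where reviewers will see them (snyk.sarif is the action's default output)
      - name: Upload results to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
```

Because the scan runs on `pull_request`, a base-image bump or new package in the branch is assessed before it is ever published, while the `schedule` trigger keeps the weekly drift report amercader and kowh-ai discuss.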
