argo-cd/hack/snyk-container-tests.sh

#!/usr/bin/env bash

set -e
set -o pipefail

images=$(grep 'image: ' manifests/install.yaml manifests/namespace-install.yaml manifests/ha/install.yaml | sed 's/.*image: //' | sort | uniq)

failed=false
while IFS= read -r image; do
  extra_args=()
  if echo "$image" | grep "argocd"; then
    # Pass the file arg only for the Argo CD image. The file arg also gives us access to sarif output.
    extra_args+=("--file=Dockerfile" "--sarif-file-output=/tmp/argocd-image.sarif")
  fi

  set -x
  if ! snyk container test "$image" --org=argoproj --severity-threshold=high "${extra_args[@]}"; then
    failed=true
  fi
  set +x

done <<< "$images"

if [ "$failed" == "true" ]; then
  exit 1
fi
chore: add Snyk scans to docs (#9856) * chore: generate Snyk reports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> dashboard Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> cron job Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more consistent formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> clarification Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif files Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix naming, fix doc get text Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> blarn Signed-off-by: CI <michael@crenshaw.dev> ignore errors due to vulns Signed-off-by: CI <michael@crenshaw.dev> specify target branch in script Signed-off-by: CI <michael@crenshaw.dev> don't checkout before running script Signed-off-by: CI <michael@crenshaw.dev> make sure dest dir exists Signed-off-by: CI <michael@crenshaw.dev> fix workflow Signed-off-by: CI <michael@crenshaw.dev> * update scans Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * use latest ignore rules Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports, add link to latest, push to master instead of stable Signed-off-by: CI <michael@crenshaw.dev> * fix for double-digit patch versions Signed-off-by: CI <michael@crenshaw.dev> * clean up testing changes Signed-off-by: CI <michael@crenshaw.dev> 2022-07-27 21:15:00 +00:00			`#!/usr/bin/env bash`

			`set -e`
			`set -o pipefail`

			`images=$(grep 'image: ' manifests/install.yaml manifests/namespace-install.yaml manifests/ha/install.yaml \| sed 's/.*image: //' \| sort \| uniq)`

			`failed=false`
			`while IFS= read -r image; do`
fix: Address shellcheck detected shell warnings (#22686) Signed-off-by: Oliver Gondža <ogondza@gmail.com> 2025-07-18 11:38:27 +00:00			`extra_args=()`
chore: add Snyk scans to docs (#9856) * chore: generate Snyk reports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> dashboard Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> cron job Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more consistent formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> clarification Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif files Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix naming, fix doc get text Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> blarn Signed-off-by: CI <michael@crenshaw.dev> ignore errors due to vulns Signed-off-by: CI <michael@crenshaw.dev> specify target branch in script Signed-off-by: CI <michael@crenshaw.dev> don't checkout before running script Signed-off-by: CI <michael@crenshaw.dev> make sure dest dir exists Signed-off-by: CI <michael@crenshaw.dev> fix workflow Signed-off-by: CI <michael@crenshaw.dev> * update scans Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * use latest ignore rules Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports, add link to latest, push to master instead of stable Signed-off-by: CI <michael@crenshaw.dev> * fix for double-digit patch versions Signed-off-by: CI <michael@crenshaw.dev> * clean up testing changes Signed-off-by: CI <michael@crenshaw.dev> 2022-07-27 21:15:00 +00:00			`if echo "$image" \| grep "argocd"; then`
			`# Pass the file arg only for the Argo CD image. The file arg also gives us access to sarif output.`
fix: Address shellcheck detected shell warnings (#22686) Signed-off-by: Oliver Gondža <ogondza@gmail.com> 2025-07-18 11:38:27 +00:00			`extra_args+=("--file=Dockerfile" "--sarif-file-output=/tmp/argocd-image.sarif")`
chore: add Snyk scans to docs (#9856) * chore: generate Snyk reports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> dashboard Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> cron job Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more consistent formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> clarification Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif files Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix naming, fix doc get text Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> blarn Signed-off-by: CI <michael@crenshaw.dev> ignore errors due to vulns Signed-off-by: CI <michael@crenshaw.dev> specify target branch in script Signed-off-by: CI <michael@crenshaw.dev> don't checkout before running script Signed-off-by: CI <michael@crenshaw.dev> make sure dest dir exists Signed-off-by: CI <michael@crenshaw.dev> fix workflow Signed-off-by: CI <michael@crenshaw.dev> * update scans Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * use latest ignore rules Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports, add link to latest, push to master instead of stable Signed-off-by: CI <michael@crenshaw.dev> * fix for double-digit patch versions Signed-off-by: CI <michael@crenshaw.dev> * clean up testing changes Signed-off-by: CI <michael@crenshaw.dev> 2022-07-27 21:15:00 +00:00			`fi`

			`set -x`
fix: Address shellcheck detected shell warnings (#22686) Signed-off-by: Oliver Gondža <ogondza@gmail.com> 2025-07-18 11:38:27 +00:00			`if ! snyk container test "$image" --org=argoproj --severity-threshold=high "${extra_args[@]}"; then`
chore: add Snyk scans to docs (#9856) * chore: generate Snyk reports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> dashboard Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> cron job Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> more consistent formatting Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> clarification Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> sarif files Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> fix naming, fix doc get text Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> apply suggestions Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> blarn Signed-off-by: CI <michael@crenshaw.dev> ignore errors due to vulns Signed-off-by: CI <michael@crenshaw.dev> specify target branch in script Signed-off-by: CI <michael@crenshaw.dev> don't checkout before running script Signed-off-by: CI <michael@crenshaw.dev> make sure dest dir exists Signed-off-by: CI <michael@crenshaw.dev> fix workflow Signed-off-by: CI <michael@crenshaw.dev> * update scans Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * use latest ignore rules Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports Signed-off-by: CI <michael@crenshaw.dev> * update reports, add link to latest, push to master instead of stable Signed-off-by: CI <michael@crenshaw.dev> * fix for double-digit patch versions Signed-off-by: CI <michael@crenshaw.dev> * clean up testing changes Signed-off-by: CI <michael@crenshaw.dev> 2022-07-27 21:15:00 +00:00			`failed=true`
			`fi`
			`set +x`

			`done <<< "$images"`

			`if [ "$failed" == "true" ]; then`
			`exit 1`
			`fi`