fix: resolve Snyk SNYK-CBI-0014 in build workflow#1112
Open
anurag-atlan wants to merge 1 commit into main from
Conversation
✅ Snyk checks have passed. No issues have been found so far.
Summary
Pre-pulls the app image from GHCR before the Snyk container scan step to fix SNYK-CBI-0014 / `404 Not Found` errors.

Root cause

The Snyk Docker action (`snyk/actions/docker`) runs inside its own container (`snyk/snyk:docker`). Although the workflow logs into GHCR on the host runner, those credentials are stored in the host's `~/.docker/config.json`, which is not mounted into the Snyk container. When Snyk tries to pull the app image from GHCR, it gets a `404 Not Found` because it has no auth.

The Docker socket (`/var/run/docker.sock`) is mounted, so the Snyk container talks to the same Docker daemon as the host. If the image is already pulled on the host, Snyk finds it locally without needing to pull.

Fix

Add a `docker pull` step before the Snyk scan. This runs on the host (where GHCR login already happened), caching the image in the Docker daemon. Snyk then accesses it locally via the mounted socket.

Known limitation

The `--file=./Dockerfile` flag tells Snyk to resolve the base image (`FROM registry.atlan.com/public/application-sdk:main-latest`) for layer attribution. Snyk may still warn about being unable to pull the base image (SNYK-CBI-0014), but this is a non-blocking warning — the scan still runs and reports vulnerabilities. Full base image attribution would require adding `registry.atlan.com` credentials to the workflow.

Impact

Fixes Snyk container scan for all 40+ app repos using this reusable workflow.

Ref: DISTR-213
Test plan
- `atlan-glue-app` — verify Snyk job no longer fails with 404

🤖 Generated with Claude Code
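The ordering the description relies on (host login, host-side pull, then the containerized Snyk step reading the shared daemon) as an added workflow fragment; this is illustrative and not the repository's actual reusable workflow. The job id, the `IMAGE` value, the checkout/login action versions and the secret names are assumptions; the `docker image inspect` step is an added fail-fast check that the pull actually landed in the daemon the Snyk container will see.

```yaml
# Added example, not the project's own workflow. Assumed: job id `scan`,
# the IMAGE reference, and that GITHUB_TOKEN has packages:read on GHCR.
name: build
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    env:
      IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}   # assumed image ref
    steps:
      - uses: actions/checkout@v4

      # Login happens on the host runner. The credential is written to the
      # runner's ~/.docker/config.json, which is never mounted into the
      # snyk/snyk:docker container, so Snyk itself cannot authenticate.
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The fix: pull on the host, where the login is valid, so the image
      # is cached in the Docker daemon both sides share.
      - name: Pre-pull app image for Snyk
        run: docker pull "$IMAGE"

      # Added check: fail here, with a clear message, if the image is not in
      # the local daemon; otherwise the failure surfaces later as a 404 from Snyk.
      - name: Verify image is cached in the daemon
        run: docker image inspect "$IMAGE" --format 'cached: {{.Id}}'

      # Snyk runs in its own container but reaches the same daemon through
      # /var/run/docker.sock, so it finds the image locally without pulling.
      # --file lets it resolve the base image for layer attribution; the
      # SNYK-CBI-0014 warning about the unauthenticated base registry stays.
      - uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.IMAGE }}
          args: --file=./Dockerfile
```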