cyber-dojo · JonJagger · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -34,6 +34,11 @@ jobs:
       image_name:               ${{ steps.vars.outputs.image_name }}
       kosli_trail:              ${{ steps.vars.outputs.kosli_trail }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 1
@@ -55,29 +60,12 @@ jobs:
             echo "kosli_trail=${KOSLI_TRAIL}"                  
           } > ${GITHUB_OUTPUT}          
 
-      - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' }}
-        uses: kosli-dev/setup-cli-action@v2
-        with:
-          version: ${{ vars.KOSLI_CLI_VERSION }}
-
-      - name: Create Kosli Flow
-        if: ${{ github.ref == 'refs/heads/main' }}
-        run:
-          kosli create flow "${KOSLI_FLOW}"
-            --description="Diff files from two traffic-lights"
-
       - name: Begin Kosli Trail
         if: ${{ github.ref == 'refs/heads/main' }}
-        run:
-          kosli begin trail "${KOSLI_TRAIL}"  
-            --template-file=.kosli.yml
-
-      - name: Write Trail URL to GitHub Step Summary
-        if: ${{ github.ref == 'refs/heads/main' }}
-        run: |
-          url="https://app.kosli.com/${KOSLI_ORG}/flows/${KOSLI_FLOW}/trails/${KOSLI_TRAIL}"
-          echo "[Kosli Trail](${url})" > "${GITHUB_STEP_SUMMARY}"
+        uses: cyber-dojo/kosli-begin-trail@main
+        with:
+          cli_version: "${{ vars.KOSLI_CLI_VERSION }}"
+          flow_description: "Diff files from two traffic-lights"
 
 
   pull-request:
@@ -89,6 +77,11 @@ jobs:
       contents:      read
       pull-requests: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 1
@@ -109,6 +102,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: [setup]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 1
@@ -131,44 +129,6 @@ jobs:
             --results-dir=./reports/rubocop
 
 
-  snyk-code-scan:
-    runs-on: ubuntu-latest
-    needs: [setup]
-    env:
-      SARIF_FILENAME: snyk.code.scan.json
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Setup Snyk
-        uses: snyk/actions/setup@master
-
-      - name: Run Snyk code scan
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run:
-          snyk code test
-            --policy-path=.snyk
-            --sarif
-            --sarif-file-output="${SARIF_FILENAME}"
-            .
-
-      - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        uses: kosli-dev/setup-cli-action@v2
-        with:
-          version: ${{ vars.KOSLI_CLI_VERSION }}
-
-      - name: Attest evidence to Kosli
-        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        run:
-          kosli attest snyk
-            --attachments=.snyk
-            --name=differ.snyk-code-scan 
-            --scan-results="${SARIF_FILENAME}"
-
-
   build-image:
     needs: [setup]
     uses: cyber-dojo/reusable-actions-workflows/.github/workflows/secure-docker-build.yml@main
@@ -194,6 +154,11 @@ jobs:
     env:
       KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Download docker image
         uses: cyber-dojo/download-artifact@main
         with:
@@ -243,6 +208,11 @@ jobs:
     env:
       KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Download docker image
         uses: cyber-dojo/download-artifact@main
         with:
@@ -292,6 +262,11 @@ jobs:
     env:
       KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
@@ -308,6 +283,68 @@ jobs:
             -Dsonar.analysis.kosli_attestation=differ.sonarcloud-scan
 
 
+  snyk-container-scan:
+    needs: [build-image]
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    env:
+      IMAGE_NAME:        ${{ needs.build-image.outputs.tagged_image_name }}
+      KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
+      SARIF_FILENAME:    snyk.container.scan.json
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID_BETA }}:role/gh_actions_services
+          aws-region: ${{ env.AWS_REGION }}
+          role-duration-seconds: 2400
+          role-session-name: ${{ github.event.repository.name }}
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Pull the docker image
+        run:
+          docker pull --platform=linux/amd64 "${IMAGE_NAME}"
+
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+        with:
+          snyk-version: v1.1300.2        
+
+      - name: Run Snyk container scan
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run:
+          snyk container test "${IMAGE_NAME}"
+            --policy-path=.snyk
+            --sarif
+            --sarif-file-output="${SARIF_FILENAME}"
+
+      - name: Setup Kosli CLI
+        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
+        uses: kosli-dev/setup-cli-action@v2
+        with:
+          version: ${{ vars.KOSLI_CLI_VERSION }}
+
+      - name: Attest evidence to Kosli
+        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
+        run:
+          kosli attest snyk
+            --attachments=.snyk
+            --name=differ.snyk-container-scan
+            --scan-results="${SARIF_FILENAME}"
+
+
   sdlc-control-gate:
     if: ${{ github.ref == 'refs/heads/main' }}
     runs-on: ubuntu-latest
@@ -317,11 +354,16 @@ jobs:
       - rubocop-lint
       - unit-tests
       - integration-tests
-      - snyk-code-scan
       - sonarcloud-scan
+      - snyk-container-scan
     env:
       KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Setup Kosli CLI
         uses: kosli-dev/setup-cli-action@v2
         with:
@@ -346,6 +388,11 @@ jobs:
       name: staging
       url:  https://beta.cyber-dojo.org
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0

diff --git a/.kosli.yml b/.kosli.yml
@@ -9,8 +9,6 @@ trail:
       attestations:
         - name: rubocop-lint
           type: junit
-        - name: snyk-code-scan
-          type: snyk
         - name: unit-test
           type: junit
         - name: unit-test-metrics
@@ -25,3 +23,5 @@ trail:
           type: custom:coverage-metrics
         - name: sonarcloud-scan
           type: sonar
+        - name: snyk-container-scan
+          type: snyk