From 8fcea0984d48a17333f04a276a2bf206e6a96eec Mon Sep 17 00:00:00 2001
From: JonJagger
Date: Sat, 21 Feb 2026 10:31:07 +0000
Subject: [PATCH] Use composite for snyk-container-test
---
 .github/workflows/main.yml | 78 +++++++++-----------------------------
 1 file changed, 17 insertions(+), 61 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1bb5f5a..32fdc52 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -148,6 +148,23 @@ jobs:
 kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}
+ # https://github.com/cyber-dojo/snyk-container-test/blob/main/action.yml
+ snyk-container-scan:
+ needs: [build-image]
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+ steps:
+ - name: Run snyk-container-test and attest results to Kosli
+ uses: cyber-dojo/snyk-container-test@main
+ with:
+ snyk_token: ${{ secrets.SNYK_TOKEN }}
+ image_name: ${{ needs.build-image.outputs.tagged_image_name }}
+ kosli_cli_version: ${{ vars.KOSLI_CLI_VERSION }}
+ attestation_name: differ.snyk-container-scan
+
+
 unit-tests:
 runs-on: ubuntu-latest
 needs: [build-image]
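Review bot: The new snyk-container-scan job references `uses: cyber-dojo/snyk-container-test@main`, a mutable branch ref, while the job grants `id-token: write` and `contents: write` and passes `secrets.SNYK_TOKEN`, so any push to that action repository changes the code that runs with those privileges and that secret in this workflow. Pin the composite to a full commit SHA and keep the branch as a trailing comment, `uses: cyber-dojo/snyk-container-test@<FULL_COMMIT_SHA>  # main`, so updates arrive as reviewable bumps. The job removed in the second hunk also ran `step-security/harden-runner` with `egress-policy: audit` and gated the Kosli attestation on `github.ref == 'refs/heads/main'`; neither is visible in the new job, so unless the composite does both itself the runner egress monitoring and the main-only attestation are lost — worth confirming against the linked action.yml and, if absent, adding the harden-runner step in this job ahead of the composite.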
@@ -283,67 +300,6 @@ jobs: -Dsonar.analysis.kosli_attestation=differ.sonarcloud-scan - snyk-container-scan: - needs: [build-image] - runs-on: ubuntu-latest - permissions: - id-token: write - contents: write - env: - IMAGE_NAME: ${{ needs.build-image.outputs.tagged_image_name }} - KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} - SARIF_FILENAME: snyk.container.scan.json - steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID_BETA }}:role/gh_actions_services - aws-region: ${{ env.AWS_REGION }} - role-duration-seconds: 2400 - role-session-name: ${{ github.event.repository.name }} - - - name: Login to Amazon ECR - uses: aws-actions/amazon-ecr-login@v2 - - - name: Pull the docker image - run: - docker pull --platform=linux/amd64 "${IMAGE_NAME}" - - - name: Setup Snyk - uses: snyk/actions/setup@master - with: - snyk-version: v1.1300.2 - - - name: Run Snyk container scan - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - run: - snyk container test "${IMAGE_NAME}" - --policy-path=.snyk - --sarif - --sarif-file-output="${SARIF_FILENAME}" - - - name: Setup Kosli CLI - if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} - uses: kosli-dev/setup-cli-action@v2 - with: - version: ${{ vars.KOSLI_CLI_VERSION }} - - - name: Attest evidence to Kosli - if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} - run: - kosli attest snyk - --attachments=.snyk - --name=differ.snyk-container-scan - --scan-results="${SARIF_FILENAME}" - sdlc-control-gate: if: ${{ github.ref == 'refs/heads/main' }}