From 5d364545bda670c03faab6de14400174d633cc6a Mon Sep 17 00:00:00 2001
From: Denys Holius <5650611+denisgolius@users.noreply.github.com>
Date: Tue, 2 Aug 2022 09:54:39 +0300
Subject: [PATCH] deployment/docker/Makefile: added docker-scan (#2916)

* deployment/docker/Makefile: added docker-scan
docker-scan based on native 'docker scan' function that use snyk.io, see https://docs.docker.com/engine/scan/
* set to call 'docker-scan after release binaries but before publishing
---
 Makefile | 2 +-
 deployment/docker/Makefile | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 25fdee19d..04bb600c3 100644
--- a/Makefile
+++ b/Makefile
@@ -29,7 +29,7 @@ all: \
 clean:
 rm -rf bin/*
 
-publish: \
+publish: docker-scan \
 publish-victoria-metrics \
 publish-vmagent \
 publish-vmalert \
diff --git a/deployment/docker/Makefile b/deployment/docker/Makefile
index 0479c8be4..6def5a869 100644
--- a/deployment/docker/Makefile
+++ b/deployment/docker/Makefile
@@ -16,6 +16,9 @@ package-base:
 --tag $(BASE_IMAGE) \
 deployment/docker/base
 
+docker-scan: package-base
+ docker scan --accept-license $(BASE_IMAGE) || (echo "❌ The build has been terminated because critical vulnerabilities were found in $(BASE_IMAGE)"; exit 1)
+
 package-builder:
 (docker image ls --format '{{.Repository}}:{{.Tag}}' | grep -q '$(BUILDER_IMAGE)$$') \
 || docker build \
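Review bot: Putting `docker-scan` first in the prerequisite list of `publish` orders the scan before the `publish-*` targets only in a serial build. Under `make -j` the prerequisites of `publish` can run concurrently, so an image may already be pushed when the scan fails, and invoking a single `publish-*` target directly skips the scan entirely. If the scan is meant to gate every push, each `publish-*` rule should carry it as its own prerequisite, for example `publish-vmagent: docker-scan`. Those rules are defined outside this hunk, and the prerequisite list of `publish` continues past its last line.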
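Review bot: The failure message in the `docker-scan` recipe says critical vulnerabilities were found, but the `||` branch runs on any non-zero exit of `docker scan`. That includes a missing scan plugin, a failed login or network call to the scanning service, and, with no `--severity` filter, findings of any severity. I would set the threshold explicitly and word the message for both cases, e.g. `docker scan --accept-license --severity high $(BASE_IMAGE) || (echo "docker scan failed or reported findings for $(BASE_IMAGE)" >&2; exit 1)`. Only `$(BASE_IMAGE)` is scanned, so as far as this hunk shows the application images pushed by the `publish-*` targets are not covered by the gate. A one-line comment above the rule should state that the scan uploads image metadata to a third-party service and that `--accept-license` accepts that provider's terms non-interactively.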