ecr-scheduled-security-scan.yml
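---
# Builds each PHP/Alpine image variant, pushes it to ECR under a
# commit-specific tag, runs the ECR image scan, deletes the scanned tag,
# reports the finding count (to Slack on the scheduled run only) and fails
# the job when the scan reported any vulnerabilities.
name: ECR vulnerability detection

on:
  schedule:
    - cron: '0 9 * * *'
  push:
    branches:
      - master

# Least privilege for GITHUB_TOKEN: nothing here writes to the repository.
permissions:
  contents: read

jobs:
  vulnerability-detection:
    runs-on: ubuntu-latest
    strategy:
      # Keep scanning the remaining variants when one of them fails.
      fail-fast: false
      matrix:
        include:
          ## Alpine
          ### Alpine 3.18
          - image: "alpine/3.18/8.1/Dockerfile"
            tags: "8.1-alpine3.18"
            platforms: "linux/amd64"
          - image: "alpine/3.18/8.2/Dockerfile"
            tags: "8.2-alpine3.18"
            platforms: "linux/amd64"
          - image: "alpine/3.18/8.3/Dockerfile"
            tags: "8.3-alpine3.18"
            platforms: "linux/amd64"
          ### Alpine 3.19
          - image: "alpine/3.19/8.1/Dockerfile"
            tags: "8.1-alpine3.19"
            platforms: "linux/amd64"
          - image: "alpine/3.19/8.2/Dockerfile"
            tags: "8.2-alpine3.19"
            platforms: "linux/amd64"
          - image: "alpine/3.19/8.3/Dockerfile"
            tags: "8.3-alpine3.19"
            platforms: "linux/amd64"
          ### Alpine 3.20
          - image: "alpine/3.20/8.1/Dockerfile"
            tags: "8.1-alpine3.20"
            platforms: "linux/amd64"
          - image: "alpine/3.20/8.2/Dockerfile"
            tags: "8.2-alpine3.20"
            platforms: "linux/amd64"
          - image: "alpine/3.20/8.3/Dockerfile"
            tags: "8.3-alpine3.20"
            platforms: "linux/amd64"
    steps:
      # NOTE(review): long-lived static AWS keys stored as repository secrets;
      # the action also supports OIDC role assumption (role-to-assume), which
      # avoids a standing credential — a separate infra change, not done here.
      # Third-party actions below are pinned by tag; pinning to a commit SHA
      # protects against tag moves.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Login to AWS ECR
        uses: aws-actions/amazon-ecr-login@v1

      # The tag is commit-specific so concurrent/scheduled runs of the same
      # variant never overwrite or delete each other's image.
      - name: Build and push
        id: docker-build
        uses: docker/build-push-action@v2
        with:
          push: true
          file: ${{ matrix.image }}
          tags: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/${{ secrets.AWS_ECR_REPO }}:${{ matrix.tags }}-${{ github.sha }}
          platforms: ${{ matrix.platforms }}

      # Exposes the finding count as steps.docker-scan.outputs.total.
      # NOTE(review): the action ref on this line was garbled by page
      # extraction ("[email protected]"); restore the real <owner>/<action>@<ref>.
      - name: Scan Docker image
        id: docker-scan
        uses: alexjurkiewicz/[email protected]
        with:
          repository: ${{ secrets.AWS_ECR_REPO }}
          tag: ${{ matrix.tags }}-${{ github.sha }}

      # Cleanup runs even when the scan step failed, so a pushed image is not
      # left behind; it is skipped when nothing was pushed. Values reach the
      # shell through env rather than inline ${{ }} expansion.
      - name: Delete images after scan images
        if: ${{ !cancelled() && steps.docker-build.outcome == 'success' }}
        env:
          ECR_REPO: ${{ secrets.AWS_ECR_REPO }}
          IMAGE_TAG: ${{ matrix.tags }}-${{ github.sha }}
        run: |
          aws ecr batch-delete-image --repository-name "$ECR_REPO" --image-id imageTag="$IMAGE_TAG"

      - name: Print scan total
        env:
          TOTAL: ${{ steps.docker-scan.outputs.total }}
        run: |
          echo "$TOTAL total vulnerabilities."

      # `::set-output` is deprecated; step outputs are written to $GITHUB_OUTPUT.
      - name: Set Date and Time
        id: set-date
        if: github.event.schedule == '0 9 * * *'
        run: echo "current_datetime=$(date +'%Y-%m-%d %H:%M:%S')" >> "$GITHUB_OUTPUT"

      # Green only when the scan reported zero findings. The previous version
      # tested the constant `${{ true }}`, so the red branch was unreachable.
      - name: Set Color
        id: set-color
        if: github.event.schedule == '0 9 * * *'
        env:
          TOTAL: ${{ steps.docker-scan.outputs.total }}
        run: |
          if [[ "${TOTAL:-0}" == "0" ]]; then
            COLOR="#008000"
          else
            COLOR="#ff0000"
          fi
          echo "color=$COLOR" >> "$GITHUB_OUTPUT"

      # NOTE(review): action ref garbled by page extraction on the `uses:`
      # line below; restore the real <owner>/<action>@<ref>.
      - name: Send GitHub Action trigger data to Slack workflow
        id: slack
        if: github.event.schedule == '0 9 * * *'
        uses: slackapi/[email protected]
        with:
          payload: |
            {
              "text": "Scanned image tag *${{ matrix.tags }}*.",
              "attachments": [
                {
                  "pretext": "ECR vulnerability scan outputs for ${{ steps.set-date.outputs.current_datetime }}",
                  "color": "${{ steps.set-color.outputs.color }}",
                  "fields": [
                    {
                      "title": "Status",
                      "short": true,
                      "value": "*${{ steps.docker-scan.outputs.total }}* total vulnerabilities"
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

      # Gate: any reported vulnerability fails the matrix job.
      - name: Fail the execution
        if: ${{ steps.docker-scan.outputs.total > 0 }}
        run: exit 1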