Skip to content

Docker vulnerability scan #263

Docker vulnerability scan

Docker vulnerability scan #263

name: Docker vulnerability scan
on:
workflow_dispatch:
schedule:
- cron: "0 4 * * *"
permissions:
id-token: write # This is required for requesting the OIDC JWT
contents: read # This is required for actions/checkout
security-events: write # This is required for the docker-scan action
jobs:
docker-vulnerability-scan-k8s:
runs-on: ubuntu-latest
env:
DOCKERFILE_PATH: "ci/Dockerfile"
DOCKER_IMAGE: "public.ecr.aws/v6b8u5o6/notify-api"
steps:
- name: Configure credentials to CDS public ECR using OIDC
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
role-to-assume: arn:aws:iam::283582579564:role/notification-api-apply
role-session-name: NotifyApiGitHubActions
aws-region: "us-east-1"
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1.7.0
with:
registry-type: public
- name: Docker vulnerability scan
uses: cds-snc/security-tools/.github/actions/docker-scan@cfec0943e40dbb78cee115bbbe89dc17f07b7a0f # v2.1.3
with:
docker_image: "${{ env.DOCKER_IMAGE }}:latest"
dockerfile_path: "${{ env.DOCKERFILE_PATH }}"
token: "${{ secrets.GITHUB_TOKEN }}"
- name: Logout of Amazon ECR
run: docker logout ${{ steps.login-ecr.outputs.registry }}
docker-vulnerability-scan-lambda:
runs-on: ubuntu-latest
env:
DOCKERFILE_PATH: "ci/Dockerfile.lambda"
DOCKER_IMAGE: "${{ secrets.PRODUCTION_API_LAMBDA_ECR_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/notify/api-lambda"
steps:
- name: Configure credentials to Notify account using OIDC
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
role-to-assume: arn:aws:iam::${{ secrets.PRODUCTION_API_LAMBDA_ECR_ACCOUNT }}:role/notification-api-apply
role-session-name: NotifyApiGitHubActions
aws-region: "ca-central-1"
- name: Get latest Docker image tag
run: |
IMAGE_TAG="$(aws ecr describe-images --output json --repository-name notify/api-lambda --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' | jq . --raw-output)"
echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1.7.0
- name: Docker vulnerability scan
uses: cds-snc/security-tools/.github/actions/docker-scan@cfec0943e40dbb78cee115bbbe89dc17f07b7a0f # v2.1.3
with:
docker_image: "${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }}"
dockerfile_path: "${{ env.DOCKERFILE_PATH }}"
token: "${{ secrets.GITHUB_TOKEN }}"
- name: Logout of Amazon ECR
run: docker logout ${{ steps.login-ecr.outputs.registry }}