Docker vulnerability scan #556

Workflow file for this run

.github/workflows/docker-vulnerability-scan.yml at c237e66

	name: Docker vulnerability scan

	on:
	workflow_dispatch:
	schedule:
	- cron: "0 4 * * *"

	permissions:
	id-token: write # This is required for requesting the OIDC JWT
	contents: read # This is required for actions/checkout
	security-events: write # This is required for the docker-scan action

	jobs:
	docker-vulnerability-scan-k8s:
	runs-on: ubuntu-latest
	env:
	DOCKERFILE_PATH: "ci/Dockerfile"
	DOCKER_IMAGE: "public.ecr.aws/v6b8u5o6/notify-api"

	steps:
	- name: Configure credentials to CDS public ECR using OIDC
	uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
	with:
	role-to-assume: arn:aws:iam::283582579564:role/notification-api-apply
	role-session-name: NotifyApiGitHubActions
	aws-region: "us-east-1"

	- name: Login to ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
	with:
	registry-type: public

	- name: Docker vulnerability scan
	uses: cds-snc/security-tools/.github/actions/docker-scan@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
	with:
	docker_image: "${{ env.DOCKER_IMAGE }}:latest"
	dockerfile_path: "${{ env.DOCKERFILE_PATH }}"
	token: "${{ secrets.GITHUB_TOKEN }}"

	- name: Logout of Amazon ECR
	run: docker logout ${{ steps.login-ecr.outputs.registry }}

	docker-vulnerability-scan-lambda:
	runs-on: ubuntu-latest
	env:
	DOCKERFILE_PATH: "ci/Dockerfile.lambda"
	DOCKER_IMAGE: "${{ secrets.PRODUCTION_API_LAMBDA_ECR_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/notify/api-lambda"

	steps:
	- name: Configure credentials to Notify account using OIDC
	uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
	with:
	role-to-assume: arn:aws:iam::${{ secrets.PRODUCTION_API_LAMBDA_ECR_ACCOUNT }}:role/notification-api-apply
	role-session-name: NotifyApiGitHubActions
	aws-region: "ca-central-1"

	- name: Get latest Docker image tag
	run: \|
	IMAGE_TAG="$(aws ecr describe-images --output json --repository-name notify/api-lambda --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' \| jq . --raw-output)"
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV

	- name: Login to ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1

	- name: Docker vulnerability scan
	uses: cds-snc/security-tools/.github/actions/docker-scan@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
	with:
	docker_image: "${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }}"
	dockerfile_path: "${{ env.DOCKERFILE_PATH }}"
	token: "${{ secrets.GITHUB_TOKEN }}"

	- name: Logout of Amazon ECR
	run: docker logout ${{ steps.login-ecr.outputs.registry }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Docker vulnerability scan #556

Workflow file

Docker vulnerability scan #556

Jobs

Run details

Workflow file for this run