Docker vulnerability scan #496

	name: Docker vulnerability scan

	on:
	workflow_dispatch:
	schedule:
	- cron: "0 4 * * *"

	env:
	AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }}
	AWS_REGION: ca-central-1
	ECR_REPOSITORY: form_viewer_staging

	permissions:
	id-token: write
	contents: write
	security-events: write

	jobs:
	docker-vulnerability-scan:
	runs-on: ubuntu-latest
	steps:
	- name: Configure AWS credentials using OIDC
	uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
	with:
	role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/platform-forms-client-plan
	role-session-name: ECRPull
	aws-region: ${{ env.AWS_REGION }}

	- name: Login to Staging Amazon ECR
	id: login-ecr-staging
	uses: aws-actions/amazon-ecr-login@039b1642a3b6ca5a34a4a5cc9ffa2ddc195fdd2f

	- name: Docker vulnerability scan
	uses: cds-snc/security-tools/.github/actions/docker-scan@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
	env:
	ECR_REGISTRY: ${{ steps.login-ecr-staging.outputs.registry }}
	with:
	docker_image: "${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:latest"
	dockerfile_path: "Dockerfile"
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Logout of Staging Amazon ECR
	if: always()
	run: docker logout ${{ steps.login-ecr-staging.outputs.registry }}

Provide feedback