dod-iac/orb-ecr-image-scan-findings

CircleCI Orb ecr-image-scan-findings

Scans the uploaded ECR image and outputs the findings.

Usage

For full usage guidelines, see the orb registry listing.

Expectations

  • Use this orb with an ECR repository where an image has been uploaded

Parameters

All the parameters are environment variables. These are described below:

Name                   Description
AWS_ROLE_ARN           The ARN of the role to assume. Must have IAM action ecr:DescribeImageScanFindings.
AWS_ROLE_SESSION_NAME  An identifier for the assumed role session.
ECR_REPOSITORY_NAME    The name of the ECR repository where the image has been uploaded and scanned.
ECR_IMAGE_ID           An object with identifying information for an Amazon ECR image. Either 'imageDigest=string' or 'imageTag=string'.

Examples

Usage with a sha256 digest as the image identifier:

orbs:
  ecr-image-scan-findings: dod-iac/ecr-image-scan-findings@1.0.0

jobs:
  push:
    executor: main
    environment:
      ECR_REPOSITORY_NAME: <REPO_NAME>
    steps:
      - checkout
      - setup_remote_docker:
          docker_layer_caching: false
      - ecr-image-scan-findings/setup
      - run: ./scripts/push-image.sh
      - run: |
          ECR_IMAGE_ID=sha256:<IMAGE_SHA>
          echo "export ECR_IMAGE_ID=imageDigest=${ECR_IMAGE_ID}" >> $BASH_ENV
      - ecr-image-scan-findings/scan

Usage with an image tag as the image identifier:

orbs:
  ecr-image-scan-findings: dod-iac/ecr-image-scan-findings@1.0.0

jobs:
  push:
    executor: main
    environment:
      ECR_REPOSITORY_NAME: <REPO_NAME>
    steps:
      - checkout
      - setup_remote_docker:
          docker_layer_caching: false
      - ecr-image-scan-findings/setup
      - run: ./scripts/push-image.sh
      - run: |
          ECR_IMAGE_ID=<IMAGE_TAG>
          echo "export ECR_IMAGE_ID=imageTag=${ECR_IMAGE_ID}" >> $BASH_ENV
      - ecr-image-scan-findings/scan
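As an added example that is not part of this orb, the following Python script shows what a job could run after the scan step to turn the findings into a pass/fail gate: it validates the ECR_IMAGE_ID value into the imageId map that DescribeImageScanFindings expects, refuses to pass an image whose scan has not completed, and counts findings at or above a severity threshold. The boto3 call, the HIGH threshold and the sample response are this example's assumptions.

```python
import os
import re
from typing import Dict

# Constructed sample shaped like a DescribeImageScanFindings response (not real scan output).
SAMPLE_RESPONSE = {"imageScanStatus": {"status": "COMPLETE"},
                   "imageScanFindings": {"findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2, "LOW": 7}}}
# Severity ranking; failing on HIGH and above is this example's policy, not the orb's.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_id(value: str) -> Dict[str, str]:
    """Convert the ECR_IMAGE_ID value ('imageDigest=...' or 'imageTag=...') into the
    imageId map DescribeImageScanFindings expects, rejecting malformed input."""
    key, sep, ident = value.partition("=")
    if not sep or not ident:
        raise ValueError("ECR_IMAGE_ID must be 'imageDigest=<digest>' or 'imageTag=<tag>'")
    if key == "imageDigest" and not DIGEST_RE.match(ident):
        raise ValueError("imageDigest must be 'sha256:' followed by 64 lowercase hex chars")
    if key not in ("imageDigest", "imageTag"):
        raise ValueError(f"unknown image identifier key: {key!r}")
    return {key: ident}


def count_blocking(counts: Dict[str, int], threshold: str = "HIGH") -> int:
    """Count findings at or above threshold. Severities outside SEVERITY_ORDER
    (e.g. UNDEFINED) cannot be triaged automatically, so they count as blocking too."""
    rank = SEVERITY_ORDER.index(threshold)
    return sum(n for sev, n in counts.items()
               if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) >= rank)


def verdict(response: dict, threshold: str = "HIGH") -> str:
    """Return 'pass', 'fail' or 'incomplete'; an unfinished scan must not pass silently."""
    if response.get("imageScanStatus", {}).get("status") != "COMPLETE":
        return "incomplete"
    counts = response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    return "fail" if count_blocking(counts, threshold) else "pass"


if __name__ == "__main__":
    import boto3  # live call only; credentials come from the role assumed in the job
    resp = boto3.client("ecr").describe_image_scan_findings(
        repositoryName=os.environ["ECR_REPOSITORY_NAME"],
        imageId=parse_image_id(os.environ["ECR_IMAGE_ID"]))
    result = verdict(resp)
    print(result, resp.get("imageScanFindings", {}).get("findingSeverityCounts", {}))
    raise SystemExit(0 if result == "pass" else 1)
```

Run it as an extra `run:` step after `ecr-image-scan-findings/scan`; a non-zero exit fails the job when the image has findings at or above the threshold or when the scan has not finished.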

Developer Setup

Install dependencies:

brew install circleci pre-commit
pre-commit install

Set up CircleCI access with:

circleci setup

Testing Changes

Changes should be applied to orb.yml.

Validate your changes using the circleci orb command:

make validate

Dev Deployment

Publish a dev version to test with:

make publish-dev

Use this dev version to test in a repository of your choosing before continuing.

Prod Deployment

Create a PR in this repository to have your changes reviewed.

Once approved, publish the production version of the orb:

make publish-prod

The orb version displayed in the CircleCI orb registry is the new version to use.

Merge the pull request.

References

License

This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.