This action checks the findings of an Amazon Inspector scan. It has only been tested with Inspector v2. Currently the action only supports checking the results of scans on images pushed to ECR; it may be extended to Lambda functions and EC2 instances in the future.
```yaml
- uses: ecperth/check-aws-inspector@v2
  with:
    # ECR repository name
    repository:
    # ECR registry ID (Optional)
    # AWS account ID which contains the ECR registry. Only required if
    # different from the primary AWS account ID of the authenticated role
    registry-id:
    # image tag
    tag:
    # vulnerability severity that causes the action to fail (Optional)
    # if provided, the action fails if a vulnerability of that severity or higher is
    # found. [ CRITICAL | HIGH | MEDIUM | LOW | INFORMATIONAL | UNDEFINED ]
    fail-on:
    # vulnerability IDs to ignore (Optional)
    # separated by spaces, commas or newlines
    ignore:
    # time (seconds) to wait for a COMPLETE scan status from ECR before the action fails
    timeout:
    # time (seconds) between re-polls once the scan is COMPLETE, used to wait for a
    # consistent result set. I suggest reading the explanation below and experimenting
    # for yourself, as AWS Inspector behaviour may change and make this unnecessary
    consistency-delay:
```
There is just one output, findingSeverityCounts, which is JSON containing the severity counts; severities with no findings are omitted. For example:

```
{ CRITICAL: 2, HIGH: 5, MEDIUM: 10, LOW: 17 }
```
Example workflow: get an access token from GitHub OIDC, build and push the image, then check the results of the scan.
```yaml
jobs:
  test-check-aws-inspector-action:
    runs-on: ubuntu-latest
    name: Test check-aws-inspector
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: {IAM_ROLE}
          aws-region: ap-southeast-2
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Build, tag, and push image to Amazon ECR
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: my-ecr-repo
          IMAGE_TAG: ${{ github.event.inputs.tag }}
        run: |
          docker build -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
      - name: Check results of AWS Inspector scan on image
        id: check-aws-inspector
        uses: ecperth/check-aws-inspector@v2
        with:
          repository: my-ecr-repo
          # registry-id is the AWS account ID that owns the registry, not the repository
          # name; omit it when the registry is in the same account as the assumed role
          registry-id: {AWS_ACCOUNT_ID}
          tag: ${{ github.event.inputs.tag }}
          fail-on: CRITICAL
          ignore: |
            CVE-2023-40217
            CVE-2023-36054
          timeout: 60
          consistency-delay: 15
      - name: Print the findings regardless of fail
        if: always()
        # pass the output through an env var rather than interpolating it into the script
        env:
          FINDING_COUNTS: ${{ steps.check-aws-inspector.outputs.findingSeverityCounts }}
        run: echo "$FINDING_COUNTS"
```
Required permissions to check the scan findings of an ECR image with Amazon Inspector (the login and push steps in the workflow above need the usual ECR push permissions in addition to these):
```hcl
data "aws_iam_policy_document" "example" {
  statement {
    sid       = "AllowEcrRepoAccess"
    effect    = "Allow"
    actions   = ["ecr:DescribeImageScanFindings"]
    resources = [{repo-arn}]
  }
  statement {
    sid       = "AllowAwsInspectAccess"
    effect    = "Allow"
    actions   = ["inspector2:ListCoverage", "inspector2:ListFindings"]
    # these Inspector actions do not support resource-level scoping, hence the wildcard
    resources = ["*"]
  }
}
```
For a more concrete example, check out what I did here.
In my testing I noticed that after a COMPLETE scan status is returned from the ECR API, the findings take a while to all roll in. I added code in my action to re-poll the ECR API for findings once the status is COMPLETE until it gets the same result set twice. The consistency-delay input is the time between these re-polls. 15 seconds consistently produced a full set of results for me, but I was testing on an image with a lot of vulnerabilities.
```
Polling for complete scan...
Scan status is "Pending"
Polling for complete scan...
scan complete!
{ HIGH: 1, MEDIUM: 1 }
Polling for consistency...
{ HIGH: 73, MEDIUM: 144, LOW: 19, CRITICAL: 14 }
Polling for consistency...
{ HIGH: 97, MEDIUM: 199, LOW: 28, CRITICAL: 16 }
Polling for consistency...
{ HIGH: 97, MEDIUM: 199, LOW: 28, CRITICAL: 16 }
Consistent Results!
```
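The check described above, as an added JavaScript example that is not the action's own code: it polls a stand-in for the ECR scan-findings API until the scan is COMPLETE, re-polls every consistency-delay seconds until two consecutive result sets agree, then applies the ignore list and the fail-on threshold. The ECR client is a stub that replays a scripted response sequence; the `{id, severity}` finding shape, the injectable clock, the rule that UNDEFINED ranks lowest, and the cap on consistency re-polls are assumptions made for this example, not the ECR API or the action's inputs. The sample findings are constructed (the two CVE IDs are the ones from the workflow above; the other IDs are placeholders).

```javascript
// Added example, not the action's source. Finding shape {id, severity}, the clock
// interface and the maxConsistencyPolls cap are assumptions for this example.

// Assumption: UNDEFINED ranks lowest, so `fail-on: UNDEFINED` fails on any finding.
const SEVERITY_ORDER = ["UNDEFINED", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"];

// The `ignore` input: IDs separated by spaces, commas or newlines.
function parseIgnoreList(text) {
  return new Set(String(text || "").split(/[\s,]+/).filter(Boolean));
}

// Aggregate findings into { SEVERITY: count }, dropping ignored IDs; zero counts are omitted.
function countBySeverity(findings, ignore = new Set()) {
  const counts = {};
  for (const f of findings) {
    if (ignore.has(f.id)) continue;
    counts[f.severity] = (counts[f.severity] || 0) + 1;
  }
  return counts;
}

// True when any finding is at `failOn` severity or higher; no failOn means never fail.
function exceedsThreshold(counts, failOn) {
  if (!failOn) return false;
  const idx = SEVERITY_ORDER.indexOf(failOn);
  if (idx < 0) throw new Error(`unknown fail-on severity: ${failOn}`);
  return SEVERITY_ORDER.slice(idx).some((s) => (counts[s] || 0) > 0);
}

function sameCounts(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  for (const k of keys) if ((a[k] || 0) !== (b[k] || 0)) return false;
  return true;
}

// Poll describe() (stand-in for ECR DescribeImageScanFindings) until the scan is
// COMPLETE or `timeout` seconds pass, then re-poll every `consistencyDelay` seconds
// until two consecutive result sets agree. The cap guards against endless churn.
function pollUntilConsistent(describe, opts) {
  const { timeout, consistencyDelay, ignore = new Set(), clock,
          pollInterval = 5, maxConsistencyPolls = 20 } = opts;
  const deadline = clock.now() + timeout * 1000;
  let result = describe();
  while (result.status !== "COMPLETE") {
    if (result.status === "FAILED") throw new Error("scan failed");
    if (clock.now() >= deadline) throw new Error(`scan not COMPLETE within ${timeout}s`);
    clock.sleep(pollInterval * 1000);
    result = describe();
  }
  let counts = countBySeverity(result.findings, ignore);
  for (let i = 0; i < maxConsistencyPolls; i++) {
    clock.sleep(consistencyDelay * 1000);
    const next = countBySeverity(describe().findings, ignore);
    if (sameCounts(counts, next)) return next; // Consistent Results!
    counts = next;
  }
  throw new Error(`findings still changing after ${maxConsistencyPolls} re-polls`);
}

// Full check: returns the severity counts and whether the job should fail.
function runCheck(describe, inputs, clock) {
  const ignore = parseIgnoreList(inputs.ignore);
  const counts = pollUntilConsistent(describe, {
    timeout: inputs.timeout, consistencyDelay: inputs.consistencyDelay, ignore, clock,
  });
  return { counts, failed: exceedsThreshold(counts, inputs.failOn) };
}

// Test doubles: a clock that only advances in sleep(), and an ECR stub that
// replays a scripted sequence of responses (the last one repeats).
function fakeClock() {
  let t = 0;
  return { now: () => t, sleep: (ms) => { t += ms; } };
}
function stubEcr(responses) {
  let i = 0;
  return () => responses[Math.min(i++, responses.length - 1)];
}

// Constructed sample scan: findings keep rolling in after COMPLETE, like the log above.
function sampleScan() {
  const f = (id, severity) => ({ id, severity });
  const early = [f("CVE-2023-40217", "HIGH"), f("CVE-2023-36054", "MEDIUM")];
  const full = [...early, f("PLACEHOLDER-1", "CRITICAL"), f("PLACEHOLDER-2", "LOW")];
  return stubEcr([
    { status: "PENDING", findings: [] },
    { status: "COMPLETE", findings: early },
    { status: "COMPLETE", findings: full },
    { status: "COMPLETE", findings: full },
  ]);
}

console.log(runCheck(sampleScan(), {
  timeout: 60, consistencyDelay: 15, failOn: "CRITICAL",
  ignore: "CVE-2023-40217\nCVE-2023-36054",
}, fakeClock()));
```

With the two ignored CVEs the run above settles on `{ CRITICAL: 1, LOW: 1 }` after one 5 s status poll and two 15 s consistency re-polls, and fails because a CRITICAL finding remains; a real implementation would replace `describe` with an SDK call and `clock` with real timers.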
Basic setup

```shell
git clone https://github.com/ecperth/check-aws-inspector
cd check-aws-inspector
npm install
```

Unit tests

```shell
npm run test
```

Bundle

```shell
npm run bundle
```

Nothing more to it than that!

On the off chance someone would like to contribute to the repo, just bundle the branch locally and open a PR. I will set up some basic CI/CD later.