-
Notifications
You must be signed in to change notification settings - Fork 3
50 lines (41 loc) · 1.71 KB
/
docker-vulnerability-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
name: Docker vulnerability scan
on:
workflow_dispatch:
schedule:
- cron: "0 4 * * *"
env:
ECR_REGISTRY: 729164266357.dkr.ecr.ca-central-1.amazonaws.com
jobs:
docker-vulnerability-scan:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- image: platform/apache
path: wordpress/docker/apache/Dockerfile
- image: platform/wordpress
path: wordpress/docker/Dockerfile
steps:
- name: Configure AWS credentials
id: aws-creds
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
aws-access-key-id: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.STAGING_AWS_SECRET_ACCESS_KEY }}
aws-region: ca-central-1
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
- name: Get latest Docker image tag
run: |
IMAGE_TAG="$(aws ecr describe-images --output json --repository-name ${{ matrix.image }} --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' | jq . --raw-output)"
echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
- name: Docker vulnerability scan Wordpress
uses: cds-snc/security-tools/.github/actions/docker-scan@cfec0943e40dbb78cee115bbbe89dc17f07b7a0f # v2.1.3
with:
docker_image: "${{ env.ECR_REGISTRY }}/${{ matrix.image }}:${{ env.IMAGE_TAG }}"
dockerfile_path: "${{ matrix.path }}"
token: ${{ secrets.GITHUB_TOKEN }}
- name: Logout of Amazon ECR
run: docker logout ${{ steps.login-ecr.outputs.registry }}