Docker vulnerability scan #669

	name: Docker vulnerability scan

	on:
	workflow_dispatch:
	schedule:
	- cron: "0 4 * * *"

	env:
	REPOSITORY: aws-sentinel-connector
	REGISTRY: public.ecr.aws/cds-snc

	permissions:
	id-token: write
	security-events: write

	jobs:
	docker-vulnerability-scan:
	runs-on: ubuntu-latest

	steps:
	- name: Configure aws credentials using OIDC
	uses: aws-actions/configure-aws-credentials@master
	with:
	role-to-assume: arn:aws:iam::283582579564:role/aws-sentinel-connector-layer-apply
	role-session-name: SentinelGitHubActions
	aws-region: "us-east-1"

	- name: Login to Amazon ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
	with:
	registry-type: public

	- name: Get latest Docker image tag
	run: \|
	IMAGE_TAG="$(aws ecr-public describe-images --output json --repository-name aws-sentinel-connector --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' \| jq . --raw-output)"
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV

	- name: Docker vulnerability scan
	uses: cds-snc/security-tools/.github/actions/docker-scan@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
	env:
	TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
	with:
	docker_image: "${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ env.IMAGE_TAG }}"
	dockerfile_path: "layer/Dockerfile"
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Logout of Amazon ECR
	run: docker logout ${{ steps.login-ecr.outputs.registry }}

Provide feedback