generated from cds-snc/project-template
-
Notifications
You must be signed in to change notification settings - Fork 0
40 lines (33 loc) · 1.24 KB
/
docker_vulnerability_scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: Docker vulnerability scan
on:
workflow_dispatch:
schedule:
- cron: "0 4 * * *"
env:
AWS_REGION: ca-central-1
ECR_REGISTRY: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/list-manager
permissions:
id-token: write
contents: write
security-events: write
jobs:
docker-vulnerability-scan:
runs-on: ubuntu-latest
steps:
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/list-manager-plan
role-session-name: ECRPull
aws-region: ${{ env.AWS_REGION }}
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
- name: Docker vulnerability scan
uses: cds-snc/security-tools/.github/actions/docker-scan@598deeaed48ab3bb0df85f0ed124ba53f0ade385 # v3.1.0
with:
docker_image: "${{ env.ECR_REGISTRY }}/api:latest"
dockerfile_path: "api/Dockerfile"
token: ${{ secrets.GITHUB_TOKEN }}
- name: Logout of Amazon ECR
run: docker logout ${{ steps.login-ecr.outputs.registry }}