Skip to content

Docker vulnerability scan #697

Docker vulnerability scan

Docker vulnerability scan #697

name: Docker vulnerability scan
on:
workflow_dispatch:
schedule:
- cron: "0 4 * * *"
env:
DOCKER_SLUG: public.ecr.aws/cds-snc/notify-document-download-api
permissions:
id-token: write # This is required for requesting the OIDC JWT
contents: read # This is required for actions/checkout
security-events: write # This is required for the docker-scan action
jobs:
docker-vulnerability-scan:
runs-on: ubuntu-latest
steps:
- name: Configure credentials to CDS public ECR using OIDC
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
role-to-assume: arn:aws:iam::283582579564:role/notification-document-download-api-apply
role-session-name: NotifyDocumentDownloadApiGitHubActions
aws-region: "us-east-1"
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
with:
registry-type: public
- name: Docker vulnerability scan
uses: cds-snc/security-tools/.github/actions/docker-scan@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
with:
docker_image: "${{ env.DOCKER_SLUG }}:latest"
dockerfile_path: "ci/Dockerfile"
token: "${{ secrets.GITHUB_TOKEN }}"
- name: Logout of Amazon ECR
run: docker logout ${{ steps.login-ecr.outputs.registry }}