Build & Scan Container Image #936

Workflow file for this run

.github/workflows/build_scan_container.yml at d771038

	name: Build & Scan Container Image

	# This workflow demonstrates how to build
	# a Docker image, and then scan the image
	# with Inspector. This workflow runs automatically
	# every 6 hours, and on pushes.

	on:
	schedule:
	- cron: '0 /6 * *' # runs every 6 hours
	push:
	branches: #
	- '*'

	jobs:
	build:
	name: Build docker image
	runs-on: ubuntu-latest
	environment:
	name: plugin-development

	steps:
	- name: Checkout this repository
	uses: actions/checkout@v4

	- name: Set up docker build prereqs (QEMU)
	uses: docker/setup-qemu-action@v3

	- name: Set up docker build prereqs (Buildx)
	uses: docker/setup-buildx-action@v3

	- name: Build Docker image
	uses: docker/build-push-action@v5
	with:
	context: .
	file: ./Dockerfile
	push: false
	tags: app:latest
	load: true

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-region: ${{ secrets.AWS_REGION }}
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	role-to-assume: ${{ secrets.AWS_IAM_ROLE }}

	- name: Scan built image with Inspector
	uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
	id: inspector
	with:
	artifact_type: 'container'
	artifact_path: 'app:latest'
	display_vulnerability_findings: "enabled"
	output_sbom_path: 'sbom.json'
	output_inspector_scan_path: 'inspector_scan.json'
	output_inspector_scan_path_csv: 'inspector_pkg_scan.csv'
	output_inspector_dockerfile_scan_path_csv: 'inspector_dockerfile_scan.csv'
	output_inspector_dockerfile_scan_path_markdown: 'inspector_dockerfile_scan.md'
	critical_threshold: 1
	high_threshold: 1
	medium_threshold: 1
	low_threshold: 1
	other_threshold: 1
	sbomgen_version: "latest"

	- name: Demonstrate SBOM Output (JSON)
	run: cat ${{ steps.inspector.outputs.artifact_sbom }}

	- name: Demonstrate Inspector Scan Output (JSON)
	run: cat ${{ steps.inspector.outputs.inspector_scan_results }}

	- name: Demonstrate Inspector Scan Output (CSV)
	run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }}

	- name: Display Dockerfile vulns (CSV)
	run: cat inspector_dockerfile_scan.csv

	- name: Display Dockerfile vulns (MD)
	run: cat inspector_dockerfile_scan.md

	- name: Debug Dockerfile output variables
	run: \|
	echo ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
	echo ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}

	- name: Demonstrate Upload Scan Results
	uses: actions/upload-artifact@v4
	with:
	name: Inspector Scan SBOM Results
	path: \|
	${{ steps.inspector.outputs.artifact_sbom }}
	${{ steps.inspector.outputs.inspector_scan_results }}
	${{ steps.inspector.outputs.inspector_scan_results_csv }}
	${{ steps.inspector.outputs.inspector_scan_results_markdown }}
	${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }}
	${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }}

	- name: On vulnerability threshold exceeded

	# substitute 'exit' for 'echo' if you want to fail the job
	run: echo ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build & Scan Container Image #936

Workflow file

Build & Scan Container Image #936

Jobs

Run details

Workflow file for this run