Build & Scan Container Image #55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & Scan Container Image | |
| # This workflow demonstrates how to build | |
| # a Docker image, and then scan the image | |
| # with Inspector. This workflow runs automatically | |
| # every 6 hours, and on pushes. | |
| on: | |
| schedule: | |
| - cron: '0 */6 * * *' # runs every 6 hours | |
| push: | |
| branches: # | |
| - '*' | |
| jobs: | |
| build: | |
| name: Build docker image | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: plugin-development | |
| steps: | |
| - name: Checkout this repository | |
| uses: actions/checkout@v4 | |
| - name: Set up docker build prereqs (QEMU) | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up docker build prereqs (Buildx) | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: false | |
| tags: app:latest | |
| load: true | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| # TODO: use an IAM role | |
| - name: Scan built image with Inspector | |
| uses: aws/amazon-inspector-github-actions-plugin@main | |
| # TODO: bump action to v1 on release | |
| id: inspector | |
| with: | |
| artifact_type: 'container' | |
| artifact_path: 'ubuntu:14.04' | |
| output_sbom_path: 'sbom.json' | |
| output_inspector_scan_path: 'inspector_scan.json' | |
| output_inspector_scan_path_csv: 'inspector_scan.csv' | |
| critical_threshold: 1 | |
| high_threshold: 1 | |
| medium_threshold: 1 | |
| low_threshold: 1 | |
| other_threshold: 1 | |
| - name: Demonstrate SBOM Output (JSON) | |
| run: cat ${{ steps.inspector.outputs.artifact_sbom }} | |
| - name: Demonstrate Inspector Scan Output (JSON) | |
| run: cat ${{ steps.inspector.outputs.inspector_scan_results }} | |
| - name: Demonstrate Inspector Scan Output (CSV) | |
| run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }} | |
| - name: Demonstrate Upload Scan Results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: Inspector Scan SBOM Results | |
| path: | | |
| ${{ steps.inspector.outputs.inspector_scan_results }} | |
| ${{ steps.inspector.outputs.inspector_scan_results_csv }} | |
| ${{ steps.inspector.outputs.artifact_sbom }} | |
| - name: On vulnerability threshold exceeded | |
| # substitute 'exit' for 'echo' if you want to fail the job | |
| run: echo ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} | |