fix: changed base docker image to use pre-built base (#7)

* fix: changed base docker image to use pre-built base

* fix: changed to public image

* fix: added missing aws region

* chore: debugging

* fix: added scan retries

Dockerfile

@@ -1,21 +1,9 @@
-ARG ALPINE_VERSION="3.19"
+ARG BASE_RUNNER_IMAGE_VERSION="1.3.0"
 
-FROM alpine:${ALPINE_VERSION}
-
-ARG BASH_VERSION="5"
-ARG AWS_CLI_VERSION="2"
-ARG JQ_VERSION="1"
-ARG CURL_VERSION="8"
-ARG GIT_VERSION="2"
-ARG GITHUB_CLI_VERSION="2"
+FROM heycardocker/infra-docker-actions:${BASE_RUNNER_IMAGE_VERSION}
 
 WORKDIR /scripts
 
-RUN apk update --no-cache; \
-    apk upgrade --no-cache; \
-    apk add --no-cache bash~=${BASH_VERSION} aws-cli~=${AWS_CLI_VERSION} jq~=${JQ_VERSION} curl~=${CURL_VERSION} git~=${GIT_VERSION} github-cli~=${GITHUB_CLI_VERSION}; \
-    rm -rf /var/cache/apk/*
-
 ENV LOG_LEVEL "INFO"
 ENV LOG_TIMESTAMPED "true"
 ENV DEBUG_MODE "false"

action.yml

@@ -18,6 +18,9 @@ inputs:
     description: Set to true in order to enable timestamps on log messages
     required: false
     default: 'true'
+  aws-region:
+    description: AWS region to run in
+    required: true
   aws-account-id:
     description: AWS account ID to use for ECR repo
     required: true
@@ -43,6 +46,7 @@ runs:
     LOG_LEVEL: ${{ inputs.log-level }}
     LOG_TIMESTAMPED: ${{ inputs.log-timestamped }}
     AWS_ACCOUNT_ID: ${{ inputs.aws-account-id }}
+    AWS_REGION: ${{ inputs.aws-region }}
     ECR_REPO_NAME: ${{ inputs.ecr-repo-name }}
     ECR_REPO_TAG: ${{ inputs.ecr-repo-tag }}
     USE_ALPHA_REGISTRY: ${{ inputs.use-alpha }}

scripts/gh-utils.sh

@@ -45,8 +45,8 @@ function comment_on_pull_request() {
 
   log_out "Commenting on ${_repo_org}/${_repo_name}#${_pr_number}"
   if [[ -z "${_comment_id}" ]]; then
-    printf "%s" "${_comment_body}" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
+    printf "%s" "$(cat "${_comment_body}")" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
   else
-    printf "%s \n %s" "$(get_formatted_comment_id "${_comment_id}")" "${_comment_body}" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
+    printf "%s \n %s" "$(get_formatted_comment_id "${_comment_id}")" "$(cat "${_comment_body}")" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
   fi
 }

scripts/script.sh

@@ -3,10 +3,30 @@
 . "$(dirname "$0")/utils.sh"
 . "$(dirname "$0")/gh-utils.sh"
 
+sleep 15
+
+function get_scans() {
+  _scan_repo_name="${1}"
+  _scan_count="${2:-0}"
+
+  if [[ $_scan_count -ge 3 ]]; then
+    log_fatal "Scan took toolong. Aborting."
+  fi
+
+  _scan_results_tmp="$(aws --region "${AWS_REGION}" ecr describe-image-scan-findings --repository-name "${_scan_repo_name}" --image-id="imageTag=${ECR_REPO_TAG}")"
+  if [[ "$(echo "${_scan_results_tmp}" | jq '.imageScanStatus.status')" == "IN_PROGRESS" ]]; then
+    sleep 15
+    get_scans "${_scan_repo_name}" $((_scan_count + 1))
+  else
+    echo "${_scan_results_tmp}" | jq '.imageScanFindings.findingSeverityCounts // {}'
+  fi
+}
+
 REPO_ORG=${GITHUB_REPOSITORY_OWNER}
 REPO_NAME=$(echo "${GITHUB_REPOSITORY}" | cut -d "/" -f2)
 
 check_env_var "AWS_ACCOUNT_ID"
+check_env_var "AWS_REGION"
 check_env_var "ECR_REPO_NAME"
 check_env_var "ECR_REPO_TAG"
 check_env_var "PR_NUMBER"
@@ -21,21 +41,24 @@ _scan_repo_link="https://eu-central-1.console.aws.amazon.com/ecr/repositories/pr
 
 log_info "Fetching scan results from ECR"
 log_debug "repo=\"${_scan_repo_name}\" | imageTag=\"${ECR_REPO_TAG}\""
-_scan_results="$(aws ecr describe-image-scan-findings --repository-name "${_scan_repo_name}" --image-id="imageTag=${ECR_REPO_TAG}" | jq '.imageScanFindings.findingSeverityCounts // {}')"
 
-_scan_results_comment=""
+_scan_results="$(get_scans "${_scan_repo_name}")"
+
+_scan_results_comment="./.tmp.scan-results.txt"
 if [[ "${_scan_results}" == "{}" ]]; then
   log_info "Did not find any vulnerabilities on the ECR repo."
-  _scan_results_comment=":tada: Did not find any vulnerabilities in [${_scan_repo_name}](${_scan_repo_link}). Good job :+1:"
+  echo ":tada: Did not find any vulnerabilities in [${_scan_repo_name}](${_scan_repo_link}). Good job :+1:" >>"${_scan_results_comment}"
 else
   log_info "Found vulnerabilities on ECR."
-  _scan_results_comment="${_scan_results_comment}\n:warning: Found the following number of vulnerabilities on [${_scan_repo_name}](${_scan_repo_link}):"
-  _scan_results_comment="${_scan_results_comment}\n- type \`CRITICAL\`: **$(echo "${_scan_results}" | jq '.CRITICAL // 0')**"
-  _scan_results_comment="${_scan_results_comment}\n- type \`HIGH\`: **$(echo "${_scan_results}" | jq '.HIGH // 0')**"
-  _scan_results_comment="${_scan_results_comment}\n- type \`MEDIUM\`: **$(echo "${_scan_results}" | jq '.MEDIUM // 0')**"
-  _scan_results_comment="${_scan_results_comment}\n- type \`LOW\`: **$(echo "${_scan_results}" | jq '.LOW // 0')**"
-  _scan_results_comment="${_scan_results_comment}\n- type \`UNDEFINED\`: **$(echo "${_scan_results}" | jq '.UNDEFINED // 0')**"
-  _scan_results_comment="${_scan_results_comment}\n- type \`INFORMATIONAL\`: **$(echo "${_scan_results}" | jq '.INFORMATIONAL // 0')**"
+  {
+    echo ":warning: Found the following number of vulnerabilities on [${_scan_repo_name}](${_scan_repo_link}):"
+    echo "- type \`CRITICAL\`: **$(echo "${_scan_results}" | jq '.CRITICAL // 0')**"
+    echo "- type \`HIGH\`: **$(echo "${_scan_results}" | jq '.HIGH // 0')**"
+    echo "- type \`MEDIUM\`: **$(echo "${_scan_results}" | jq '.MEDIUM // 0')**"
+    echo "- type \`LOW\`: **$(echo "${_scan_results}" | jq '.LOW // 0')**"
+    echo "- type \`UNDEFINED\`: **$(echo "${_scan_results}" | jq '.UNDEFINED // 0')**"
+    echo "- type \`INFORMATIONAL\`: **$(echo "${_scan_results}" | jq '.INFORMATIONAL // 0')**"
+  } >>"${_scan_results_comment}"
 fi
 
 comment_on_pull_request "${REPO_ORG}" \
@@ -44,3 +67,9 @@ comment_on_pull_request "${REPO_ORG}" \
   "${_scan_results_comment}" \
   "true" \
   "scan-results:${_scan_repo_name}"
+
+rm "${_scan_results_comment}"
+
+if [[ "$(echo "${_scan_results}" | jq '.CRITICAL // 0')" != 0 ]]; then
+  log_fatal "Please fix critical vulnerabilities"
+fi