diff --git a/Dockerfile b/Dockerfile
index c9472f3..2cc787e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,21 +1,9 @@
-ARG ALPINE_VERSION="3.19"
+ARG BASE_RUNNER_IMAGE_VERSION="1.3.0"
 
-FROM alpine:${ALPINE_VERSION}
-
-ARG BASH_VERSION="5"
-ARG AWS_CLI_VERSION="2"
-ARG JQ_VERSION="1"
-ARG CURL_VERSION="8"
-ARG GIT_VERSION="2"
-ARG GITHUB_CLI_VERSION="2"
+FROM heycardocker/infra-docker-actions:${BASE_RUNNER_IMAGE_VERSION}
 
 WORKDIR /scripts
 
-RUN apk update --no-cache; \
-    apk upgrade --no-cache; \
-    apk add --no-cache bash~=${BASH_VERSION} aws-cli~=${AWS_CLI_VERSION} jq~=${JQ_VERSION} curl~=${CURL_VERSION} git~=${GIT_VERSION} github-cli~=${GITHUB_CLI_VERSION}; \
-    rm -rf /var/cache/apk/*
-
 ENV LOG_LEVEL "INFO"
 ENV LOG_TIMESTAMPED "true"
 ENV DEBUG_MODE "false"
diff --git a/action.yml b/action.yml
index feb0d4b..ae5f458 100644
--- a/action.yml
+++ b/action.yml
@@ -18,6 +18,9 @@ inputs:
     description: Set to true in order to enable timestamps on log messages
     required: false
     default: 'true'
+  aws-region:
+    description: AWS region to run in
+    required: true
   aws-account-id:
     description: AWS account ID to use for ECR repo
     required: true
@@ -43,6 +46,7 @@ runs:
     LOG_LEVEL: ${{ inputs.log-level }}
     LOG_TIMESTAMPED: ${{ inputs.log-timestamped }}
     AWS_ACCOUNT_ID: ${{ inputs.aws-account-id }}
+    AWS_REGION: ${{ inputs.aws-region }}
     ECR_REPO_NAME: ${{ inputs.ecr-repo-name }}
     ECR_REPO_TAG: ${{ inputs.ecr-repo-tag }}
     USE_ALPHA_REGISTRY: ${{ inputs.use-alpha }}
diff --git a/scripts/gh-utils.sh b/scripts/gh-utils.sh
index d30eff8..a0adcd8 100644
--- a/scripts/gh-utils.sh
+++ b/scripts/gh-utils.sh
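Review bot: `FROM heycardocker/infra-docker-actions:${BASE_RUNNER_IMAGE_VERSION}` pins the new base only by a mutable tag, whereas the removed `apk add` line constrained every tool the scripts depend on (`bash~=`, `aws-cli~=`, `jq~=`, `github-cli~=`) inside this file; which CLI versions end up in the action image now depends entirely on what that tag resolves to on build day. Because this image is consumed by other workflows, pin by digest as well, `FROM heycardocker/infra-docker-actions:${BASE_RUNNER_IMAGE_VERSION}@sha256:<digest-from-registry>`, and add a comment naming the tool versions that base release ships so a reviewer can see what changed when the version bumps. The remainder of the Dockerfile, including whether a non-root `USER` is set, is outside the hunk.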
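Review bot: The new `aws-region` input in `@@ -18,6 +18,9 @@` is `required: true` with no `default`, so every existing workflow that uses this action fails input validation until it is updated, and the second hunk wires it into `AWS_REGION` unconditionally. If that is intended, state it as a breaking change in the release notes; otherwise add a default such as `default: 'eu-central-1'`, which is the region the script's console link already hard-codes, and keep `required: false`.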
@@ -45,8 +45,8 @@ function comment_on_pull_request() {
   log_out "Commenting on ${_repo_org}/${_repo_name}#${_pr_number}"
 
   if [[ -z "${_comment_id}" ]]; then
-    printf "%s" "${_comment_body}" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
+    printf "%s" "$(cat "${_comment_body}")" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
   else
-    printf "%s \n %s" "$(get_formatted_comment_id "${_comment_id}")" "${_comment_body}" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
+    printf "%s \n %s" "$(get_formatted_comment_id "${_comment_id}")" "$(cat "${_comment_body}")" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
   fi
 }
diff --git a/scripts/script.sh b/scripts/script.sh
index 18e8908..93d26cd 100755
--- a/scripts/script.sh
+++ b/scripts/script.sh
@@ -3,10 +3,30 @@
 . "$(dirname "$0")/utils.sh"
 . "$(dirname "$0")/gh-utils.sh"
 
+sleep 15
+
+function get_scans() {
+  _scan_repo_name="${1}"
+  _scan_count="${2:-0}"
+
+  if [[ $_scan_count -ge 3 ]]; then
+    log_fatal "Scan took toolong. Aborting."
+  fi
+
+  _scan_results_tmp="$(aws --region "${AWS_REGION}" ecr describe-image-scan-findings --repository-name "${_scan_repo_name}" --image-id="imageTag=${ECR_REPO_TAG}")"
+  if [[ "$(echo "${_scan_results_tmp}" | jq '.imageScanStatus.status')" == "IN_PROGRESS" ]]; then
+    sleep 15
+    get_scans "${_scan_repo_name}" $((_scan_count + 1))
+  else
+    echo "${_scan_results_tmp}" | jq '.imageScanFindings.findingSeverityCounts // {}'
+  fi
+}
+
 REPO_ORG=${GITHUB_REPOSITORY_OWNER}
 REPO_NAME=$(echo "${GITHUB_REPOSITORY}" | cut -d "/" -f2)
 
 check_env_var "AWS_ACCOUNT_ID"
+check_env_var "AWS_REGION"
 check_env_var "ECR_REPO_NAME"
 check_env_var "ECR_REPO_TAG"
 check_env_var "PR_NUMBER"
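Review bot: `printf "%s" "$(cat "${_comment_body}")"` silently changes the meaning of the comment-body parameter from text to a file path, with no check that the path exists; a caller still passing a literal string gets a `cat` error on stderr and, since a failed command substitution inside a pipeline does not stop the pipeline, an empty comment is posted. Validate it up front, `[[ -r "${_comment_body}" ]] || log_fatal "comment body file not readable: ${_comment_body}"`, or drop the substitution and let `gh` read the file directly, `gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F "${_comment_body}"`, which also avoids `$(cat ...)` stripping trailing newlines from the body. The same applies to the `else` branch, where `{ get_formatted_comment_id "${_comment_id}"; cat "${_comment_body}"; } | gh pr comment ... -F -` reads as intended. The function's signature and its earlier lines are outside the hunk, so the parameter's documentation, if any, should be updated there too.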
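Review bot: In `get_scans`, `jq '.imageScanStatus.status'` prints the JSON-encoded string with its quotes, so the comparison `== "IN_PROGRESS"` can never be true and the retry branch is dead code: an in-progress scan falls straight into `else`, where `findingSeverityCounts // {}` yields `{}` and the image is reported as clean. Use `jq -r '.imageScanStatus.status'` so the raw value is compared. Statuses other than `IN_PROGRESS` and `COMPLETE` (ECR also reports `FAILED`) should presumably go to `log_fatal` rather than be treated as zero findings, and an `aws` failure leaves `_scan_results_tmp` empty and takes the same silent path unless the script's preamble (outside the hunk) enables errexit/pipefail. The top-level `sleep 15` before the first call and the typo in `"Scan took toolong. Aborting."` are minor; whether three 15-second attempts are enough for a real scan is for the authors to confirm.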
@@ -21,21 +41,24 @@ _scan_repo_link="https://eu-central-1.console.aws.amazon.com/ecr/repositories/pr
 log_info "Fetching scan results from ECR"
 log_debug "repo=\"${_scan_repo_name}\" | imageTag=\"${ECR_REPO_TAG}\""
 
-_scan_results="$(aws ecr describe-image-scan-findings --repository-name "${_scan_repo_name}" --image-id="imageTag=${ECR_REPO_TAG}" | jq '.imageScanFindings.findingSeverityCounts // {}')"
-_scan_results_comment=""
+_scan_results="$(get_scans "${_scan_repo_name}")"
+
+_scan_results_comment="./.tmp.scan-results.txt"
 
 if [[ "${_scan_results}" == "{}" ]]; then
   log_info "Did not find any vulnerabilities on the ECR repo."
-  _scan_results_comment=":tada: Did not find any vulnerabilities in [${_scan_repo_name}](${_scan_repo_link}). Good job :+1:"
+  echo ":tada: Did not find any vulnerabilities in [${_scan_repo_name}](${_scan_repo_link}). Good job :+1:" >>"${_scan_results_comment}"
 else
   log_info "Found vulnerabilities on ECR."
-  _scan_results_comment="${_scan_results_comment}\n:warning: Found the following number of vulnerabilities on [${_scan_repo_name}](${_scan_repo_link}):"
-  _scan_results_comment="${_scan_results_comment}\n- type \`CRITICAL\`: **$(echo "${_scan_results}" | jq '.CRITICAL // 0')**"
-  _scan_results_comment="${_scan_results_comment}\n- type \`HIGH\`: **$(echo "${_scan_results}" | jq '.HIGH // 0')**"
-  _scan_results_comment="${_scan_results_comment}\n- type \`MEDIUM\`: **$(echo "${_scan_results}" | jq '.MEDIUM // 0')**"
-  _scan_results_comment="${_scan_results_comment}\n- type \`LOW\`: **$(echo "${_scan_results}" | jq '.LOW // 0')**"
-  _scan_results_comment="${_scan_results_comment}\n- type \`UNDEFINED\`: **$(echo "${_scan_results}" | jq '.UNDEFINED // 0')**"
-  _scan_results_comment="${_scan_results_comment}\n- type \`INFORMATIONAL\`: **$(echo "${_scan_results}" | jq '.INFORMATIONAL // 0')**"
+  {
+    echo ":warning: Found the following number of vulnerabilities on [${_scan_repo_name}](${_scan_repo_link}):"
+    echo "- type \`CRITICAL\`: **$(echo "${_scan_results}" | jq '.CRITICAL // 0')**"
+    echo "- type \`HIGH\`: **$(echo "${_scan_results}" | jq '.HIGH // 0')**"
+    echo "- type \`MEDIUM\`: **$(echo "${_scan_results}" | jq '.MEDIUM // 0')**"
+    echo "- type \`LOW\`: **$(echo "${_scan_results}" | jq '.LOW // 0')**"
+    echo "- type \`UNDEFINED\`: **$(echo "${_scan_results}" | jq '.UNDEFINED // 0')**"
+    echo "- type \`INFORMATIONAL\`: **$(echo "${_scan_results}" | jq '.INFORMATIONAL // 0')**"
+  } >>"${_scan_results_comment}"
 fi
 
 comment_on_pull_request "${REPO_ORG}" \
@@ -44,3 +67,9 @@ comment_on_pull_request "${REPO_ORG}" \
   "${_scan_results_comment}" \
   "true" \
   "scan-results:${_scan_repo_name}"
+
+rm "${_scan_results_comment}"
+
+if [[ "$(echo "${_scan_results}" | jq '.CRITICAL // 0')" != 0 ]]; then
+  log_fatal "Please fix critical vulnerabilities"
+fi