Skip to content

Docker vulnerability scan #733

Docker vulnerability scan

Docker vulnerability scan #733

name: Docker vulnerability scan
on:
workflow_dispatch:
schedule:
- cron: "0 4 * * *"
env:
REGISTRY: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/security-tools
permissions:
id-token: write
security-events: write
jobs:
docker-vulnerability-scan:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image:
- cloud_asset_inventory/cloudquery
- csp_violation_report_service
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/security-tools-apply
role-session-name: ECRPush
aws-region: ca-central-1
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
- name: Docker vulnerability scan
uses: cds-snc/security-tools/.github/actions/docker-scan@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
with:
docker_image: "${{ env.REGISTRY }}/${{ matrix.image }}:latest"
dockerfile_path: "images/${{ matrix.image }}/Dockerfile"
token: ${{ secrets.GITHUB_TOKEN }}
- name: Logout of Amazon ECR
run: docker logout ${{ steps.login-ecr.outputs.registry }}