Docker vulnerability scan #312

	name: Docker vulnerability scan

	on:
	workflow_dispatch:
	schedule:
	- cron: "0 4 * * *"

	env:
	REGISTRY: ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/security-tools

	permissions:
	id-token: write
	security-events: write

	jobs:
	docker-vulnerability-scan:
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	image:
	- cloud_asset_inventory/cloudquery
	- csp_violation_report_service

	steps:
	- name: Checkout
	uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

	- name: Configure AWS credentials using OIDC
	uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
	with:
	role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/security-tools-apply
	role-session-name: ECRPush
	aws-region: ca-central-1

	- name: Login to ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1

	- name: Docker vulnerability scan
	uses: cds-snc/security-tools/.github/actions/docker-scan@eecd7a02a0294b379411c126b61e5c29e253676a # v2.1.4
	with:
	docker_image: "${{ env.REGISTRY }}/${{ matrix.image }}:latest"
	dockerfile_path: "images/${{ matrix.image }}/Dockerfile"
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Logout of Amazon ECR
	run: docker logout ${{ steps.login-ecr.outputs.registry }}

Provide feedback