Scan an image uploaded to ECR and fail if vulnerabilities are found.
As of version 3.0.0
, only enhanced scanning is supported. Basic scanning support has been removed from this version onwards. If you still need basic scanning support, please use version ^2.0.1
. To enable enhanced scanning, check out the AWS documentation.
- name: Scan Docker image
id: docker-scan
uses: alexjurkiewicz/[email protected]
with:
repository: myorg/myimage
tag: v1.2.3
fail_threshold: high
Input | Required? | Description |
---|---|---|
repository | ✅ | ECR repository, eg myorg/myimage |
tag | ✅ | Image tag to scan |
fail_threshold | Fail if any vulnerabilities equal to or over this severity level are detected. Valid values: critical , high , medium , low , informational . Default value is high . |
|
missedCVELogLevel | Set the log level for missed CVEs. Valid values: error , warn . Determines whether a core.error or a core.warning is raised when the ignore list contains CVE IDs that were not found in the scan results. Default value is error. |
|
ignore_list | List of CVE IDs to ignore.ignore_list can either be a multi-line string (like the example below) or a list (separated using commas or spaces) containing CVE IDs to be ignored. |
Output | Description |
---|---|
total | Total number of vulnerabilities detected. |
critical | Number of critical vulnerabilities detected. |
high | Number of high vulnerabilities detected. |
medium | Number of medium vulnerabilities detected. |
low | Number of low vulnerabilities detected. |
informational | Number of informational vulnerabilities detected. |
unknown | Number of unknown vulnerabilities detected. |
findingsDetails | Details of findings. |
To use this GitHub action in your workflow, your ECR role/user will need to have the following permissions:
ecr:DescribeImageScanFindings
ecr:StartImageScan
(unless scan on push is enabled)
This example builds a docker image, uploads it to AWS ECR, then scans it for vulnerabilities.
on:
# Trigger on any GitHub release.
# If you want to trigger on tag creation, use `create`. However, this also
# fires for branch creation events which will break this example workflow.
- release
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-2
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build & Push Docker image
id: docker-build
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: myorg/myimage
# Use the git tag as the image tag.
# github.ref format is like `refs/tags/v0.0.1`, so we strip the the
# `refs/tags/` prefix and export this for later use.
IMAGE_TAG: ${{ github.ref }}
run: |
tag=${IMAGE_TAG##refs/tags/}
echo "Tag is $tag"
echo "::set-output name=tag::$tag"
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$tag .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$tag
- name: Scan Docker image
id: docker-scan
uses: alexjurkiewicz/[email protected]
with:
repository: myorg/myimage
tag: ${{ steps.docker-build.outputs.tag }}
# fail_threshold: medium
# ignore_list: |
# CVE-2014-7654321
# CVE-2014-456132
# Access scan results in later steps
- run: echo "${{ steps.docker-scan.outputs.total }} total vulnerabilities."
This action is implemented as a Docker rather than a Javascript action because that would require committing node_modules to the repository.
You can test the action by running it locally like so:
docker build -t ecr-scan-image:dev .
docker run -t \
-e INPUT_REPOSITORY=myorg/myapp \
-e INPUT_TAG=test-tag \
-e INPUT_FAIL_THRESHOLD=critical \
-e AWS_ACCESS_KEY_ID=xxx \
-e AWS_SECRET_ACCESS_KEY=xxx \
-e AWS_REGION=xxx \
ecr-scan-image:dev