Skip to content

Github Action to run AWS ECR vulnerability scan on Docker image

License

Notifications You must be signed in to change notification settings

alexjurkiewicz/ecr-scan-image

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

ECR Image Scan Github Action

Scan an image uploaded to ECR and fail if vulnerabilities are found.

IMPORTANT UPDATE: Enhanced/Basic Scanning Support from v3.0.0

As of version 3.0.0, only enhanced scanning is supported. Basic scanning support has been removed from this version onwards. If you still need basic scanning support, please use version ^2.0.1. To enable enhanced scanning, check out the AWS documentation.

Quick Start

      - name: Scan Docker image
        id: docker-scan
        uses: alexjurkiewicz/[email protected]
        with:
          repository: myorg/myimage
          tag: v1.2.3
          fail_threshold: high

Inputs

Input Required? Description
repository ECR repository, eg myorg/myimage
tag Image tag to scan
fail_threshold Fail if any vulnerabilities equal to or over this severity level are detected. Valid values: critical, high, medium, low, informational. Default value is high.
missedCVELogLevel Set the log level for missed CVEs. Valid values: error, warn. Determines whether a core.error or a core.warning is raised when the ignore list contains CVE IDs that were not found in the scan results. Default value is error.
ignore_list List of CVE IDs to ignore.
⚠️ Note: The ignore_list can either be a multi-line string (like the example below) or a list (separated using commas or spaces) containing CVE IDs to be ignored.

Outputs

Output Description
total Total number of vulnerabilities detected.
critical Number of critical vulnerabilities detected.
high Number of high vulnerabilities detected.
medium Number of medium vulnerabilities detected.
low Number of low vulnerabilities detected.
informational Number of informational vulnerabilities detected.
unknown Number of unknown vulnerabilities detected.
findingsDetails Details of findings.

Required ECR permissions

To use this GitHub action in your workflow, your ECR role/user will need to have the following permissions:

  • ecr:DescribeImageScanFindings
  • ecr:StartImageScan (unless scan on push is enabled)

Example

This example builds a docker image, uploads it to AWS ECR, then scans it for vulnerabilities.

on:
  # Trigger on any GitHub release.
  # If you want to trigger on tag creation, use `create`. However, this also
  # fires for branch creation events which will break this example workflow.
  - release
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-west-2
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Build & Push Docker image
        id: docker-build
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: myorg/myimage
          # Use the git tag as the image tag.
          # github.ref format is like `refs/tags/v0.0.1`, so we strip the the
          # `refs/tags/` prefix and export this for later use.
          IMAGE_TAG: ${{ github.ref }}
        run: |
          tag=${IMAGE_TAG##refs/tags/}
          echo "Tag is $tag"
          echo "::set-output name=tag::$tag"
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$tag .
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$tag
      - name: Scan Docker image
        id: docker-scan
        uses: alexjurkiewicz/[email protected]
        with:
          repository: myorg/myimage
          tag: ${{ steps.docker-build.outputs.tag }}
          # fail_threshold: medium
          # ignore_list: |
          #   CVE-2014-7654321
          #   CVE-2014-456132
      # Access scan results in later steps
      - run: echo "${{ steps.docker-scan.outputs.total }} total vulnerabilities."

Development

This action is implemented as a Docker rather than a Javascript action because that would require committing node_modules to the repository.

You can test the action by running it locally like so:

docker build -t ecr-scan-image:dev .
docker run -t \
  -e INPUT_REPOSITORY=myorg/myapp \
  -e INPUT_TAG=test-tag \
  -e INPUT_FAIL_THRESHOLD=critical \
  -e AWS_ACCESS_KEY_ID=xxx \
  -e AWS_SECRET_ACCESS_KEY=xxx \
  -e AWS_REGION=xxx \
  ecr-scan-image:dev

About

Github Action to run AWS ECR vulnerability scan on Docker image

Resources

License

Stars

Watchers

Forks

Packages

No packages published