You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
GitHub Action
AWS ECR Scan Docker Image
v1.7.0
Scan an image uploaded to ECR and fail if vulnerabilities are found.
- name: Scan Docker image
id: docker-scan
uses: alexjurkiewicz/[email protected]
with:
repository: myorg/myimage
tag: v1.2.3
fail_threshold: high
Input | Required? | Description |
---|---|---|
repository | ✅ | ECR repository, eg myorg/myimage |
tag | ✅ | Image tag to scan |
fail_threshold | Fail if any vulnerabilities equal to or over this severity level are detected. Valid values: critical, high, medium, low, informational. Default value is high. | |
ignore_list | List of CVE IDs to ignore.ignore_list can either be a multi-line string (like the example below) or a list (separated using commas or spaces) containing CVE IDs to be ignored. |
Output | Description |
---|---|
total | Total number of vulnerabilities detected. |
critical | Number of critical vulnerabilities detected. |
high | Number of high vulnerabilities detected. |
medium | Number of medium vulnerabilities detected. |
low | Number of low vulnerabilities detected. |
informational | Number of informational vulnerabilities detected. |
unknown | Number of unknown vulnerabilities detected. |
To use this GitHub action in your workflow, your ECR role/user will need to have the following permissions:
ecr:DescribeImageScanFindings
ecr:StartImageScan
(unless scan on push is enabled)
This example builds a docker image, uploads it to AWS ECR, then scans it for vulnerabilities.
on:
# Trigger on any GitHub release.
# If you want to trigger on tag creation, use `create`. However, this also
# fires for branch creation events which will break this example workflow.
- release
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-2
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build & Push Docker image
id: docker-build
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: myorg/myimage
# Use the git tag as the image tag.
# github.ref format is like `refs/tags/v0.0.1`, so we strip the the
# `refs/tags/` prefix and export this for later use.
IMAGE_TAG: ${{ github.ref }}
run: |
tag=${IMAGE_TAG##refs/tags/}
echo "Tag is $tag"
echo "::set-output name=tag::$tag"
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$tag .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$tag
- name: Scan Docker image
id: docker-scan
uses: alexjurkiewicz/[email protected]
with:
repository: myorg/myimage
tag: ${{ steps.docker-build.outputs.tag }}
# fail_threshold: medium
# ignore_list: |
# CVE-2014-7654321
# CVE-2014-456132
# Access scan results in later steps
- run: echo "${{ steps.docker-scan.outputs.total }} total vulnerabilities."
This action is implemented as a Docker rather than a Javascript action because that would require committing node_modules to the repository.
You can test the action by running it locally like so:
docker build -t ecr-scan-image:dev .
docker run -t \
-e INPUT_REPOSITORY=myorg/myapp \
-e INPUT_TAG=test-tag \
-e INPUT_FAIL_THRESHOLD=critical \
-e AWS_ACCESS_KEY_ID=xxx \
-e AWS_SECRET_ACCESS_KEY=xxx \
-e AWS_REGION=xxx \
ecr-scan-image:dev