add:script,action file & readme for ecr-scan

Author: Ujjwal048

README.md

@@ -0,0 +1,69 @@
+# ECR Image Scanning GitHub Action
+
+This GitHub Action automatically scans an ECR (Elastic Container Registry) image when it is pushed to the repository. It utilizes the AWS CLI and ECR scanning capabilities to perform the scan and provide a scan report.
+
+## Pre-requisites
+
+To use this action, ensure that you have the AWS CLI installed and properly configured in your runner environment. Additionally, make sure you provide the required AWS credentials with the necessary permissions to access and scan the ECR image..
+
+
+## Description
+
+This action utilizes a shell script executed within a Docker container to identify critical and high-level vulnerabilities linked to an image being pushed to the ECR repository.
+## Usage
+```
+name: Push to ECR
+
+on:
+  pull_request:
+    branches:
+      - main
+jobs:
+  Build-Push-Scan-Image:
+    runs-on: ubuntu-latest 
+    steps:
+    - name: Scan Docker image
+      id: docker-scan
+      uses: Ujjwal048/action-ecr-image-scan@main
+      env:
+        ECR_REPOSITORY: apparel-backend
+        IMAGE_TAG:  	${{ github.sha }}
+      with:
+        ecr_repository: ${{ env.ECR_REPOSITORY }}
+        image_tag: ${{ env.IMAGE_TAG }}
+        pr_comment: true
+        github_token: ${{ secrets.GITHUB_TOKEN }} 
+        url: ${{ github.event.pull_request.comments_url }}
+        aws_region: ap-south-1    
+    - name: Fail workflow if vulnerabilities found
+      env:
+        vulnerability: ${{ steps.docker-scan.outputs.VULNERABILITY }}  
+        block_build_on_failure: true               
+      run:  | 
+        if [ "${{env.block_build_on_failure }}" = true && "${{ env.vulnerability }}" = true ]; then
+        exit 1
+        fi
+```
+## Input
+
+   - aws-region (required): The AWS region where your ECR repository is located.
+   - ecr_repository (required): The name of your ECR repository.
+   - image_tag (required): Tag of the image being pushed
+   - pr_comment (required): true/false   
+   - github_token (required): For updating th PR comment with scan result
+   - url (required): URL for calling the POST request to update PR
+
+## Output
+
+After the scan is completed, this action will produce the scan results and provide a link to the scan report. The scan report and the detailed report URL in the AWS console will be included as comments in the pull request and displayed in the GitHub step summary for easy access and visibility.
+### Parameters passed as ouput
+     
+  - VULNERABILITY : If vulnerabilities are detected or not
+
+
+## Sample Output
+#### Github PR comment
+![Github PR Comment](outputs/github-pr-output.png)
+
+#### Github Summary Report
+![Github Summary](outputs/github-summary-output.png)

action.yml

@@ -0,0 +1,36 @@
+name: "Scan Docker Images On Push to ECR"
+description: "Scans for container image vulnerabilities when an image is pushed to ECR"
+inputs:
+  ecr_repository:
+    description: "Name of the ECR repository"
+    required: true
+  image_tag:
+    description: "ECR Image tag"
+    required: true
+  pr_comment:
+    description: "Whether to comment the result on PR"
+    required: true
+  github_token:
+    description: "Github token for updating PR"
+    required: true 
+  url:
+    description: "URL for calling POST request for updating PR"
+    required: true  
+  aws_region: 
+    description: "AWS region"
+    required: true    
+runs:
+  using: "docker"
+  image: "Dockerfile"
+  args:
+    - ${{ inputs.ecr_repository }}
+    - ${{ inputs.image_tag }}
+    - ${{ inputs.pr_comment }}
+    - ${{ inputs.github_token }}
+    - ${{ inputs.url }} 
+    - ${{ inputs.aws_region }}       
+outputs:
+  VULNERABILITY: 
+    description: 'If vulnerabilities are detected or not'      
+          
+    

entrypoint.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -e
+REPO_NAME=$INPUT_ECR_REPOSITORY
+IMAGE_TAG=$INPUT_IMAGE_TAG
+URL=$INPUT_URL
+GITHUB_TOKEN=$INPUT_GITHUB_TOKEN
+PR_COMMENT=$INPUT_PR_COMMENT
+REGION=$INPUT_AWS_REGION
+
+aws configure list >/dev/null 2>&1
+if [[ $? -eq 0 ]]; then
+    aws ecr start-image-scan --repository-name $REPO_NAME --image-id imageTag=$IMAGE_TAG
+    aws ecr wait image-scan-complete --repository-name $REPO_NAME --image-id imageTag=$IMAGE_TAG
+    if [ $(echo $?) -eq 0 ]; then
+        SCAN_FINDINGS=$(aws ecr describe-image-scan-findings --repository-name $REPO_NAME --image-id imageTag=$IMAGE_TAG | jq '.imageScanFindings.findingSeverityCounts')
+        CRITICAL=$(echo $SCAN_FINDINGS | jq '.CRITICAL // 0')
+        HIGH=$(echo $SCAN_FINDINGS | jq '.HIGH // 0')
+
+        ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
+        IMAGE_DIGEST=$(aws ecr describe-images --repository-name $REPO_NAME --image-ids imageTag=$IMAGE_TAG --query 'imageDetails[].imageDigest' --output text)
+        REPORT_URL="$(echo "https://$REGION.console.aws.amazon.com/ecr/repositories/private/$ACCOUNT_ID/$REPO_NAME/_/image/$IMAGE_DIGEST/scan-results?region=$REGION")"
+        SCAN_RESULT="$(echo "Found $CRITICAL CRITICAL and $HIGH HIGH level vulnerabilities in Docker image")"
+
+        if [[ $PR_COMMENT == true ]]; then
+         curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $GITHUB_TOKEN" "$URL" -d "{ \"body\": \"Docker Image Scan Output \\n >$SCAN_RESULT \\n For detailed scan report <a href=\\\"$REPORT_URL\\\"> Click here </a>\" }"
+        fi
+        
+        if [[  $CRITICAL != 0 || $HIGH != 0 ]]; then
+            VULNERABILITY=true
+        fi
+    fi
+    HYPERLINK_URL="[Click here]($REPORT_URL)"
+    echo "VULNERABILITY=$VULNERABILITY" >> $GITHUB_OUTPUT
+    echo "$SCAN_RESULT" >> $GITHUB_STEP_SUMMARY    
+    echo "Detailed Scan Report - $HYPERLINK_URL" >> $GITHUB_STEP_SUMMARY  
+  
+else
+    echo "AWS CLI is not configured."
+    exit 1
+fi
+
+
+