
Commit 8d9980a

committed
check scan result properly
1 parent 5156421 commit 8d9980a


1 file changed

+22
-8
lines changed


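--- a/.github/scripts/check_ecr_image_scan_results.sh
+++ b/.github/scripts/check_ecr_image_scan_results.sh
@@ -1,4 +1,5 @@
-#!/bin/bash
+#!/usr/bin/env bash
+set -e
 
 if [ -z "${REPOSITORY_NAME}" ]; then
 echo "REPOSITORY_NAME not set"
@@ -17,12 +18,14 @@ function wait_for_scan() {
 echo "SCAN IS NOT YET COMPLETE..."
 sleep 3
 done
+echo "Final sleep to ensure suppressions are applied correctly"
+sleep 5
 }
 
 function check_for_high_critical_vuln() {
 scan_results=$(aws ecr describe-image-scan-findings --repository-name "${REPOSITORY_NAME}" --image-id imageTag="${IMAGE_TAG}")
-high=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.HIGH)
-critical=$(echo "$scan_results" | jq .imageScanFindings.findingSeverityCounts.CRITICAL)
+high=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "HIGH" and .status != "SUPPRESSED")')
+critical=$(echo "$scan_results" | jq '.imageScanFindings.enhancedFindings[]? | select(.severity == "CRITICAL" and .status != "SUPPRESSED")')
 }
 
 function return_scan_results() {
@@ -35,20 +38,31 @@ function return_error() {
 echo -e "\n**********************************************************"
 echo "**********************************************************"
 echo "**********************************************************"
-echo "ERROR: There are CRITICAL/HIGH vulnerabilties. Stopping build."
+echo "ERROR: There are CRITICAL/HIGH vulnerabilities. Stopping build."
 echo "**********************************************************"
 echo "**********************************************************"
 echo "**********************************************************"
 exit 2
 }
 
 function analyze_scan_results() {
-if [[ $critical -gt 0 ]]; then
-echo "ERROR: There are CRITICAL vulnerabilties. Stopping build."
+if [[ -n "$critical" ]]; then
+echo "ERROR: There are CRITICAL vulnerabilities. Stopping build."
+
+echo "=== BEGIN CRITICAL IMAGE SCAN RESULTS ==="
+echo "$critical"
+echo "=== END CRITICAL IMAGE SCAN RESULTS ==="
+
 return_scan_results
+
 return_error
-elif [[ $high -gt 0 ]]; then
-echo "ERROR: There are HIGH vulnerabilties. Stopping build."
+elif [[ -n "$high" ]]; then
+echo "ERROR: There are HIGH vulnerabilities. Stopping build."
+
+echo "=== BEGIN HIGH IMAGE SCAN RESULTS ==="
+echo "$high"
+echo "=== END HIGH IMAGE SCAN RESULTS ==="
+
 return_scan_results
 return_error
 else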
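Review bot: The new jq filters in check_for_high_critical_vuln fail open: `.imageScanFindings.enhancedFindings[]?` silently yields nothing when `enhancedFindings` is missing or null (a repository still on basic scanning whose findings live under `.findings`, or a response with no `imageScanFindings` at all), so `$critical` and `$high` are empty, analyze_scan_results falls into its else branch and the image is waved through as clean. I would reject that shape explicitly before filtering, e.g. `echo "$scan_results" | jq -e '.imageScanFindings.enhancedFindings | type == "array"' >/dev/null || { echo "ERROR: scan result has no enhancedFindings array" >&2; exit 2; }`, which still passes a genuinely empty array. Whether basic-scanning repositories can reach this script I cannot tell from the hunk, so treat that as the case to confirm. Separately, `set -e` on its own does not fail a pipeline whose non-final stage dies; `set -euo pipefail` is the usual strict set for a gating script like this. The else branch of analyze_scan_results continues past the end of the hunk.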
