From 0b727a065fe5aaf101c17c1312649e88dd4530cc Mon Sep 17 00:00:00 2001
From: Steve Liu
Date: Tue, 12 Aug 2025 15:56:11 -0700
Subject: [PATCH 1/2] add loging to image scan workflow

---
 .github/actions/image_scan/action.yml | 4 ++++
 .github/workflows/owasp.yml | 15 +++++++++++++++
 .github/workflows/pr-build.yml | 1 +
 3 files changed, 20 insertions(+)

diff --git a/.github/actions/image_scan/action.yml b/.github/actions/image_scan/action.yml
index eb19f78609..3223662313 100644
--- a/.github/actions/image_scan/action.yml
+++ b/.github/actions/image_scan/action.yml
@@ -11,6 +11,9 @@ inputs:
 severity:
 required: true
 description: "List of severities that will cause a failure"
+ logout:
+ required: true
+ description: "Whether to logout of public AWS ECR"
 
 runs:
 using: "composite"
@@ -22,6 +25,7 @@ runs:
 # ensure we can make unauthenticated call. This is important for making the pr_build workflow run on
 # PRs created from forked repos.
 - name: Logout of public AWS ECR
+ if: inputs.logout == 'true'
 shell: bash
 run: docker logout public.ecr.aws
 
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
index 54ce812326..2a84530ce1 100644
--- a/.github/workflows/owasp.yml
+++ b/.github/workflows/owasp.yml
@@ -76,6 +76,17 @@ jobs:
 if: ${{ steps.dep_scan.outcome != 'success' }}
 run: less dependency-check-report.html
 
+ - name: Configure AWS credentials for image scan
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
+ aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+ - name: Login to Public ECR
+ uses: docker/login-action@v3
+ with:
+ registry: public.ecr.aws
+
 - name: Perform high image scan on v1
 if: always()
 id: high_scan_v1
@@ -83,6 +94,7 @@ jobs:
 with:
 image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v1.33.0"
 severity: 'CRITICAL,HIGH'
+ logout: 'false'
 
 - name: Perform low image scan on v1
 if: always()
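Review bot: The new `logout` input has no `default`, so a caller that omits it gets an empty string and the logout step is skipped — the opposite of the action's previous unconditional logout. GitHub only warns (it does not fail the run) when a required composite-action input is omitted, so `required: true` on its own does not guard against this. Adding `default: 'true'` under `logout:` keeps the prior fail-safe behaviour for any caller this commit does not update (pr-build.yml passes `'true'` explicitly and the owasp.yml scans pass `'false'`, but other callers are outside this patch).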
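Review bot: The comment above the Logout step still describes an unconditional logout ("ensure we can make unauthenticated call"), while the step is now gated on `if: inputs.logout == 'true'`; the comment block appears to start before this hunk. Suggest extending it with `# Skipped unless the logout input is exactly 'true' (the scheduled owasp scan signs in first and passes 'false').` The comparison is a case-sensitive string match, so values like `'True'` or `'TRUE'` also skip the logout; that is worth stating in the input description so callers do not assume boolean semantics.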
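Review bot: The two new steps ("Configure AWS credentials for image scan" and "Login to Public ECR") carry no `if: always()`, while every scan step they feed does; if an earlier step in the job fails, the login is skipped but the `if: always()` scans still run with `logout: 'false'` and no session, i.e. exactly the unauthenticated pulls this change sets out to avoid. Consider `if: always()` on both new steps so authentication shares the scans' execution condition, or gate the scans on the login step's outcome. Both actions are pinned to mutable tags (`@v4`, `@v3`); if the rest of this workflow pins third-party actions to commit SHAs, match that here. The job-level `permissions` (OIDC `id-token: write` needed for `role-to-assume`) are outside the hunk, so whether they are already granted cannot be confirmed from this diff.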
@@ -91,6 +103,7 @@ jobs:
 with:
 image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v1.33.0"
 severity: 'MEDIUM,LOW,UNKNOWN'
+ logout: 'false'
 
 - name: Perform high image scan on v2
 if: always()
@@ -99,6 +112,7 @@ jobs:
 with:
 image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.11.1"
 severity: 'CRITICAL,HIGH'
+ logout: 'false'
 
 - name: Perform low image scan on v2
 if: always()
@@ -107,6 +121,7 @@ jobs:
 with:
 image-ref: "public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v2.11.1"
 severity: 'MEDIUM,LOW,UNKNOWN'
+ logout: 'false'
 
 - name: Configure AWS Credentials for emitting metrics
 if: always()
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 1c4e5f9810..9db324aad2 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -147,6 +147,7 @@ jobs:
 with:
 image-ref: ${{ env.TEST_TAG }}
 severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+ logout: 'true'
 
 - name: Test docker image
 if: ${{ matrix.os == 'ubuntu-latest' }}

From b1fa64815a4e28c63ab872e0f69bb76d5a051a0e Mon Sep 17 00:00:00 2001
From: Steve Liu
Date: Wed, 13 Aug 2025 09:06:09 -0700
Subject: [PATCH 2/2] add more detailed description for logout variable

---
 .github/actions/image_scan/action.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/actions/image_scan/action.yml b/.github/actions/image_scan/action.yml
index 3223662313..7a98a5906a 100644
--- a/.github/actions/image_scan/action.yml
+++ b/.github/actions/image_scan/action.yml
@@ -13,7 +13,9 @@ inputs:
 description: "List of severities that will cause a failure"
 logout:
 required: true
- description: "Whether to logout of public AWS ECR"
+ description: |
 Whether to logout of public AWS ECR. Set to 'true' for PR workflows to avoid potential call failures, 'false' for daily scans which has a higher bar for passing regularly and specifically wants to sign in.
 
 runs:
 using: "composite"
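Review bot: The new description reads "daily scans which has a higher bar" and uses "logout" as a verb; suggest `Whether to log out of public AWS ECR.` and `'false' for the daily scans, which have a higher bar for passing and deliberately sign in first.` It would also help to state that only the exact string 'true' triggers the logout, since the step condition added in the first patch is a case-sensitive string comparison (`inputs.logout == 'true'`), so `'True'` or an empty value behaves like 'false'.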