
Commit e5c1201

author
Suma Kasa
committed
Use inspector API to check for vulnerabilities
1 parent 1557718 commit e5c1201


1 file changed

+20
-31
lines changed


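--- a/.github/workflows/docker-nightly-publish.yml
+++ b/.github/workflows/docker-nightly-publish.yml
@@ -180,50 +180,39 @@ jobs:
 fi
 IMAGE_TAG="$SERVING_VERSION-${{ matrix.arch }}${NIGHTLY}"
 echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_OUTPUT
-- name: Start ECR scan
+- name: Get image digest
+id: get-digest
 run: |
-aws ecr start-image-scan \
+DIGEST=$(aws ecr describe-images \
 --repository-name djl-ci-temp \
---image-id imageTag=${{ steps.get-tag.outputs.IMAGE_TAG }} \
---region us-east-1
-- name: Wait for scan and check results
+--image-ids imageTag=${{ steps.get-tag.outputs.IMAGE_TAG }} \
+--region us-east-1 \
+--query 'imageDetails[0].imageDigest' \
+--output text)
+echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
+- name: Check Inspector findings
 run: |
-echo "Waiting for scan to complete..."
-for i in {1..30}; do
-SCAN_STATUS=$(aws ecr describe-image-scan-findings \
---repository-name djl-ci-temp \
---image-id imageTag=${{ steps.get-tag.outputs.IMAGE_TAG }} \
---region us-east-1 \
---query 'imageScanStatus.status' \
---output text 2>/dev/null || echo "IN_PROGRESS")
-
-if [ "$SCAN_STATUS" = "COMPLETE" ]; then
-break
-fi
-echo "Scan status: $SCAN_STATUS (attempt $i/30)"
-sleep 10
-done
+REPO_URI="185921645874.dkr.ecr.us-east-1.amazonaws.com/djl-ci-temp"
+RESOURCE_ID="${REPO_URI}@${{ steps.get-digest.outputs.DIGEST }}"
 
-if [ "$SCAN_STATUS" != "COMPLETE" ]; then
-echo "ERROR: Scan did not complete in time"
-exit 1
-fi
+echo "Checking vulnerabilities for: $RESOURCE_ID"
+sleep 30
 
-FINDINGS=$(aws ecr describe-image-scan-findings \
---repository-name djl-ci-temp \
---image-id imageTag=${{ steps.get-tag.outputs.IMAGE_TAG }} \
---region us-east-1)
+FINDINGS=$(aws inspector2 list-findings \
+--filter-criteria '{"ecrImageHash":[{"comparison":"EQUALS","value":"${{ steps.get-digest.outputs.DIGEST }}"}]}' \
+--region us-east-1 \
+--output json)
 
-HIGH=$(echo "$FINDINGS" | jq -r '.imageScanFindings.findingSeverityCounts.HIGH // 0')
-CRITICAL=$(echo "$FINDINGS" | jq -r '.imageScanFindings.findingSeverityCounts.CRITICAL // 0')
+HIGH=$(echo "$FINDINGS" | jq '[.findings[] | select(.severity=="HIGH")] | length')
+CRITICAL=$(echo "$FINDINGS" | jq '[.findings[] | select(.severity=="CRITICAL")] | length')
 
 echo "Scan Results for ${{ matrix.arch }}:"
 echo "HIGH: $HIGH"
 echo "CRITICAL: $CRITICAL"
 
 if [ "$HIGH" -gt 0 ] || [ "$CRITICAL" -gt 0 ]; then
 echo "ERROR: Found HIGH or CRITICAL vulnerabilities"
-echo "$FINDINGS" | jq '.imageScanFindings'
+echo "$FINDINGS" | jq '.findings[] | select(.severity=="HIGH" or .severity=="CRITICAL") | {title, severity, description}'
 exit 1
 fi
 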
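Review bot: The vulnerability gate now fails open: the removed status loop and its `exit 1` on a scan that never reached COMPLETE have been replaced by a bare `sleep 30` before `aws inspector2 list-findings`, so an image whose Inspector scan has not finished yet, or a repository where enhanced scanning is not enabled, returns an empty `findings` array and passes with HIGH=0 / CRITICAL=0. Poll a per-digest completion signal before counting findings and fail the step on timeout, as the old code did for `imageScanStatus.status`; Inspector's `list-coverage` reports a `scanStatus` per covered resource that can serve as that signal (confirm the exact reason value reported once the initial scan is done). The `${{ steps.get-digest.outputs.DIGEST }}` expression is spliced into a single-quoted shell string inside `--filter-criteria`; exposing it through `env:` and referencing `"$DIGEST"` keeps the expression-in-shell pattern out of the script, even though this value comes from `describe-images` rather than untrusted input. `RESOURCE_ID` is only echoed and never used in the query; either filter on it or drop it. The enclosing job and the `get-tag` step start outside the hunk.
```yaml
# … unchanged: REPO_URI / RESOURCE_ID …
# Fail closed: do not count findings until Inspector reports the scan of this image as done.
SCAN_REASON=""
for i in {1..30}; do
  SCAN_REASON=$(aws inspector2 list-coverage \
    --filter-criteria '{"ecrRepositoryName":[{"comparison":"EQUALS","value":"djl-ci-temp"}],"ecrImageTags":[{"comparison":"EQUALS","value":"${{ steps.get-tag.outputs.IMAGE_TAG }}"}]}' \
    --region us-east-1 \
    --query 'coveredResources[0].scanStatus.reason' \
    --output text)
  # NOTE(review): confirm the reason value Inspector reports for a finished initial scan.
  if [ "$SCAN_REASON" = "SUCCESSFUL" ]; then
    break
  fi
  echo "Inspector scan status: $SCAN_REASON (attempt $i/30)"
  sleep 10
done
if [ "$SCAN_REASON" != "SUCCESSFUL" ]; then
  echo "ERROR: Inspector scan did not complete in time"
  exit 1
fi
# … unchanged: list-findings query, severity counts and gate …
```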
