forked from paavan98pm/container-app-security-cicd
-
Notifications
You must be signed in to change notification settings - Fork 1
115 lines (101 loc) · 3.95 KB
/
deploytoaws.yml
File metadata and controls
115 lines (101 loc) · 3.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
on:
push:
branches:
- main
name: Scan and CD
jobs:
scan:
name: Scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: build local container
uses: docker/build-push-action@v2
with:
tags: scannning-image:latest
push: false
load: true
- name: sarif-scan
id: sarif-scan
uses: anchore/scan-action@v3
with:
image: scannning-image:latest
fail-build: false
severity-cutoff: critical
acs-report-enable: true
- name: Inspect SARIF report
run: cat ${{ steps.sarif-scan.outputs.sarif }}
- name: upload SARIF report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.sarif-scan.outputs.sarif }}
deploy:
needs: scan
name: Deploy
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-2
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: con317/app
IMAGE_TAG: ${{ github.sha }}
run: |
# Build a docker container and
# push it to ECR so that it can
# be deployed to ECS.
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Check ECR image scan results for HIGH/CRITICAL vulnerabilities
id: ecr-scan-status
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: con317/app-repo
IMAGE_TAG: ${{ github.sha }}
run: |
# Check the status of the ECR scan
echo $ECR_REGISTRY
echo $ECR_REPOSITORY
echo $IMAGE_TAG
CURRENT_STATUS=$(aws ecr describe-image-scan-findings --repository-name con317/app --image-id imageTag=$IMAGE_TAG | jq -r .imageScanStatus.status)
echo "Current ECR scan status is: $CURRENT_STATUS"
while [ "${CURRENT_STATUS^^}" != "COMPLETE" ];
do sleep 3;
CURRENT_STATUS=$(aws ecr describe-image-scan-findings --repository-name con317/app --image-id imageTag=$IMAGE_TAG | jq -r .imageScanStatus.status)
done;
echo "Current ECR scan status is: $CURRENT_STATUS"
HIGH_VULNERABILITIES=$(aws ecr describe-image-scan-findings --repository-name con317/app --image-id imageTag=$IMAGE_TAG | jq -r .imageScanFindings.findingSeverityCounts.HIGH)
echo "HIGH_VULNERABILITIES: $HIGH_VULNERABILITIES"
CRITICAL_VULNERABILITIES=$(aws ecr describe-image-scan-findings --repository-name con317/app --image-id imageTag=$IMAGE_TAG | jq -r .imageScanFindings.findingSeverityCounts.CRITICAL)
echo "CRITICAL_VULNERABILITIES: $CRITICAL_VULNERABILITIES"
if [[ $HIGH_VULNERABILITIES -gt 0 || $CRITICAL_VULNERABILITIES -gt 0 ]];
then echo "ECR scan results have high or critical vulnerabilities. Cancelling deploy.";
exit 1;
fi
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: .aws/task-definition.json
container-name: con317
image: ${{ steps.build-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: con317
cluster: con317
wait-for-service-stability: true