Scan an image uploaded to ECR and fail if vulnerabilities are found.
As of version 3.0.0, only enhanced scanning is supported. Basic scanning support has been removed from this version onwards. If you still need basic scanning support, please use version ^2.0.1. To enable enhanced scanning, check out the AWS documentation.
```yaml
- name: Scan Docker image
  id: docker-scan
  uses: alexjurkiewicz/ecr-scan-image@<version>  # pin to the release tag you use
  with:
    repository: myorg/myimage
    tag: v1.2.3
    fail_threshold: high
```

| Input | Required? | Description |
|---|---|---|
| repository | ✅ | ECR repository, eg myorg/myimage |
| tag | ✅ | Image tag to scan |
| fail_threshold | | Fail if any vulnerabilities equal to or over this severity level are detected. Valid values: critical, high, medium, low, informational. Default value is high. |
| missedCVELogLevel | | Set the log level for missed CVEs. Valid values: error, warn. Determines whether a core.error or a core.warning is raised when the ignore list contains CVE IDs that were not found in the scan results. Default value is error. |
| ignore_list | | List of CVE IDs to ignore. ignore_list can either be a multi-line string (like the example below) or a list (separated using commas or spaces) containing CVE IDs to be ignored. |


| Output | Description |
|---|---|
| total | Total number of vulnerabilities detected. |
| critical | Number of critical vulnerabilities detected. |
| high | Number of high vulnerabilities detected. |
| medium | Number of medium vulnerabilities detected. |
| low | Number of low vulnerabilities detected. |
| informational | Number of informational vulnerabilities detected. |
| unknown | Number of unknown vulnerabilities detected. |
| findingsDetails | Details of findings. |
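As an added illustration (not the action's own code), the Python below models how fail_threshold, ignore_list and the count outputs above relate, run over a constructed findings list in the shape of ECR's enhanced-scan findings; the CVE-0000-* IDs are made up for this example.

```python
from collections import Counter

# Severity levels as the action documents them, most severe first.
SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNKNOWN"]

# Constructed sample in the shape of ECR enhanced-scan findings (only the two
# fields used here). The CVE-2014-* ID is the placeholder from the README
# example; the CVE-0000-* IDs are made up for this illustration.
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL", "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-2014-7654321"}},
    {"severity": "HIGH", "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001"}},
    {"severity": "MEDIUM", "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002"}},
    {"severity": "LOW", "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0003"}},
]


def parse_ignore_list(raw):
    """Accept a multi-line string or a comma/space separated list of CVE IDs."""
    return set(raw.replace(",", " ").split())


def evaluate(findings, fail_threshold="high", ignore_list=""):
    """Return action-style outputs, whether the step should fail, and which
    ignored CVE IDs never appeared in the scan (the missed-CVE case)."""
    threshold = fail_threshold.upper()
    if threshold not in SEVERITIES[:-1]:
        raise ValueError(f"invalid fail_threshold: {fail_threshold}")
    ignored = parse_ignore_list(ignore_list)
    seen, counts = set(), Counter()
    for finding in findings:
        cve = finding["packageVulnerabilityDetails"]["vulnerabilityId"]
        seen.add(cve)
        if cve in ignored:
            continue  # ignored findings count towards nothing
        severity = finding.get("severity", "UNKNOWN").upper()
        counts[severity if severity in SEVERITIES else "UNKNOWN"] += 1
    # "Equal to or over" the threshold: every level from CRITICAL down to it.
    # Assumption: UNKNOWN never trips the threshold on its own.
    failing = sum(counts[s] for s in SEVERITIES[: SEVERITIES.index(threshold) + 1])
    outputs = {s.lower(): counts[s] for s in SEVERITIES}
    outputs["total"] = sum(counts.values())
    return {"outputs": outputs, "fail": failing > 0, "missed_cves": sorted(ignored - seen)}


if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS, "high", "CVE-2014-7654321\nCVE-2014-456132")
    print(result)  # missed_cves lists CVE-2014-456132: report it at missedCVELogLevel
```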
To use this GitHub action in your workflow, your ECR role/user will need to have the following permissions:

- ecr:DescribeImageScanFindings
- ecr:StartImageScan (unless scan on push is enabled)
This example builds a Docker image, uploads it to AWS ECR, then scans it for vulnerabilities.

```yaml
on:
  # Trigger on any GitHub release.
  # If you want to trigger on tag creation, use `create`. However, this also
  # fires for branch creation events which will break this example workflow.
  - release
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-west-2
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Build & Push Docker image
        id: docker-build
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: myorg/myimage
          # Use the git tag as the image tag.
          # github.ref format is like `refs/tags/v0.0.1`, so we strip the
          # `refs/tags/` prefix and export this for later use.
          IMAGE_TAG: ${{ github.ref }}
        run: |
          tag=${IMAGE_TAG##refs/tags/}
          echo "Tag is $tag"
          echo "::set-output name=tag::$tag"
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$tag .
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$tag
      - name: Scan Docker image
        id: docker-scan
        uses: alexjurkiewicz/ecr-scan-image@<version>  # pin to the release tag you use
        with:
          repository: myorg/myimage
          tag: ${{ steps.docker-build.outputs.tag }}
          # fail_threshold: medium
          # ignore_list: |
          #   CVE-2014-7654321
          #   CVE-2014-456132
      # Access scan results in later steps
      - run: echo "${{ steps.docker-scan.outputs.total }} total vulnerabilities."
```

This action is implemented as a Docker action rather than a JavaScript action, because the latter would require committing node_modules to the repository.
You can test the action by running it locally like so:

```shell
docker build -t ecr-scan-image:dev .
docker run -t \
  -e INPUT_REPOSITORY=myorg/myapp \
  -e INPUT_TAG=test-tag \
  -e INPUT_FAIL_THRESHOLD=critical \
  -e AWS_ACCESS_KEY_ID=xxx \
  -e AWS_SECRET_ACCESS_KEY=xxx \
  -e AWS_REGION=xxx \
  ecr-scan-image:dev
```