Enable ECR image scanning on cicd pipeline

aws · Sep 28, 2020 · 63f66bb · 63f66bb
1 parent a5b3d11
commit 63f66bb
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/buildspec.yml b/buildspec.yml
@@ -20,6 +20,7 @@ phases:
       - architecture=$(docker inspect --format='{{.Architecture}}'  amazon/aws-for-fluent-bit)
       - docker tag amazon/aws-for-fluent-bit:latest ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:$architecture
       - docker push ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:$architecture
+      - './scripts/publish.sh cicd-verify-ecr-image-scan ${AWS_REGION} amazon/aws-for-fluent-bit-test $architecture'
 
        # Create manifest list
       - export DOCKER_CLI_EXPERIMENTAL=enabled

diff --git a/scripts/publish.sh b/scripts/publish.sh
@@ -174,6 +174,9 @@ sync_latest_image() {
 			aws ecr create-repository --repository-name aws-for-fluent-bit --image-scanning-configuration scanOnPush=true --region ${region}  || true
 			push_image_ecr amazon/aws-for-fluent-bit:${arch}-${AWS_FOR_FLUENT_BIT_VERSION} \
 				${account_id}.dkr.ecr.${region}.${endpoint}/aws-for-fluent-bit:${arch}-${AWS_FOR_FLUENT_BIT_VERSION}
+
+			# Added verification for sanity check.
+			verify_ecr_image_scan ${region} aws-for-fluent-bit "$arch"-${AWS_FOR_FLUENT_BIT_VERSION} 
 		fi
 	done
 
@@ -239,6 +242,9 @@ publish_ecr() {
 	do
 		push_image_ecr ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"$arch" \
 			${account_id}.dkr.ecr.${region}.amazonaws.com/aws-for-fluent-bit:"$arch"-${AWS_FOR_FLUENT_BIT_VERSION}
+
+		# Added verification for sanity check even though we are pushing the same image that we scanned in build stage.
+		verify_ecr_image_scan ${region} aws-for-fluent-bit "$arch"-${AWS_FOR_FLUENT_BIT_VERSION} 
 	done
 
 	create_manifest_list ${account_id}.dkr.ecr.${region}.amazonaws.com/aws-for-fluent-bit ${AWS_FOR_FLUENT_BIT_VERSION}
@@ -271,6 +277,24 @@ verify_ecr() {
 	verify_sha $sha1 $sha2
 }
 
+verify_ecr_image_scan() {
+	region=${1}
+	repo_uri=${2}
+	tag=${3}
+
+	imageTag=$(aws ecr list-images  --repository-name ${repo_uri} --region ${region} | jq -r '.imageIds[].imageTag' | grep -c ${tag} || echo "0")
+	if [ "$imageTag" = '1' ]; then
+		aws ecr start-image-scan --repository-name ${repo_uri} --image-id imageTag=${tag} --region ${region}	
+		aws ecr wait image-scan-complete --repository-name ${repo_uri} --region ${region} --image-id imageTag=${tag}
+		highVulnerabilityCount=$(aws ecr describe-image-scan-findings --repository-name ${repo_uri} --region ${region} --image-id imageTag=${tag} | jq '.imageScanFindings.findingSeverityCounts.HIGH')
+		criticalVulnerabilityCount=$(aws ecr describe-image-scan-findings --repository-name ${repo_uri} --region ${region} --image-id imageTag=${tag} | jq '.imageScanFindings.findingSeverityCounts.CRITICAL')
+		if [ "$highVulnerabilityCount" != null ] || [ "$criticalVulnerabilityCount" != null ]; then
+			echo "Uploaded image ${tag} has ${vulnerabilityCount} vulnerabilities."
+			exit 1
+		fi	
+	fi
+}
+
 verify_dockerhub() {
 	# Get the image SHA's
 	sha1=$(docker pull amazon/aws-for-fluent-bit:latest | grep sha256: | cut -f 3 -d :)
@@ -549,4 +573,8 @@ if [ "${1}" = "cicd-verify-ssm" ]; then
 			verify_ssm ${region}
 		done
 	fi
+fi
+
+if [ "${1}" = "cicd-verify-ecr-image-scan" ]; then
+	verify_ecr_image_scan ${2} ${3} ${4}	
 fi