Enable ECR image scanning on cicd pipeline
MeghnaPrabhu authored and PettitWesley committed Oct 29, 2020
1 parent cdf7775 commit fe9ad29
Showing 2 changed files with 24 additions and 1 deletion.
1 change: 1 addition & 0 deletions buildspec.yml
@@ -20,6 +20,7 @@ phases:
- architecture=$(docker inspect --format='{{.Architecture}}' amazon/aws-for-fluent-bit)
- docker tag amazon/aws-for-fluent-bit:latest ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:$architecture
- docker push ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:$architecture
- './scripts/publish.sh cicd-verify-ecr-image-scan ${AWS_REGION} amazon/aws-for-fluent-bit-test $architecture'

# Create manifest list
- export DOCKER_CLI_EXPERIMENTAL=enabled
24 changes: 23 additions & 1 deletion scripts/publish.sh
@@ -176,7 +176,7 @@ sync_latest_image() {
if [ "$IMAGE_SHA_MATCHED" = "FALSE" ]; then
aws ecr create-repository --repository-name aws-for-fluent-bit --image-scanning-configuration scanOnPush=true --region ${region} || true
push_image_ecr amazon/aws-for-fluent-bit:${arch}-${AWS_FOR_FLUENT_BIT_VERSION} \
${account_id}.dkr.ecr.${region}.${endpoint}/aws-for-fluent-bit:${arch}-${AWS_FOR_FLUENT_BIT_VERSION}
${account_id}.dkr.ecr.${region}.${endpoint}/aws-for-fluent-bit:${arch}-${AWS_FOR_FLUENT_BIT_VERSION}
fi
done

@@ -274,6 +274,24 @@ verify_ecr() {
verify_sha $sha1 $sha2
}

verify_ecr_image_scan() {
region=${1}
repo_uri=${2}
tag=${3}

imageTag=$(aws ecr list-images --repository-name ${repo_uri} --region ${region} | jq -r '.imageIds[].imageTag' | grep -c ${tag} || echo "0")
if [ "$imageTag" = '1' ]; then
aws ecr start-image-scan --repository-name ${repo_uri} --image-id imageTag=${tag} --region ${region}
aws ecr wait image-scan-complete --repository-name ${repo_uri} --region ${region} --image-id imageTag=${tag}
highVulnerabilityCount=$(aws ecr describe-image-scan-findings --repository-name ${repo_uri} --region ${region} --image-id imageTag=${tag} | jq '.imageScanFindings.findingSeverityCounts.HIGH')
criticalVulnerabilityCount=$(aws ecr describe-image-scan-findings --repository-name ${repo_uri} --region ${region} --image-id imageTag=${tag} | jq '.imageScanFindings.findingSeverityCounts.CRITICAL')
if [ "$highVulnerabilityCount" != null ] || [ "$criticalVulnerabilityCount" != null ]; then
echo "Uploaded image ${tag} has ${vulnerabilityCount} vulnerabilities."
exit 1
fi
fi
}

verify_dockerhub() {
# Get the image SHA's
sha1=$(docker pull amazon/aws-for-fluent-bit:latest | grep sha256: | cut -f 3 -d :)
@@ -552,4 +570,8 @@ if [ "${1}" = "cicd-verify-ssm" ]; then
verify_ssm ${region}
done
fi
fi

if [ "${1}" = "cicd-verify-ecr-image-scan" ]; then
verify_ecr_image_scan ${2} ${3} ${4}
fi
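Review bot: The image lookup in verify_ecr_image_scan fails open: `grep -c ${tag}` treats the unquoted tag as an unanchored regex, and since `grep -c` prints `0` and exits 1 on no match the `|| echo "0"` branch appends a second line, so any result other than exactly `1` (image missing, or a tag that is a substring of another tag in the repository) silently skips the scan instead of failing the pipeline. The error message `echo "Uploaded image ${tag} has ${vulnerabilityCount} vulnerabilities."` references a variable that is never set; the values actually computed are `highVulnerabilityCount` and `criticalVulnerabilityCount`. If the scan ends in a FAILED state, `findingSeverityCounts` is absent and both jq results are `null`, which the `!= null` test treats as a clean image; I can't tell from this page whether the script runs under `set -e`, so the non-zero `aws ecr wait` may not stop it either. The rewrite below fetches the findings once and makes the existence check, the scan status and the severity counts all fail closed; the dispatcher in the last hunk would also benefit from quoting its arguments, `verify_ecr_image_scan "${2}" "${3}" "${4}"`.
```shell
verify_ecr_image_scan() {
    region=${1}
    repo_uri=${2}
    tag=${3}

    # Fail closed: a missing image is a pipeline error, not a pass.
    if ! aws ecr describe-images --repository-name "${repo_uri}" --region "${region}" --image-ids imageTag="${tag}" > /dev/null; then
        echo "Image ${repo_uri}:${tag} not found in ${region}; cannot scan."
        exit 1
    fi
    aws ecr start-image-scan --repository-name "${repo_uri}" --image-id imageTag="${tag}" --region "${region}"
    aws ecr wait image-scan-complete --repository-name "${repo_uri}" --region "${region}" --image-id imageTag="${tag}"
    findings=$(aws ecr describe-image-scan-findings --repository-name "${repo_uri}" --region "${region}" --image-id imageTag="${tag}")
    # A FAILED or still-running scan has no severity counts; do not treat that as clean.
    scan_status=$(echo "${findings}" | jq -r '.imageScanStatus.status')
    if [ "${scan_status}" != "COMPLETE" ]; then
        echo "Image scan for ${tag} did not complete (status: ${scan_status})."
        exit 1
    fi
    highVulnerabilityCount=$(echo "${findings}" | jq '.imageScanFindings.findingSeverityCounts.HIGH // 0')
    criticalVulnerabilityCount=$(echo "${findings}" | jq '.imageScanFindings.findingSeverityCounts.CRITICAL // 0')
    if [ "${highVulnerabilityCount}" != "0" ] || [ "${criticalVulnerabilityCount}" != "0" ]; then
        echo "Uploaded image ${tag} has ${highVulnerabilityCount} HIGH and ${criticalVulnerabilityCount} CRITICAL vulnerabilities."
        exit 1
    fi
}
```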
