Skip to content
Docker vulnerability scan

Docker vulnerability scan #738

Sign in to view logs

Docker vulnerability scan

Docker vulnerability scan #738

Workflow file for this run

.github/workflows/docker-vulnerability-scan.yml at c33bc24
name: Docker vulnerability scan
on:
workflow_dispatch:
schedule:
- cron: "0 4 * * *"
permissions:
id-token: write
security-events: write
env:
DOCKER_SLUG: 239043911459.dkr.ecr.ca-central-1.amazonaws.com
jobs:
docker-vulnerability-scan:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- lambda: blazer
image: database-tools/blazer
- lambda: google-cidr
image: lambda/google-cidr
- lambda: heartbeat
image: notify/heartbeat
- lambda: sesemailcallbacks
image: notify/ses_to_sqs_email_callbacks
- lambda: sesreceivingemails
image: notify/ses_receiving_emails
- lambda: snssmscallbacks
image: notify/sns_to_sqs_sms_callbacks
# TODO need an image uploaded for this to work
# - lambda: pinpointsmscallbacks
# image: notify/pinpoint_to_sqs_sms_callbacks
- lambda: system_status
image: notify/system_status
steps:
- name: Staging AWS credentials
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # tag=v1.7.0
with:
role-to-assume: arn:aws:iam::239043911459:role/notification-lambdas-apply
role-session-name: ECRPush
aws-region: ca-central-1
- name: Staging ECR login
id: staging-ecr
uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
- name: Docker vulnerability scan
uses: cds-snc/security-tools/.github/actions/docker-scan@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
TRIVY_JAVA_DB_REPOSITORY: ${{ vars.TRIVY_JAVA_DB_REPOSITORY }}
with:
docker_image: "${{ env.DOCKER_SLUG }}/${{ matrix.image }}:latest"
dockerfile_path: "${{ matrix.lambda }}/Dockerfile"
token: "${{ secrets.GITHUB_TOKEN }}"
- name: Staging ECR logout
run: docker logout ${{ steps.staging-ecr.outputs.registry }}