Docker vulnerability scan #679

Workflow file for this run

.github/workflows/docker-vulnerability-scan.yml at 2d6f4a3

	name: Docker vulnerability scan

	on:
	workflow_dispatch:
	schedule:
	- cron: "0 4 * * *"

	env:
	AWS_REGION: ca-central-1
	ECR_REGISTRY: 729164266357.dkr.ecr.ca-central-1.amazonaws.com

	permissions:
	id-token: write
	contents: write
	security-events: write

	jobs:
	docker-vulnerability-scan:
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	include:
	- image: platform/apache
	path: wordpress/docker/apache/Dockerfile

	- image: platform/wordpress
	path: wordpress/docker/Dockerfile

	steps:
	- name: Configure AWS credentials using OIDC
	uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
	with:
	role-to-assume: arn:aws:iam::729164266357:role/gc-articles-plan
	role-session-name: ECRPull
	aws-region: ${{ env.AWS_REGION }}

	- name: Login to ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1

	- name: Get latest Docker image tag
	run: \|
	IMAGE_TAG="$(aws ecr describe-images --output json --repository-name ${{ matrix.image }} --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' \| jq . --raw-output)"
	echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV

	- name: Docker vulnerability scan Wordpress
	uses: cds-snc/security-tools/.github/actions/docker-scan@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
	env:
	TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
	with:
	docker_image: "${{ env.ECR_REGISTRY }}/${{ matrix.image }}:${{ env.IMAGE_TAG }}"
	dockerfile_path: "${{ matrix.path }}"
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Logout of Amazon ECR
	run: docker logout ${{ steps.login-ecr.outputs.registry }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Docker vulnerability scan #679

Workflow file

Docker vulnerability scan #679

Jobs

Run details

Workflow file for this run