Skip to content
Trivy scan ECR

Update Dockerfile #156

Sign in to view logs

Update Dockerfile

Update Dockerfile #156

Workflow file for this run

.github/workflows/trivyImage.yml at 50e39cb
name: Trivy scan ECR
on:
push:
branches:
- main
pull_request:
jobs:
prepare:
runs-on: ubuntu-20.04
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: List repositories and get most recent image of each
run: |
registry_id="400406844298"
region="eu-north-1"
# List all repositories in the ECR registry
repositories=$(aws ecr describe-repositories --query 'repositories[].repositoryName' --output text)
images=""
for repository in $repositories; do
# Get the most recent image tag from the repository
most_recent_image_tag=$(aws ecr describe-images --repository-name $repository --query 'sort_by(imageDetails,&imagePushedAt)[-1].imageTags[0]' --output text)
if [ "$most_recent_image_tag" != "None" ]; then
images="$images\"$registry_id.dkr.ecr.$region.amazonaws.com/$repository:$most_recent_image_tag\","
fi
done
echo "IMAGE_MATRIX={\"image\": [$images]}" >> $GITHUB_ENV
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: eu-north-1
- name: Set matrix
run: echo "matrix=$IMAGE_MATRIX" >> $GITHUB_OUTPUT
id: set-matrix
scan:
needs: prepare
runs-on: ubuntu-20.04
permissions:
security-events: write
actions: read
contents: read
strategy:
matrix:
image: ${{fromJson(needs.prepare.outputs.matrix).image }}
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ matrix.image }}
format: 'sarif'
output: 'trivy-results.sarif'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: eu-north-1
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'