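---
# Scan the newest image of every repository in the ECR registry with Trivy and
# publish the findings to the GitHub Security tab (code scanning, SARIF).
#
# Security notes (review):
# - Both jobs authenticate to AWS with long-lived access keys held as
#   repository secrets. Prefer GitHub OIDC federation
#   (aws-actions/configure-aws-credentials with `role-to-assume` and a job
#   `id-token: write` permission) so no static key exists to leak; the role
#   only needs ecr:DescribeRepositories, ecr:DescribeImages,
#   ecr:GetAuthorizationToken, ecr:BatchGetImage and
#   ecr:GetDownloadUrlForLayer.
# - The result does not depend on the PR's code (it scans whatever is newest
#   in ECR), so a `schedule:` trigger is a better fit than `pull_request`,
#   which also runs this with the AWS secrets on every same-repo PR.
name: Trivy scan ECR

on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN; the scan job widens this explicitly.
permissions:
  contents: read

jobs:
  prepare:
    # ubuntu-20.04 has been retired from hosted runners.
    runs-on: ubuntu-22.04
    outputs:
      # {"image": [{"repository": "<name>", "ref": "<registry>/<name>:<tag>"}, ...]}
      matrix: ${{ steps.set-matrix.outputs.matrix }}
      # Number of entries in `matrix`, used to skip an empty scan matrix.
      count: ${{ steps.set-matrix.outputs.count }}
    steps:
      # No checkout step: nothing in this job reads the repository contents.
      - name: List repositories and get most recent image of each
        id: set-matrix
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: eu-north-1
        run: |
          set -euo pipefail
          registry_id="400406844298"
          region="$AWS_DEFAULT_REGION"
          entries=""
          # One line of JSON per repository that has at least one tagged image.
          for repository in $(aws ecr describe-repositories \
              --query 'repositories[].repositoryName' --output text); do
            # Newest image by push time; prints "None" for an empty repository
            # or when that image carries no tag at all.
            tag=$(aws ecr describe-images --repository-name "$repository" \
              --query 'sort_by(imageDetails,&imagePushedAt)[-1].imageTags[0]' \
              --output text)
            if [ "$tag" != "None" ]; then
              ref="${registry_id}.dkr.ecr.${region}.amazonaws.com/${repository}:${tag}"
              # Let jq do the JSON quoting; the hand-built string left a
              # trailing comma in the list and could not escape odd tags.
              entries+=$(jq -cn --arg repository "$repository" --arg ref "$ref" '$ARGS.named')$'\n'
            fi
          done
          # Slurp the lines into the matrix object; an empty registry yields
          # {"image": []} rather than malformed JSON.
          matrix=$(printf '%s' "$entries" | jq -cs '{image: .}')
          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
          echo "count=$(printf '%s' "$matrix" | jq '.image | length')" >> "$GITHUB_OUTPUT"

  scan:
    needs: prepare
    # A matrix with no values fails the job at expansion time; skip it instead.
    if: needs.prepare.outputs.count != '0'
    runs-on: ubuntu-22.04
    permissions:
      security-events: write  # required by upload-sarif
      actions: read           # required by upload-sarif on private repos
      contents: read
    strategy:
      # One unreadable image must not cancel the scans of the others.
      fail-fast: false
      matrix:
        image: ${{ fromJson(needs.prepare.outputs.matrix).image }}
    steps:
      - name: Run Trivy vulnerability scanner
        # TODO(review): pin to a release tag or, better, a full commit SHA.
        # `@master` is a mutable ref, so a compromised upstream would run here
        # with the AWS credentials below in its environment.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ matrix.image.ref }}
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: eu-north-1
      - name: Upload Trivy scan results to GitHub Security tab
        # codeql-action v2 is deprecated; v3 is the supported major.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
          # Without a distinct category every matrix leg's upload replaces the
          # previous one for this commit, leaving only a single image's
          # findings in the Security tab. Keyed on the repository name rather
          # than the tag so results stay comparable between runs.
          category: trivy-ecr-${{ matrix.image.repository }}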