action.yml
## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
## SPDX-License-Identifier: Apache-2.0
name: image-scan
description: |
  This action performs a scan of a provided (local or public ECR remote) image, using Trivy.
inputs:
  image-ref:
    required: true
    description: "Reference for the image to be scanned"
  severity:
    required: true
    description: "List of severities that will cause a failure"
runs:
  using: "composite"
  steps:
    # Per https://docs.aws.amazon.com/AmazonECR/latest/public/docker-pull-ecr-image.html, it is possible to
    # make unauthenticated calls to get public ECR images (needed to build the ADOT Java docker image), but
    # it can fail if you previously authenticated to a public repo. This step logs out, so we
    # ensure we can make unauthenticated calls. This is important for making the pr_build workflow run on
    # PRs created from forked repos.
    - name: Logout of public AWS ECR
      shell: bash
      run: docker logout public.ecr.aws
    - name: Run Trivy vulnerability scanner on image
      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1
      with:
        image-ref: ${{ inputs.image-ref }}
        severity: ${{ inputs.severity }}
        exit-code: '1'
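The following is an added example of a caller workflow that wires this composite action into a pull-request build; it is not part of the project's own files. It assumes the action is checked in at `./.github/actions/image-scan` in the same repository and that the image under test is built locally and tagged `example-image:pr` (both are placeholder names, not taken from the page).

```yaml
# Added example caller workflow (not from the original action.yml).
# Assumptions: the composite action lives at ./.github/actions/image-scan
# in this repository, and the image is built locally as example-image:pr.
name: pr_build
on:
  pull_request:

# A read-only token is all the scan needs; on PRs from forks this is also
# the most the runner will get, which is why the action pulls ECR public
# images unauthenticated.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # A local composite action is only resolvable after checkout.
      - uses: actions/checkout@v4

      # Build the image locally so the scan covers exactly what this PR produces.
      - name: Build image
        run: docker build -t example-image:pr .

      # The action passes exit-code '1' to Trivy, so the severity list is what
      # decides which findings fail the job; MEDIUM and below are reported only
      # in the log and do not block the PR.
      - name: Scan image
        uses: ./.github/actions/image-scan
        with:
          image-ref: example-image:pr
          severity: CRITICAL,HIGH
```

The `severity` value is passed through unchanged to the pinned `aquasecurity/trivy-action`, which expects a comma-separated list of Trivy severity names; widening it to `MEDIUM,HIGH,CRITICAL` makes the same step stricter without any change to the action itself.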