Run Image Scan for Amazon CloudWatch Observability Helm Chart

Run Image Scan for Amazon CloudWatch Observability Helm Chart #83

Workflow file for this run

.github/workflows/amazon-cloudwatch-observability-image-scan.yaml at 50245a7

	name: Run Image Scan for Amazon CloudWatch Observability Helm Chart

	on:
	schedule:
	- cron: 0 13 * * MON # Every Monday at 1PM UTC (9AM EST)
	workflow_dispatch:

	permissions:
	id-token: write
	contents: read

	env:
	TERRAFORM_AWS_ASSUME_ROLE: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
	AWS_DEFAULT_REGION: us-west-2

	jobs:
	ContainerImageScan:
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	container_images:
	- registry: ".manager.image.repositoryDomainMap.public"
	repository: ".manager.image.repository"
	tag: ".manager.image.tag"

	- registry: ".manager.autoInstrumentationImage.java.repositoryDomain"
	repository: ".manager.autoInstrumentationImage.java.repository"
	tag: ".manager.autoInstrumentationImage.java.tag"

	- registry: ".manager.autoInstrumentationImage.python.repositoryDomain"
	repository: ".manager.autoInstrumentationImage.python.repository"
	tag: ".manager.autoInstrumentationImage.python.tag"

	- registry: ".manager.autoInstrumentationImage.dotnet.repositoryDomain"
	repository: ".manager.autoInstrumentationImage.dotnet.repository"
	tag: ".manager.autoInstrumentationImage.dotnet.tag"

	- registry: ".manager.autoInstrumentationImage.nodejs.repositoryDomain"
	repository: ".manager.autoInstrumentationImage.nodejs.repository"
	tag: ".manager.autoInstrumentationImage.nodejs.tag"

	- registry: ".agent.image.repositoryDomainMap.public"
	repository: ".agent.image.repository"
	tag: ".agent.image.tag"

	- registry: ".dcgmExporter.image.repositoryDomainMap.public"
	repository: ".dcgmExporter.image.repository"
	tag: ".dcgmExporter.image.tag"

	- registry: ".neuronMonitor.image.repositoryDomainMap.public"
	repository: ".neuronMonitor.image.repository"
	tag: ".neuronMonitor.image.tag"

	steps:
	- uses: actions/checkout@v3
	with:
	fetch-depth: 0

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v2
	with:
	role-to-assume: ${{ env.TERRAFORM_AWS_ASSUME_ROLE }}
	aws-region: ${{ env.AWS_DEFAULT_REGION }}

	- name: "Get image registry"
	id: registry
	uses: mikefarah/yq@master
	with:
	cmd: yq '${{ matrix.container_images.registry }}' charts/amazon-cloudwatch-observability/values.yaml

	- name: "Get image repository"
	id: repository
	uses: mikefarah/yq@master
	with:
	cmd: yq '${{ matrix.container_images.repository }}' charts/amazon-cloudwatch-observability/values.yaml

	- name: "Get image tag"
	id: tag
	uses: mikefarah/yq@master
	with:
	cmd: yq '${{ matrix.container_images.tag }}' charts/amazon-cloudwatch-observability/values.yaml

	- name: "Scan for vulnerabilities"
	id: scan
	uses: crazy-max/ghaction-container-scan@v3
	with:
	image: ${{ steps.registry.outputs.result }}/${{ steps.repository.outputs.result }}:${{ steps.tag.outputs.result }}
	severity_threshold: HIGH
	annotations: true
	- run: cat ${{ steps.scan.outputs.json }}
	if: success() \|\| failure()
	# from https://stackoverflow.com/questions/61919141/read-json-file-in-github-actions
	- run: \|
	SCAN_RESULT=$(jq -cr '"\(.ArtifactName): " + (.Results \| .[] \| select(.Vulnerabilities != null) \| .Vulnerabilities \| map(.VulnerabilityID) \| join(", "))' ${{ steps.scan.outputs.json }} \| cut -c -2999)
	echo "SCAN_RESULT<<EOF" >> $GITHUB_ENV
	echo "$SCAN_RESULT" >> $GITHUB_ENV
	echo "EOF" >> $GITHUB_ENV
	if: success() \|\| failure()
	- if: success() \|\| failure()
	run: \|
	echo '${{ env.SCAN_RESULT }}'
	- name: Send a saved artifact to a Slack workflow
	if: success() \|\| failure()
	run: \|
	curl -X POST "${{ secrets.SLACK_WEBHOOK_URL }}" \
	-H "Content-Type: application/json" \
	-d '{"results": "${{ env.SCAN_RESULT }}"}'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Run Image Scan for Amazon CloudWatch Observability Helm Chart #83

Workflow file

Run Image Scan for Amazon CloudWatch Observability Helm Chart #83

Jobs

Run details

Workflow file for this run