-
Notifications
You must be signed in to change notification settings - Fork 19
105 lines (88 loc) · 3.81 KB
/
amazon-cloudwatch-observability-image-scan.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
name: Run Image Scan for Amazon CloudWatch Observability Helm Chart
on:
schedule:
- cron: 0 13 * * MON # Every Monday at 1PM UTC (9AM EST)
workflow_dispatch:
permissions:
id-token: write
contents: read
env:
TERRAFORM_AWS_ASSUME_ROLE: ${{ secrets.TERRAFORM_AWS_ASSUME_ROLE }}
AWS_DEFAULT_REGION: us-west-2
jobs:
ContainerImageScan:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
container_images:
- registry: ".manager.image.repositoryDomainMap.public"
repository: ".manager.image.repository"
tag: ".manager.image.tag"
- registry: ".manager.autoInstrumentationImage.java.repositoryDomain"
repository: ".manager.autoInstrumentationImage.java.repository"
tag: ".manager.autoInstrumentationImage.java.tag"
- registry: ".manager.autoInstrumentationImage.python.repositoryDomain"
repository: ".manager.autoInstrumentationImage.python.repository"
tag: ".manager.autoInstrumentationImage.python.tag"
- registry: ".manager.autoInstrumentationImage.dotnet.repositoryDomain"
repository: ".manager.autoInstrumentationImage.dotnet.repository"
tag: ".manager.autoInstrumentationImage.dotnet.tag"
- registry: ".manager.autoInstrumentationImage.nodejs.repositoryDomain"
repository: ".manager.autoInstrumentationImage.nodejs.repository"
tag: ".manager.autoInstrumentationImage.nodejs.tag"
- registry: ".agent.image.repositoryDomainMap.public"
repository: ".agent.image.repository"
tag: ".agent.image.tag"
- registry: ".dcgmExporter.image.repositoryDomainMap.public"
repository: ".dcgmExporter.image.repository"
tag: ".dcgmExporter.image.tag"
- registry: ".neuronMonitor.image.repositoryDomainMap.public"
repository: ".neuronMonitor.image.repository"
tag: ".neuronMonitor.image.tag"
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ env.TERRAFORM_AWS_ASSUME_ROLE }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
- name: "Get image registry"
id: registry
uses: mikefarah/yq@master
with:
cmd: yq '${{ matrix.container_images.registry }}' charts/amazon-cloudwatch-observability/values.yaml
- name: "Get image repository"
id: repository
uses: mikefarah/yq@master
with:
cmd: yq '${{ matrix.container_images.repository }}' charts/amazon-cloudwatch-observability/values.yaml
- name: "Get image tag"
id: tag
uses: mikefarah/yq@master
with:
cmd: yq '${{ matrix.container_images.tag }}' charts/amazon-cloudwatch-observability/values.yaml
- name: "Scan for vulnerabilities"
id: scan
uses: crazy-max/ghaction-container-scan@v3
with:
image: ${{ steps.registry.outputs.result }}/${{ steps.repository.outputs.result }}:${{ steps.tag.outputs.result }}
severity_threshold: HIGH
annotations: true
# from https://stackoverflow.com/questions/61919141/read-json-file-in-github-actions
- run: echo "SCAN_RESULT=$(jq -sc . ${{ steps.scan.outputs.json }})" >> $GITHUB_ENV
if: success() || failure()
- if: success() || failure()
run: |
echo '${{ env.SCAN_RESULT }}'
- name: Send a saved artifact to a Slack workflow
if: success() || failure()
uses: slackapi/[email protected]
with:
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
webhook-type: webhook-trigger
payload: |
results: >-
${{ env.SCAN_RESULT }}