(feat) add container scanning to PR's

overmindtech · Sep 16, 2024 · 256131d · 256131d
1 parent 6c64366
commit 256131d
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml
@@ -1,5 +1,11 @@
 name: Test & Build
 on: push
+
+# this is for container scanning with aws inspector
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+
 jobs:
   test:
     name: Test
@@ -34,6 +40,30 @@ jobs:
       - name: Test
         run: go test ./...
 
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: "build/package/Dockerfile"
+          push: false
+          tags: app:latest
+          load: true
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: "eu-west-2"
+          role-to-assume: "${{ secrets.AWS_INSPECTOR_ROLE }}"
+
+      - name: Invoke Amazon Inspector Scan
+        id: inspector
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main
+        with:
+          artifact_type: 'container'
+          artifact_path: 'app:latest'
+          display_vulnerability_findings: "enabled"
+          sbomgen_version: "latest"
+
   build:
     name: Build
     runs-on: ubuntu-latest