From f6a3893c26ecc2501a0c5540a24ea9d45fabc405 Mon Sep 17 00:00:00 2001
From: TP Honey
Date: Mon, 16 Sep 2024 15:35:14 +0100
Subject: [PATCH] (feat) add container scanning to PR's

---
 .github/workflows/test-build.yml | 43 ++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml
index 4f4f2b9..1eab67c 100644
--- a/.github/workflows/test-build.yml
+++ b/.github/workflows/test-build.yml
@@ -1,5 +1,6 @@
 name: Test & Build
 on: push
+
 jobs:
 test:
 name: Test
@@ -34,12 +35,54 @@ jobs:
 - name: Test
 run: go test ./...
+ scan-container:
+ name: Scan Container
+ runs-on: depot-ubuntu-24.04
+ # this is for container scanning with aws inspector
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout@v2
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # also fetch tags and branches for `git describe`
+
+ - uses: depot/setup-action@v1
+
+ - name: Build Docker image
+ uses: depot/build-push-action@v1
+ with:
+ project: xnsnw3m20t
+ context: .
+ file: "build/package/Dockerfile"
+ push: false
+ tags: app:latest
+ load: true
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: "eu-west-2"
+ role-to-assume: "${{ secrets.AWS_INSPECTOR_ROLE }}"
+
+ - name: Invoke Amazon Inspector Scan
+ id: inspector
+ uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main
+ with:
+ artifact_type: 'container'
+ artifact_path: 'app:latest'
+ display_vulnerability_findings: "enabled"
+ sbomgen_version: "latest"
+
 build:
 name: Build
 runs-on: ubuntu-latest
 if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
 needs:
 - test
+ - scan-container
 permissions:
 contents: read # required for checkout
 id-token: write # mint AWS credentials through OIDC
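Review bot: The scan step `uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main` runs after the configure-aws-credentials step, so whatever is on that branch at run time executes with the AWS session assumed through this job's `id-token: write` grant and `AWS_INSPECTOR_ROLE`; a mutable branch reference on a third-party action holding cloud credentials is the classic supply-chain foothold, so pin it to a release tag or, better, a full commit SHA, and `sbomgen_version: "latest"` is the same pattern for the scanner binary (the `depot/*@v1` and `@v4` tags would benefit from SHA pinning too). No failure threshold is configured on the Inspector step, so as far as the visible inputs show the new `needs: - scan-container` edge on `build` only blocks a release when the scan itself errors, not when it reports findings; if the intent is to gate on vulnerabilities, add the action's threshold inputs alongside `display_vulnerability_findings`. The subject says the scan is for PRs, but the trigger remains `on: push` (hunk 1 only adds a blank line), so the job will not run on pull_request events, and for fork PRs the OIDC token and the secret would be unavailable anyway, which is worth noting in a comment next to `on: push`.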