sartography
/
github-actions-library
mirror of https://github.com/sartography/github-actions-library.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
github-actions-library/wait-for-ecr-scan-and-get-s...
History
jasquat 96aedecc60
added test for ecr scan with cvss findings w/ burnettk 		2024-08-20 12:30:51 -04:00
..
bin updated tests for new short description w/ burnettk 2024-08-16 12:07:21 -04:00
pylib added test for ecr scan with cvss findings w/ burnettk 2024-08-20 12:30:51 -04:00
tests added test for ecr scan with cvss findings w/ burnettk 2024-08-20 12:30:51 -04:00
README.md added little generate expected output file snippet in README w/ burnettk 2024-08-19 11:16:09 -04:00
action.yml synced with discoveryedu action w/ burnettk 2024-08-19 11:05:42 -04:00
requirements.txt added wrapper script and a little cleanup w/ burnettk 2024-08-15 17:06:19 -04:00
sarif-schema-2.1.0.json updated json sarif schema w/ burnettk 2024-08-15 14:59:47 -04:00
test_aws_scan_findings_to_sarif.py added test for ecr scan with cvss findings w/ burnettk 2024-08-20 12:30:51 -04:00
wait_for_ecr_scan_and_get_sarif.py more code to wait for image scan to complete w/ burnettk 2024-08-15 17:31:06 -04:00

README.md

Wait for ECR Scan and get Sarif GitHub Action

This action is used for integrating AWS ECR Image Scanning with GitHub security. GitHub security integrates with the Sarif standard, allowing Sarif json files to be uploaded and displayed in the Security tab's code scanning results. The AWS API's describe-image-scan-findings response is not compatible with the Sarif standard. This GitHub action waits for AWS image scanning process to complete on a provided tag, takes the AWS API response from describe-image-scan-findings, and converts it to the standard Sarif format.

Usage

To integrate with your Actions pipeline, specify the name of this repository with a branch or tag number (main is recommended) as a step within your workflow.yml file.

Inside your .github/workflows/workflow.yml file:

steps:
  - uses: discoveryedu/github-actions-library/wait-for-ecr-scan-and-get-sarif@main
    with:
      repository_name: "docker/repo"
      image_tag: "main"
      aws_region: "us-east-2"
      output_file: "report.sarif"

Arguments

This Action supports inputs from the user. These inputs are listed in the table below:

Input Description Required
repository_name ECR repository name *Required
image_tag Docker image tag *Required
aws_region Region, like us-east-1 *Required
output_file File location to place the Sarif output file. It is json, but it sometimes uses the .sarif extension *Required

Example full workflow.yml using this Action

name: "Build container image"
on:
  push:
    branches:
      - main

jobs:
  ecr-scan:
    runs-on: ubuntu-latest

    steps:
      # [Probably build and push image to ECR here]

      - name: Wait for ECR Scan and Get SARIF Report
        uses: sartography/github-actions-library/wait-for-ecr-scan-and-get-sarif@main
        with:
          repository_name: "infr/testcloud2202"
          image_tag: "main"
          aws_region: "us-east-2"
          output_file: "report.sarif"

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: report.sarif
          category: security

Tests

If changing the format of the output, remember to run the generate script to recreate the expected SARIF files.

./wait-for-ecr-scan-and-get-sarif/bin/generate_expected_sarif_files