Update build_and_scan_image.yml #61
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & Scan Container Image | |
| on: [ push ] | |
| jobs: | |
| build: | |
| name: Build docker image | |
| runs-on: ubuntu-latest | |
| # Configura los permisos para habilitar la autenticación con OIDC | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| # checkout the repository containing our Dockerfile | |
| - name: Checkout this repository | |
| uses: actions/checkout@v4 | |
| # Setup prerequisites for docker/build-push-action | |
| - name: Set up docker build prereqs (QEMU) | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up docker build prereqs (Buildx) | |
| uses: docker/setup-buildx-action@v3 | |
| # build the image you wish to scan | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: false | |
| tags: py:latest | |
| load: true | |
| # setup your AWS credentials | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: "us-east-1" | |
| role-to-assume: "arn:aws:iam::066849108148:role/InspectorRoleForGithub" | |
| - name: Scan built image with Inspector | |
| uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1 | |
| id: inspector | |
| with: | |
| artifact_type: 'container' | |
| artifact_path: 'py:latest' # make sure this matches the image you built | |
| critical_threshold: 1 | |
| high_threshold: 1 | |
| medium_threshold: 1 | |
| low_threshold: 1 | |
| other_threshold: 1 | |
| # The following steps illustrate how to | |
| # display scan results in the GitHub Actions job terminal. | |
| - name: Display CycloneDX SBOM (JSON) | |
| run: cat ${{ steps.inspector.outputs.artifact_sbom }} | |
| - name: Display Inspector vulnerability scan results (JSON) | |
| run: cat ${{ steps.inspector.outputs.inspector_scan_results }} | |
| - name: Display Inspector vulnerability scan results (CSV) | |
| run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }} | |
| - name: Display Inspector vulnerability scan results (Markdown) | |
| run: cat ${{ steps.inspector.outputs.inspector_scan_results_markdown }} | |
| # The following steps illustrate how to | |
| # upload scan results as a GitHub actions job artifact | |
| - name: Upload Scan Results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: Inspector Vulnerability Scan Artifacts | |
| path: | | |
| ${{ steps.inspector.outputs.inspector_scan_results }} | |
| ${{ steps.inspector.outputs.inspector_scan_results_csv }} | |
| ${{ steps.inspector.outputs.artifact_sbom }} | |
| ${{ steps.inspector.outputs.inspector_scan_results_markdown }} | |
| # This step illustrates how to add custom logic if | |
| # the vulnerability threshold is exceeded. This example | |
| # simply prints the 'vulnerability_threshold_exceeded' value | |
| # to the GitHub actions job terminal. | |
| # Replace 'echo' with 'exit' if you want to fail the job. | |
| - name: On vulnerability threshold exceeded | |
| run: echo ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} | |
| #test | |