@@ -56,36 +56,24 @@ phases:
5656 - echo "All Pattern-2 Docker images successfully built and pushed to ECR"
5757 - echo "ECR Repository - $ECR_URI"
5858 - echo "Image Version - $IMAGE_VERSION"
59- - echo "Waiting for vulnerability scans to complete..."
59+ - echo "Note : ECR vulnerability scans initiated (ScanOnPush enabled)"
60+ - echo "Scans will complete asynchronously. Check ECR console for results."
61+ - echo "For accounts with Amazon Inspector Enhanced Scanning, scans may take 10-30 minutes per image."
6062 - |
61- # Wait for and check vulnerability scan results for all images
63+ # Optional: Quick check if any scans have already completed
64+ # This is informational only and does not block the build
6265 IMAGES=("ocr-function" "classification-function" "extraction-function" "assessment-function" "processresults-function" "hitl-wait-function" "hitl-status-update-function" "hitl-process-function" "summarization-function")
66+ echo "Checking scan status (non-blocking)..."
6367 for IMAGE in "${IMAGES[@]}"; do
64- echo "Checking scan results for $IMAGE-$IMAGE_VERSION..."
65- # Wait for scan to complete (max 10 minutes)
66- for i in {1..60}; do
67- SCAN_STATUS=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanStatus.status' --output text 2>/dev/null || echo "IN_PROGRESS")
68- if [ "$SCAN_STATUS" = "COMPLETE" ]; then
69- echo "Scan completed for $IMAGE-$IMAGE_VERSION"
70- # Get vulnerability counts
71- CRITICAL=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanFindings.findingCounts.CRITICAL' --output text 2>/dev/null || echo "0")
72- HIGH=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanFindings.findingCounts.HIGH' --output text 2>/dev/null || echo "0")
73- echo "Vulnerabilities found in $IMAGE-$IMAGE_VERSION: CRITICAL=$CRITICAL, HIGH=$HIGH"
74- # Fail build if critical vulnerabilities found
75- if [ "$CRITICAL" != "0" ] && [ "$CRITICAL" != "None" ]; then
76- echo "ERROR: Critical vulnerabilities found in $IMAGE-$IMAGE_VERSION. Build failed."
77- exit 1
78- fi
79- break
80- elif [ "$SCAN_STATUS" = "FAILED" ]; then
81- echo "WARNING: Vulnerability scan failed for $IMAGE-$IMAGE_VERSION"
82- break
83- fi
84- echo "Scan in progress for $IMAGE-$IMAGE_VERSION... (attempt $i/60)"
85- sleep 10
86- done
87- if [ "$SCAN_STATUS" != "COMPLETE" ]; then
88- echo "WARNING: Scan did not complete within timeout for $IMAGE-$IMAGE_VERSION"
68+ SCAN_STATUS=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanStatus.status' --output text 2>/dev/null || echo "IN_PROGRESS")
69+ if [ "$SCAN_STATUS" = "COMPLETE" ]; then
70+ CRITICAL=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanFindings.findingCounts.CRITICAL' --output text 2>/dev/null || echo "0")
71+ HIGH=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanFindings.findingCounts.HIGH' --output text 2>/dev/null || echo "0")
72+ echo " $IMAGE-$IMAGE_VERSION: COMPLETE - CRITICAL=$CRITICAL, HIGH=$HIGH"
73+ elif [ "$SCAN_STATUS" = "FAILED" ]; then
74+ echo " $IMAGE-$IMAGE_VERSION: FAILED"
75+ else
76+ echo " $IMAGE-$IMAGE_VERSION: IN_PROGRESS"
8977 fi
9078 done
91- - echo "Vulnerability scanning completed for all images "
79+ echo "Build complete. Review scan results in ECR console after scans finish. "
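Review bot: The rewritten for-loop body drops the only enforcement this pipeline had — the removed code exited 1 on a non-zero CRITICAL count, while the new loop only prints the counts, so an image with critical findings now builds, is pushed to ECR and the phase reports success. If the intent is merely to stop blocking on slow asynchronous scans, the gate should move rather than disappear (a separate post-build step or a finding rule outside the build), and at minimum the loop should say so up front, e.g. `# NOTE: scan findings are no longer a build gate; CRITICAL/HIGH counts are printed only — enforce elsewhere`. The informational check is also lossy as written: `|| echo "IN_PROGRESS"` turns any CLI failure (missing ecr:DescribeImageScanFindings permission, wrong repository name, unknown tag) into a fake in-progress status, and the `else` branch hides every status other than COMPLETE/FAILED — accounts with Inspector enhanced scanning, which the new "10-30 minutes" message refers to, appear to report ACTIVE/PENDING rather than COMPLETE, so every image there would print as IN_PROGRESS (worth confirming against the ECR API). Print the real value instead: `SCAN_STATUS=$(... 2>/dev/null || echo "LOOKUP_FAILED")` and, in the else branch, `echo "  $IMAGE-$IMAGE_VERSION: $SCAN_STATUS"`. The enclosing buildspec `phases:` section starts before and ends after this hunk.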