From fb299b799d5aa1be230294c5d5e87a453f209d92 Mon Sep 17 00:00:00 2001
From: Steven Quan
Date: Thu, 21 Mar 2024 11:27:39 +0000
Subject: [PATCH 1/9] feat/(TECH): initial commit ecr scan results action
---
Dockerfile | 1 +
action.yml | 44 +++++++++++++++++++++++++++------
scripts/gh-utils.sh | 26 ++++++++++++++++++++
scripts/script.sh | 60 +++++++++++++++++++++++++++++++--------------
4 files changed, 105 insertions(+), 26 deletions(-)
create mode 100644 scripts/gh-utils.sh
diff --git a/Dockerfile b/Dockerfile
index b7eb09c..caaaf1c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,7 @@ ENV LOG_TIMESTAMPED "true"
 ENV DEBUG_MODE "false"
 COPY scripts/utils.sh .
+COPY scripts/gh-utils.sh .
 COPY scripts/script.sh .
 ENTRYPOINT ["/scripts/script.sh"]
diff --git a/action.yml b/action.yml
index f55c3c9..477882d 100644
--- a/action.yml
+++ b/action.yml
@@ -1,9 +1,9 @@
-name: Some action # TODO(user): Replace this with your action name
+name: ECR Scan
 branding:
 icon: arrow-right-circle
 color: gray-dark
-description: | # TODO(user): replace this with your action description
- This action does something
+description: |
+ This action scans ecr scan result and reports results back to pr
 inputs:
 debug-mode:
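Review bot: The new description `This action scans ecr scan result and reports results back to pr` reads as a draft and does not tell a caller what the action actually does; per scripts/script.sh in this patch it reads the finding-severity counts of an existing ECR image scan for a repository and tag and posts them as a pull-request comment. Suggested wording: `Reads the finding-severity counts of an existing ECR image scan for the given repository and tag and posts them as a comment on the pull request.` It is also worth stating here that the scan must already have run, since nothing in the patched scripts starts one; they only call `describe-image-scan-findings`.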
@@ -18,15 +18,38 @@ inputs:
 description: Set to true in order to enable timestamps on log messages
 required: false
 default: 'true'
- # TODO(user): Specify your inputs here
- input-name:
- description: Some input description
+ repo-org:
+ description: Github Org to use for PR comment
 required: true
+ repo-name:
+ description: Github Repo Name to use for PR comment
+ required: true
+ pr-number:
+ description: PR number to be used for PR comment
+ required: true
+ aws-account-id:
+ description: AWS account ID to use for ECR repo
+ required: true
+ ecr-repo-name:
+ description: AWS ECR Repo Name to use to view scan
+ required: true
+ ecr-repo-tag:
+ description: AWS ECR Repo image tag to use to view scan
+ required: true
+ use-alpha:
+ description: AWS ECR Repo Alpha image
+ required: true
+ default: 'false'
+
+
 # TODO(user): Define your outputs here
 outputs:
 some-output:
 description: 'Some output description'
+ some-output:
+ description: 'Some output description'
+ some-output:
+ description: 'Some output description'
 runs:
 using: 'docker'
@@ -35,5 +58,10 @@ runs:
 DEBUG_MODE: ${{ inputs.debug-mode }}
 LOG_LEVEL: ${{ inputs.log-level }}
 LOG_TIMESTAMPED: ${{ inputs.log-timestamped }}
- # TODO(user): Define your environment variables here
- SOME_INPUT: ${{ inputs.input-name }}
+ REPO_ORG: ${{ inputs.repo-org }}
+ REPO_NAME: ${{ inputs.repo-name }}
+ PR_NUMBER: ${{ inputs.pr-number }}
+ AWS_ACCOUNT_ID: ${{ inputs.aws-account-id }}
+ ECR_REPO_NAME: ${{ inputs.ecr-repo-name }}
+ ECR_REPO_TAG: ${{ inputs.ecr-repo-tag }}
+ USE_ALPHA_REGISTRY: ${{ inputs.use-alpha }}
diff --git a/scripts/gh-utils.sh b/scripts/gh-utils.sh
new file mode 100644
index 0000000..aff8c4a
--- /dev/null
+++ b/scripts/gh-utils.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+# The `comment_on_pull_request` function pushes a comment to a pull request.
+function comment_on_pull_request() {
+ _repo_org="${1}"
+ _repo_name="${2}"
+ _pr_number="${3}"
+ _comment_body="${4}"
+ _delete_previous_comments="${5}"
+ _comment_id="${6}"
+
+ if [[ "$(check_bool "${_delete_previous_comments}")" ]]; then
+ if [[ -z "${_comment_id}" ]]; then
+ log_out "No comment id was provided for deleting previous comments. Aborting." "FATAL" 1
+ else
+ delete_previous_comments "${_repo_org}" "${_repo_name}" "${_pr_number}"
+ fi
+ fi
+
+ log_out "Commenting on ${_repo_org}/${_repo_name}#${_pr_number}"
+ if [[ -z "${_comment_id}" ]]; then
+ printf "%s" "${_comment_body}" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
+ else
+ printf "%s \n %s" "$(get_formatted_comment_id "${_comment_id}")" "${_comment_body}" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
+ fi
+}
\ No newline at end of file
diff --git a/scripts/script.sh b/scripts/script.sh
index 068071c..81aba3a 100755
--- a/scripts/script.sh
+++ b/scripts/script.sh
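Review bot: The exit status of `gh pr comment` is never checked in either branch of `comment_on_pull_request`, so a failed post (missing or under-scoped `GH_TOKEN`, an unresolvable PR selector, a network error) returns normally and the caller carries on; unless utils.sh enables `set -e`, which this series does not show, the action would finish green without a comment. Appending `|| log_fatal "Failed to comment on ${_repo_org}/${_repo_name}#${_pr_number}"` to both `gh pr comment ... -F -` lines makes the failure visible, and a `check_env_var "GH_TOKEN"` at the top of the function gives a clearer error than gh's own. `delete_previous_comments` and `get_formatted_comment_id` are called but defined nowhere in this patch series, and `delete_previous_comments` is not handed `_comment_id` even though the guard just above refuses to run without one — presumably it selects comments by that marker, so the call looks incomplete and should be confirmed against utils.sh.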
@@ -1,25 +1,49 @@
 #!/usr/bin/env bash
+#!/usr/bin/env bash
+
+. "$(dirname "$0")/utils/script-utils.sh"
+. "$(dirname "$0")/utils/gh-utils.sh"
-. "$(dirname "$0")/utils.sh"
+check_env_var "REPO_ORG"
+check_env_var "REPO_NAME"
+check_env_var "PR_NUMBER"
+check_env_var "AWS_ACCOUNT_ID"
+check_env_var "ECR_REPO_NAME"
+check_env_var "ECR_REPO_TAG"
+check_env_var "USE_ALPHA_REGISTRY"
-# Your action logic goes here
+if [[ "$(check_bool "${USE_ALPHA_REGISTRY}")" ]]; then
+ _scan_repo_name="alpha-image/${ECR_REPO_NAME}"
+else
+ _scan_repo_name="image/${ECR_REPO_NAME}"
+fi
+_scan_repo_link="https://eu-central-1.console.aws.amazon.com/ecr/repositories/private/${AWS_ACCOUNT_ID}/${_scan_repo_name}"
-# TODO(user): Use this helper function to check if a required env variable is set or not
-check_env_var "SOME_INPUT"
+log_info "Fetching scan results from ECR"
+log_debug "repo=\"${_scan_repo_name}\" | imageTag=\"${ECR_REPO_TAG}\""
+_scan_results="$(aws ecr describe-image-scan-findings --repository-name "${_scan_repo_name}" --image-id="imageTag=${ECR_REPO_TAG}" | jq '.imageScanFindings.findingSeverityCounts // {}')"
-# TODO(user): Use the `check_bool` helper function to check for bool values
-if [[ "$(check_bool "true")" ]]; then
- # TODO(user): Use the `log_out` helper function to log messages
- log_out "hello world" "INFO"
- # The following are some handy logging functions
- log_debug "This is a DEBUG log"
- log_info "This is a INFO log"
- log_warning "This is a WARNING log"
- log_error "This is a ERROR log"
- log_fatal "This is a FATAL log" # <- This one exists with an error
- log_fatal "This is a FATAL log with custom exit code" 5 # <- This one exists with an error
- log_out "This is a custom log message that exits with code 10" "FATAL" 10
+_scan_results_comment=""
+if [[ "${_scan_results}" == "{}" ]]; then
+ log_info "Did not find any vulnerabilities on the ECR repo."
+ echo ":tada: Did not find any vulnerabilities in [${_scan_repo_name}](${_scan_repo_link}). 
Good job :+1:" >>"${_scan_results_comment}"
+else
+ log_info "Found vulnerabilities on ECR."
+ {
+ echo ":warning: Found the following number of vulnerabilities on [${_scan_repo_name}](${_scan_repo_link}):"
+ echo "- type \`CRITICAL\`: **$(echo "${_scan_results}" | jq '.CRITICAL // 0')**"
+ echo "- type \`HIGH\`: **$(echo "${_scan_results}" | jq '.HIGH // 0')**"
+ echo "- type \`MEDIUM\`: **$(echo "${_scan_results}" | jq '.MEDIUM // 0')**"
+ echo "- type \`LOW\`: **$(echo "${_scan_results}" | jq '.LOW // 0')**"
+ echo "- type \`UNDEFINED\`: **$(echo "${_scan_results}" | jq '.UNDEFINED // 0')**"
+ echo "- type \`INFORMATIONAL\`: **$(echo "${_scan_results}" | jq '.INFORMATIONAL // 0')**"
+ } >>"${_scan_results_comment}"
 fi
-# TODO(user): This is how to output something to GH actions
-echo "some-output=HelloThereGeneralKenobi" >>"${GITHUB_OUTPUT}"
+comment_on_pull_request "${REPO_ORG}" \
+ "${REPO_NAME}" \
+ "${PR_NUMBER}" \
+ "${_scan_results_comment}" \
+ "true" \
+ "scan-results:${_scan_repo_name}"
+
\ No newline at end of file
From 4ab4dd23dfb0b46459d3a1329958698770c6850d Mon Sep 17 00:00:00 2001
From: Steven Quan
Date: Thu, 21 Mar 2024 11:30:07 +0000
Subject: [PATCH 2/9] pre-commit fix
---
scripts/gh-utils.sh | 2 +-
scripts/script.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/gh-utils.sh b/scripts/gh-utils.sh
index aff8c4a..036ff1e 100644
--- a/scripts/gh-utils.sh
+++ b/scripts/gh-utils.sh
@@ -23,4 +23,4 @@ function comment_on_pull_request() {
 else
 printf "%s \n %s" "$(get_formatted_comment_id "${_comment_id}")" "${_comment_body}" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
 fi
-}
\ No newline at end of file
+}
diff --git a/scripts/script.sh b/scripts/script.sh
index 81aba3a..5ea64cb 100755
--- a/scripts/script.sh
+++ b/scripts/script.sh
@@ -46,4 +46,4 @@ comment_on_pull_request "${REPO_ORG}" \
 "${_scan_results_comment}" \
 "true" \
 "scan-results:${_scan_repo_name}"
-
\ No newline at end of file
+
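Review bot: `>>"${_scan_results_comment}"` in both branches redirects into a file whose name is the empty string, because `_scan_results_comment` has just been set to `""`; bash rejects that redirect, the variable is never filled, and `comment_on_pull_request` is handed an empty body either way. The `// {}` fallback on the jq filter is a second problem: a response with no `findingSeverityCounts` — a scan still in progress, failed, or never run — also produces `{}` and so the `:tada:` no-vulnerabilities comment, a false clean result, and a failing `aws` call leaves `_scan_results` empty instead of `{}` and falls through to the else branch with blank counts because nothing checks the pipeline status. The response's `imageScanStatus.status` should be `COMPLETE` before an empty count map is trusted. The rewrite below builds the body in the variable, checks the call and the scan status, and uses `log_fatal`, the helper the removed template lines show; the AWS call runs in the ambient region and account (`AWS_ACCOUNT_ID` is only used in the console link, which also hard-codes `eu-central-1`), so if the image lives in another account a `--registry-id "${AWS_ACCOUNT_ID}"` is needed as well.

```shell
_scan_json="$(aws ecr describe-image-scan-findings --repository-name "${_scan_repo_name}" --image-id="imageTag=${ECR_REPO_TAG}")" \
  || log_fatal "describe-image-scan-findings failed for ${_scan_repo_name}:${ECR_REPO_TAG}"
_scan_status="$(echo "${_scan_json}" | jq -r '.imageScanStatus.status // "UNKNOWN"')"
[[ "${_scan_status}" == "COMPLETE" ]] \
  || log_fatal "Scan status for ${_scan_repo_name}:${ECR_REPO_TAG} is ${_scan_status}, not COMPLETE; refusing to report it as clean"
_scan_results="$(echo "${_scan_json}" | jq '.imageScanFindings.findingSeverityCounts // {}')"

_scan_results_comment=""
if [[ "${_scan_results}" == "{}" ]]; then
  log_info "Did not find any vulnerabilities on the ECR repo."
  _scan_results_comment=":tada: Did not find any vulnerabilities in [${_scan_repo_name}](${_scan_repo_link}). Good job :+1:"
else
  log_info "Found vulnerabilities on ECR."
  _scan_results_comment="$(
    echo ":warning: Found the following number of vulnerabilities on [${_scan_repo_name}](${_scan_repo_link}):"
    # … unchanged: the six per-severity echo lines …
  )"
fi
# … unchanged: comment_on_pull_request call …
```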
From bde38bff85d39ec246692444353fd7d1fb53681c Mon Sep 17 00:00:00 2001
From: Steven Quan
Date: Thu, 21 Mar 2024 12:02:57 +0000
Subject: [PATCH 3/9] updating due to requested changes
---
action.yml | 24 +----------------------
scripts/script.sh | 8 ++++----
2 files changed, 5 insertions(+), 27 deletions(-)
diff --git a/action.yml b/action.yml
index 477882d..bf8ba35 100644
--- a/action.yml
+++ b/action.yml
@@ -18,15 +18,6 @@ inputs:
 description: Set to true in order to enable timestamps on log messages
 required: false
 default: 'true'
- repo-org:
- description: Github Org to use for PR comment
- required: true
- repo-name:
- description: Github Repo Name to use for PR comment
- required: true
- pr-number:
- description: PR number to be used for PR comment
- required: true
 aws-account-id:
 description: AWS account ID to use for ECR repo
 required: true
@@ -39,17 +30,7 @@ inputs:
 use-alpha:
 description: AWS ECR Repo Alpha image
 required: true
- default: 'false'
-
-
-# TODO(user): Define your outputs here
-outputs:
- some-output:
- description: 'Some output description'
- some-output:
- description: 'Some output description'
- some-output:
- description: 'Some output description'
+ default: 'true'
 runs:
 using: 'docker'
@@ -58,9 +39,6 @@ runs:
 DEBUG_MODE: ${{ inputs.debug-mode }}
 LOG_LEVEL: ${{ inputs.log-level }}
 LOG_TIMESTAMPED: ${{ inputs.log-timestamped }}
- REPO_ORG: ${{ inputs.repo-org }}
- REPO_NAME: ${{ inputs.repo-name }}
- PR_NUMBER: ${{ inputs.pr-number }}
 AWS_ACCOUNT_ID: ${{ inputs.aws-account-id }}
 ECR_REPO_NAME: ${{ inputs.ecr-repo-name }}
 ECR_REPO_TAG: ${{ inputs.ecr-repo-tag }}
diff --git a/scripts/script.sh b/scripts/script.sh
index 5ea64cb..94eca73 100755
--- a/scripts/script.sh
+++ b/scripts/script.sh
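Review bot: After this change action.yml still declares no way for the GitHub token that `gh pr comment` (scripts/gh-utils.sh) needs, or the AWS credentials that `aws ecr describe-image-scan-findings` needs, to reach the container; `runs.env` forwards only the action's own inputs, so as far as this series shows the workflow has to export `GH_TOKEN` and the AWS variables as step `env`, and nothing here says so or names the `pull-requests: write` permission the token must carry. Making the contract explicit is two lines: `github-token: { description: "Token with pull-requests:write, used to post the scan comment", required: true }` under `inputs`, and `GH_TOKEN: ${{ inputs.github-token }}` under `runs.env`. Separately, `use-alpha` now defaults to `'true'` while its description remains `AWS ECR Repo Alpha image`; saying which registry prefix each value selects (`alpha-image/` versus `image/`, per scripts/script.sh) would stop callers from scanning the wrong repository by omission.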
@@ -4,9 +4,9 @@
 . "$(dirname "$0")/utils/script-utils.sh"
 . "$(dirname "$0")/utils/gh-utils.sh"
-check_env_var "REPO_ORG"
-check_env_var "REPO_NAME"
-check_env_var "PR_NUMBER"
+REPO_ORG=${GITHUB_REPOSITORY_OWNER}
+REPO_NAME=$(echo "${GITHUB_REPOSITORY}" |cut -d "/" -f2)
+PR_NUMBER=${GITHUB_SHA}
 check_env_var "AWS_ACCOUNT_ID"
 check_env_var "ECR_REPO_NAME"
 check_env_var "ECR_REPO_TAG"
@@ -46,4 +46,4 @@ comment_on_pull_request "${REPO_ORG}" \
 "${_scan_results_comment}" \
 "true" \
 "scan-results:${_scan_repo_name}"
-
+
\ No newline at end of file
From 6b8ec3179c1b0fe4e161cb5c9a4605baf6b4ea56 Mon Sep 17 00:00:00 2001
From: Steven Quan
Date: Thu, 21 Mar 2024 12:04:20 +0000
Subject: [PATCH 4/9] removing extra declare
---
scripts/script.sh | 1 -
1 file changed, 1 deletion(-)
diff --git a/scripts/script.sh b/scripts/script.sh
index 94eca73..a8d3e3d 100755
--- a/scripts/script.sh
+++ b/scripts/script.sh
@@ -1,5 +1,4 @@
 #!/usr/bin/env bash
-#!/usr/bin/env bash
 . "$(dirname "$0")/utils/script-utils.sh"
 . "$(dirname "$0")/utils/gh-utils.sh"
From 8ab0ab2d665b28a2f872146ea9e21050014f0831 Mon Sep 17 00:00:00 2001
From: Steven Quan
Date: Thu, 21 Mar 2024 12:05:46 +0000
Subject: [PATCH 5/9] correcting path for source scripts
---
scripts/script.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/script.sh b/scripts/script.sh
index a8d3e3d..ce5da3e 100755
--- a/scripts/script.sh
+++ b/scripts/script.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
-. "$(dirname "$0")/utils/script-utils.sh"
-. "$(dirname "$0")/utils/gh-utils.sh"
+. "$(dirname "$0")/utils.sh"
+. "$(dirname "$0")gh-utils.sh"
 REPO_ORG=${GITHUB_REPOSITORY_OWNER}
 REPO_NAME=$(echo "${GITHUB_REPOSITORY}" |cut -d "/" -f2)
From f3e94edff63111dd32bdaafd1f6d7f8b7740ccb8 Mon Sep 17 00:00:00 2001
From: Steven Quan
Date: Thu, 21 Mar 2024 12:13:29 +0000
Subject: [PATCH 6/9] pre-commit fix
---
scripts/script.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
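Review bot: `PR_NUMBER=${GITHUB_SHA}` stores a commit SHA where `comment_on_pull_request` expects a pull-request number; the value ends up as the selector in `gh pr comment "${_pr_number}"` (scripts/gh-utils.sh), and a SHA is neither a number, a URL nor a branch, so the comment step cannot resolve the PR and no later patch in this series corrects it. The number is in the event payload: `PR_NUMBER="$(jq -r '.pull_request.number // empty' "${GITHUB_EVENT_PATH}")"` (jq is added to the image in patch 8). Deleting the three `check_env_var` calls also removed the only guard that these values are non-empty, which matters on non-PR triggers where `.pull_request` is absent; a `[[ -n "${PR_NUMBER}" ]] || log_fatal "Not running on a pull_request event; no PR number available"` after the assignment restores it without depending on how check_env_var resolves its argument.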
diff --git a/scripts/script.sh b/scripts/script.sh
index ce5da3e..24a659b 100755
--- a/scripts/script.sh
+++ b/scripts/script.sh
@@ -45,4 +45,4 @@ comment_on_pull_request "${REPO_ORG}" \
 "${_scan_results_comment}" \
 "true" \
 "scan-results:${_scan_repo_name}"
-
\ No newline at end of file
+
From 1cb5e5c9413bd49a3eb67ffdf96d51ff3b513003 Mon Sep 17 00:00:00 2001
From: Steven Quan
Date: Thu, 21 Mar 2024 12:29:02 +0000
Subject: [PATCH 7/9] fix suggestions
---
action.yml | 2 +-
scripts/script.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/action.yml b/action.yml
index bf8ba35..99aea76 100644
--- a/action.yml
+++ b/action.yml
@@ -29,7 +29,7 @@ inputs:
 required: true
 use-alpha:
 description: AWS ECR Repo Alpha image
- required: true
+ required: false
 default: 'true'
 runs:
diff --git a/scripts/script.sh b/scripts/script.sh
index 24a659b..d63f727 100755
--- a/scripts/script.sh
+++ b/scripts/script.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 . "$(dirname "$0")/utils.sh"
-. "$(dirname "$0")gh-utils.sh"
+. "$(dirname "$0")/gh-utils.sh"
 REPO_ORG=${GITHUB_REPOSITORY_OWNER}
 REPO_NAME=$(echo "${GITHUB_REPOSITORY}" |cut -d "/" -f2)
From 0190a5afa3f252828ae052e0a1ffdb36779d0b81 Mon Sep 17 00:00:00 2001
From: Steven Quan
Date: Thu, 21 Mar 2024 13:57:16 +0000
Subject: [PATCH 8/9] fixing docker file
---
Dockerfile | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index caaaf1c..00db800 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,15 @@
 ARG ALPINE_VERSION="3.19"
-ARG BASH_VERSION="5.2.26-r0"
-
 FROM alpine:${ALPINE_VERSION}
+ARG BASH_VERSION="5"
+ARG AWS_CLI_VERSION="2"
+
 WORKDIR /scripts
 RUN apk update --no-cache; \
 apk upgrade --no-cache; \
- apk add --no-cache bash=${BASH_VERSION}; \
+ apk add --no-cache bash~=${BASH_VERSION} aws-cli~=${AWS_CLI_VERSION} jq curl; \
 rm -rf /var/cache/apk/*
 ENV LOG_LEVEL "INFO"
From 306ac724d1ded53b587c472642de3bb1b6819723 Mon Sep 17 00:00:00 2001
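Review bot: `bash~=${BASH_VERSION}` with `BASH_VERSION="5"` replaces the exact `bash=5.2.26-r0` pin with a major-version-only match, and `aws-cli~=2` follows the same pattern; together with the `apk upgrade --no-cache` already in this RUN, the installed package set floats with whatever the Alpine 3.19 index holds at build time, so two builds of the same commit can contain different binaries and a routine rebuild can silently move to a different aws-cli. If exact `pkg=x.y.z-rN` pins are judged too brittle (Alpine tends to drop superseded versions from a release branch's index, which breaks exact pins), the reproducible alternative is to pin the base by digest, `FROM alpine:${ALPINE_VERSION}@sha256:<digest>`, and drop the `apk upgrade` line, which then has nothing useful to do. Whichever policy is chosen deserves a one-line comment above the RUN so the next version bump is deliberate rather than accidental.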
From: Steven Quan
Date: Thu, 21 Mar 2024 14:18:40 +0000
Subject: [PATCH 9/9] pinning jq and curl
---
Dockerfile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 00db800..9705431 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,12 +4,14 @@ FROM alpine:${ALPINE_VERSION}
 ARG BASH_VERSION="5"
 ARG AWS_CLI_VERSION="2"
+ARG JQ_VERSION="1"
+ARG CURL_VERSION="8"
 WORKDIR /scripts
 RUN apk update --no-cache; \
 apk upgrade --no-cache; \
- apk add --no-cache bash~=${BASH_VERSION} aws-cli~=${AWS_CLI_VERSION} jq curl; \
+ apk add --no-cache bash~=${BASH_VERSION} aws-cli~=${AWS_CLI_VERSION} jq~=${JQ_VERSION} curl~=${CURL_VERSION} ; \
 rm -rf /var/cache/apk/*
 ENV LOG_LEVEL "INFO"
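Review bot: The package list still lacks the GitHub CLI, yet scripts/gh-utils.sh (patch 1) runs `gh pr comment` and the `alpine:3.19` base does not ship `gh`; unless the runtime supplies it some way not visible in this series, the comment step fails with `gh: command not found` only after the ECR query has already succeeded. Alpine packages it as `github-cli` (community repository, which the official image enables by default), so the line would read `apk add --no-cache bash~=${BASH_VERSION} aws-cli~=${AWS_CLI_VERSION} github-cli~=${GH_CLI_VERSION} jq~=${JQ_VERSION} curl~=${CURL_VERSION}; \` with a matching `ARG GH_CLI_VERSION="2"` beside the others. Conversely, nothing in the patched scripts invokes `curl` — they call `aws`, `jq` and `gh` — so it appears to be an extra binary in the action image with no caller and can be dropped if that holds. The missing `USER` is deliberate-looking and acceptable here: GitHub's Docker-action guidance is to stay root so `GITHUB_WORKSPACE` remains writable, which is worth noting in a comment so a later reviewer does not "fix" it.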