Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(TECH): gh action ecr scan results #1

Merged
merged 9 commits into from
Mar 21, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 7 additions & 3 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,21 +1,25 @@
ARG ALPINE_VERSION="3.19"

ARG BASH_VERSION="5.2.26-r0"

FROM alpine:${ALPINE_VERSION}

ARG BASH_VERSION="5"
ARG AWS_CLI_VERSION="2"
ARG JQ_VERSION="1"
ARG CURL_VERSION="8"

WORKDIR /scripts

RUN apk update --no-cache; \
apk upgrade --no-cache; \
apk add --no-cache bash=${BASH_VERSION}; \
apk add --no-cache bash~=${BASH_VERSION} aws-cli~=${AWS_CLI_VERSION} jq~=${JQ_VERSION} curl~=${CURL_VERSION} ; \
rm -rf /var/cache/apk/*

ENV LOG_LEVEL "INFO"
ENV LOG_TIMESTAMPED "true"
ENV DEBUG_MODE "false"

COPY scripts/utils.sh .
COPY scripts/gh-utils.sh .
COPY scripts/script.sh .

ENTRYPOINT ["/scripts/script.sh"]
32 changes: 19 additions & 13 deletions action.yml
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
name: Some action # TODO(user): Replace this with your action name
name: ECR Scan
branding:
icon: arrow-right-circle
color: gray-dark
description: | # TODO(user): replace this with your action description
This action does something
description: |
This action scans ecr scan result and reports results back to pr

inputs:
debug-mode:
Expand All @@ -18,15 +18,19 @@ inputs:
description: Set to true in order to enable timestamps on log messages
required: false
default: 'true'
# TODO(user): Specify your inputs here
input-name:
description: Some input description
aws-account-id:
description: AWS account ID to use for ECR repo
required: true

# TODO(user): Define your outputs here
outputs:
some-output:
description: 'Some output description'
ecr-repo-name:
description: AWS ECR Repo Name to use to view scan
required: true
ecr-repo-tag:
description: AWS ECR Repo image tag to use to view scan
required: true
use-alpha:
description: AWS ECR Repo Alpha image
required: false
default: 'true'

runs:
using: 'docker'
Expand All @@ -35,5 +39,7 @@ runs:
DEBUG_MODE: ${{ inputs.debug-mode }}
LOG_LEVEL: ${{ inputs.log-level }}
LOG_TIMESTAMPED: ${{ inputs.log-timestamped }}
# TODO(user): Define your environment variables here
SOME_INPUT: ${{ inputs.input-name }}
AWS_ACCOUNT_ID: ${{ inputs.aws-account-id }}
ECR_REPO_NAME: ${{ inputs.ecr-repo-name }}
ECR_REPO_TAG: ${{ inputs.ecr-repo-tag }}
USE_ALPHA_REGISTRY: ${{ inputs.use-alpha }}
26 changes: 26 additions & 0 deletions scripts/gh-utils.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
#!/usr/bin/env bash

# The `comment_on_pull_request` function pushes a comment to a pull request.
function comment_on_pull_request() {
_repo_org="${1}"
_repo_name="${2}"
_pr_number="${3}"
_comment_body="${4}"
_delete_previous_comments="${5}"
_comment_id="${6}"

if [[ "$(check_bool "${_delete_previous_comments}")" ]]; then
if [[ -z "${_comment_id}" ]]; then
log_out "No comment id was provided for deleting previous comments. Aborting." "FATAL" 1
else
delete_previous_comments "${_repo_org}" "${_repo_name}" "${_pr_number}"
fi
fi

log_out "Commenting on ${_repo_org}/${_repo_name}#${_pr_number}"
if [[ -z "${_comment_id}" ]]; then
printf "%s" "${_comment_body}" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
else
printf "%s \n %s" "$(get_formatted_comment_id "${_comment_id}")" "${_comment_body}" | gh pr comment "${_pr_number}" -R "${_repo_org}/${_repo_name}" -F -
fi
}
57 changes: 40 additions & 17 deletions scripts/script.sh
Original file line number Diff line number Diff line change
@@ -1,25 +1,48 @@
#!/usr/bin/env bash

. "$(dirname "$0")/utils.sh"
. "$(dirname "$0")/gh-utils.sh"

# Your action logic goes here
REPO_ORG=${GITHUB_REPOSITORY_OWNER}
REPO_NAME=$(echo "${GITHUB_REPOSITORY}" |cut -d "/" -f2)
PR_NUMBER=${GITHUB_SHA}
check_env_var "AWS_ACCOUNT_ID"
check_env_var "ECR_REPO_NAME"
check_env_var "ECR_REPO_TAG"
check_env_var "USE_ALPHA_REGISTRY"

# TODO(user): Use this helper function to check if a required env variable is set or not
check_env_var "SOME_INPUT"
if [[ "$(check_bool "${USE_ALPHA_REGISTRY}")" ]]; then
_scan_repo_name="alpha-image/${ECR_REPO_NAME}"
else
_scan_repo_name="image/${ECR_REPO_NAME}"
fi
_scan_repo_link="https://eu-central-1.console.aws.amazon.com/ecr/repositories/private/${AWS_ACCOUNT_ID}/${_scan_repo_name}"

log_info "Fetching scan results from ECR"
log_debug "repo=\"${_scan_repo_name}\" | imageTag=\"${ECR_REPO_TAG}\""
_scan_results="$(aws ecr describe-image-scan-findings --repository-name "${_scan_repo_name}" --image-id="imageTag=${ECR_REPO_TAG}" | jq '.imageScanFindings.findingSeverityCounts // {}')"

# TODO(user): Use the `check_bool` helper function to check for bool values
if [[ "$(check_bool "true")" ]]; then
# TODO(user): Use the `log_out` helper function to log messages
log_out "hello world" "INFO"
# The following are some handy logging functions
log_debug "This is a DEBUG log"
log_info "This is a INFO log"
log_warning "This is a WARNING log"
log_error "This is a ERROR log"
log_fatal "This is a FATAL log" # <- This one exists with an error
log_fatal "This is a FATAL log with custom exit code" 5 # <- This one exists with an error
log_out "This is a custom log message that exits with code 10" "FATAL" 10
_scan_results_comment=""
if [[ "${_scan_results}" == "{}" ]]; then
log_info "Did not find any vulnerabilities on the ECR repo."
echo ":tada: Did not find any vulnerabilities in [${_scan_repo_name}](${_scan_repo_link}). Good job :+1:" >>"${_scan_results_comment}"
else
log_info "Found vulnerabilities on ECR."
{
echo ":warning: Found the following number of vulnerabilities on [${_scan_repo_name}](${_scan_repo_link}):"
echo "- type \`CRITICAL\`: **$(echo "${_scan_results}" | jq '.CRITICAL // 0')**"
echo "- type \`HIGH\`: **$(echo "${_scan_results}" | jq '.HIGH // 0')**"
echo "- type \`MEDIUM\`: **$(echo "${_scan_results}" | jq '.MEDIUM // 0')**"
echo "- type \`LOW\`: **$(echo "${_scan_results}" | jq '.LOW // 0')**"
echo "- type \`UNDEFINED\`: **$(echo "${_scan_results}" | jq '.UNDEFINED // 0')**"
echo "- type \`INFORMATIONAL\`: **$(echo "${_scan_results}" | jq '.INFORMATIONAL // 0')**"
} >>"${_scan_results_comment}"
fi

# TODO(user): This is how to output something to GH actions
echo "some-output=HelloThereGeneralKenobi" >>"${GITHUB_OUTPUT}"
comment_on_pull_request "${REPO_ORG}" \
"${REPO_NAME}" \
"${PR_NUMBER}" \
"${_scan_results_comment}" \
"true" \
"scan-results:${_scan_repo_name}"