Merge pull request #32 from pablitoc/master

Added ability to enable Image Scanning
kciter · Jul 7, 2021 · ad76cf4 · Dovchik · Jul 7, 2021 · ad76cf4
2 parents 79255b7 + 0865f71
commit ad76cf4
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -13,6 +13,7 @@ This Action allows you to create Docker images and push into a ECR repository.
 | `create_repo` | `boolean` | `false` | Set this to true to create the repository if it does not already exist |
 | `set_repo_policy` | `boolean` | `false` | Set this to true to set a IAM policy on the repository |
 | `repo_policy_file` | `string` | `repo-policy.json` | Set this to repository policy statement json file. only used if the set_repo_policy is set to true |
+| `image_scanning_configuration:` | `boolean` | `false` | Set this to True if you want AWS to scan your images for vulnerabilities |
 | `tags` | `string` | `latest` | Comma-separated string of ECR image tags (ex latest,1.0.0,) |
 | `dockerfile` | `string` | `Dockerfile` | Name of Dockerfile to use |
 | `extra_build_args` | `string` | `""` | Extra flags to pass to docker build (see docs.docker.com/engine/reference/commandline/build) |

diff --git a/action.yml b/action.yml
@@ -1,5 +1,5 @@
 name: AWS ECR
-author: Lee Sun-Hyoup <kciter@naver.com>
+author: Lee Sun-Hyoup <kciter@naver.com>, Pablo Castillo <pablo@castillo.is>
 branding:
   icon: upload-cloud
   color: orange
@@ -36,6 +36,9 @@ inputs:
   tags:
     description: Comma-separated string of ECR image tags
     default: latest
+  image_scanning_configuration:
+    description: Set this to True if you want AWS to scan your images for vulnerabilities
+    default: false
   dockerfile:
     description: Name of Dockerfile to use
     default: Dockerfile

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -7,13 +7,15 @@ INPUT_TAGS="${INPUT_TAGS:-latest}"
 INPUT_CREATE_REPO="${INPUT_CREATE_REPO:-false}"
 INPUT_SET_REPO_POLICY="${INPUT_SET_REPO_POLICY:-false}"
 INPUT_REPO_POLICY_FILE="${INPUT_REPO_POLICY_FILE:-repo-policy.json}"
+INPUT_IMAGE_SCANNING_CONFIGURATION="${INPUT_IMAGE_SCANNING_CONFIGURATION:-false}"
 
 function main() {
   sanitize "${INPUT_ACCESS_KEY_ID}" "access_key_id"
   sanitize "${INPUT_SECRET_ACCESS_KEY}" "secret_access_key"
   sanitize "${INPUT_REGION}" "region"
   sanitize "${INPUT_ACCOUNT_ID}" "account_id"
   sanitize "${INPUT_REPO}" "repo"
+  sanitize "${INPUT_IMAGE_SCANNING_CONFIGURATION}" "image_scanning_configuration"
 
   ACCOUNT_URL="$INPUT_ACCOUNT_ID.dkr.ecr.$INPUT_REGION.amazonaws.com"
 
@@ -25,6 +27,7 @@ function main() {
   create_ecr_repo $INPUT_CREATE_REPO
   set_ecr_repo_policy $INPUT_SET_REPO_POLICY
   docker_push_to_ecr $INPUT_TAGS $ACCOUNT_URL
+  image_scanning_configuration $INPUT_IMAGE_SCANNING_CONFIGURATION
 }
 
 function sanitize() {
@@ -96,6 +99,16 @@ function set_ecr_repo_policy() {
   fi
 }
 
+function put_image_scanning_configuration() {
+  if [ "${1}" = true ]; then
+      echo "== START SET IMAGE SCANNING CONFIGURATION"
+    if [ -f "${INPUT_IMAGE_SCANNING_CONFIGURATION}" ]; then
+      aws ecr put-image-scanning-configuration --repository-name $INPUT_REPO --image-scanning-configuration scanOnPush=${INPUT_IMAGE_SCANNING_CONFIGURATION}
+      echo "== FINISHED SET IMAGE SCANNING CONFIGURATION"
+    fi
+  fi
+}
+
 function run_pre_build_script() {
   if [ ! -z "${1}" ]; then
     echo "== START PREBUILD SCRIPT"