search

aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0
772 stars 221 forks source link

aws ecr scan fails with no error #379

Open Poornachand200 opened 1 month ago

Poornachand200 commented 1 month ago

Below is actions yaml. Attached is the log file. logs_26538100467.zip

name: Build and run tests for dev

on:
  workflow_dispatch:
  push:
    branches:
      - 'feature/**'
      - 'develop'
    paths-ignore:
      - 'k8s/**'
      - '.github/**'

permissions:
  id-token: write
  contents: write
  checks: write
  issues: write
  packages: write
  pull-requests: write

jobs:   
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
        uses: actions/checkout@v4

      - name: Configure qemu for multiarch builds
        uses: docker/setup-qemu-action@v2

      - name: Configure buildx
        uses: docker/setup-buildx-action@v2

      - uses: actions/setup-java@v4
        with:
          distribution: 'corretto' 
          java-version: '21'
          cache: "gradle"

      - name: Setup Gradle
        uses: gradle/gradle-build-action@v3

      - name: Build with Gradle
        run: ./gradlew build

      - name: Configure AWS credentials
        id: creds
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME_ECR_PUSH }}
          aws-region: ${{ vars.AWS_SECRETS_REGION }}
          output-credentials: true

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Build
        env:
          DOCKERFILE: "./Dockerfile.jvm"
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: "ciam-sync-service"
          VERSION: "ciam-sync-service-${{ github.sha }}"
        run: docker buildx build --build-arg ENVIRONMENT=dev --platform linux/amd64,linux/arm64 -f $DOCKERFILE -t $REGISTRY/$REPOSITORY:dev-$VERSION .

      - name: Push
        env:
          DOCKERFILE: "./Dockerfile.jvm"
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: "ciam-sync-service"
          VERSION: "ciam-sync-service-${{ github.sha }}"
        run: docker buildx build --build-arg ENVIRONMENT=dev --push --platform linux/amd64,linux/arm64 -f $DOCKERFILE -t $REGISTRY/$REPOSITORY:dev-$VERSION .

      - name: Scan image in a private registry
        uses: aquasecurity/trivy-action@0.20.0
        with:
          image-ref: '${{ steps.login-ecr.outputs.registry }}/ciam-sync-service:dev-ciam-sync-service-${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
          AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
          AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
          AWS_DEFAULT_REGION:  ${{ vars.AWS_SECRETS_REGION }}

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Get Image URI
        id: image
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: "ciam-sync-service"
          VERSION: "ciam-sync-service-${{ github.sha }}"
        run: |
          IMAGE_ID=$REGISTRY/$REPOSITORY:dev-$VERSION
          echo "image_id=${IMAGE_ID}" >> "$GITHUB_OUTPUT"

      - name: Extract branch name
        shell: bash
        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
        id: extract_branch

      - name: Update Image Version in the kubernetes yaml file
        uses: fjogeleit/yaml-update-action@main
        with:
          valueFile: 'k8s/dev/ciam-sync-service.yml'
          propertyPath: 'spec.template.spec.containers[0].image'
          value: ${{ steps.image.outputs.image_id }}
          repository: nuuday/ciam-sync-service
          branch: deployment/image-${{ github.sha }}          
          commitChange: true
          createPR: true
          targetBranch: ${{ steps.extract_branch.outputs.branch }}
          masterBranchName: main
          force: true
          message: 'Update Image Version to ${{ steps.image.outputs.image_id }}'
          token: ${{ secrets.GITHUB_TOKEN }}
Poornachand200 commented 1 month ago

@simar7 Could you please assist here?