To add ECR Image Scanning to Sample App and documentation

[bruce-wh-li]

Describe the Issue A continuation to ticket 1601 to add ECR Image Scanning to the Sample Container App. Due to ECR Image is not available for scanning because the problematic Container Sample App, As a security analyst, I would like to provide a workaround without waiting until the sample app issue fixed. A new standalone workflow for ECR Image Scanning will be created and a overall QA workflow comprises of all security scanning tool will be added for the user to incorporate to their CI/CD pipeline.

Additional Context

• Sample Container App has issue creating Docker Image to AWS ECR Repo

Acceptance Criteria

• [x] Create a new workflow to scan the docker image in AWS ECR for exploitable CVE (Common Vulnerability Exposure)
• [x] Create a new containing workflow to include all tools
• [x] Update github markup file in DOC folder to include description and how to incorporate the scanning tools to the CI/CD pipeline

. . . . . . . . . . .

Extra Template Info

Definition of Ready These set of conditions will need to be met in order to bring a ticket into the sprint and start work. Protects the team from unclear requirements. Issues (Task/Story/Spike) aligned to an EPIC and linked appropriately. Assigned to the appropriate CPF MEMBER (and is not left blank in ZenHub) at the start of sprint (1st day of the sprint) Acceptance has been defined for the issue and has been reviewed with CPF team and approved by the necessary approver. Has been sized and estimated by the delivery team. Detailed breakdown of the steps required to complete the story in the additional context Any additional specifications have been documented, reviewed with CPF and approved by the necessary approver.

Acceptance Criteria A set of pre-defined requirement that need to be met in order to mark the user story as “done”. It should be testable with no room for interpretation It should be either “pass” or “fail” It should be clear enough for business stake holders to understand As part of the user story, it should be written from the user perspective A well written acceptance criteria is great for

• managing expectations
• defining scope
• reducing ambiguity
• establishing testing criteria for QA Given (Pre-condition) When (Action) Then (Outcome)

Definition of Done These set of conditions are met for work to be considered as complete on an issue. All acceptance criteria(s) have been validated. All the necessary documentation for the issue has been uploaded to Teams. Functionality has been tested when applicable. Functionality has been demonstrated to the relevant stakeholders (where applicable). Story has been scheduled for a Sprint Demo/community update and impacted teams invited to the Demo. Stories accepted by PO and documented for potential sharing with impacted users.

• Documented = Captured in Community Update (CU) deck
• Release notes = aspirational goal of providing a bulleted list of features and changes that our users can touch. Was going to store them in our Cloud Pathfinder repo. Can also display to users in the CU

[bruce-wh-li]

Completed. However, no valid ECR image and no access to Forge as of now.