Open hgbarreto opened 1 month ago
Working on implementing Trivy and then SBOM on the AMI workflows. Should begin testing this afternoon.
Trivy worked well. Working on implementing SBOM using the existing SBOM workflow. I have to make some updates on the SBOM workflow, considering that the workflow was built with the assumption that the image is being pushed to ECR, which is not the case for the AMIs. Making adjustments so the SBOM is created and pushed to S3 regardless of ECR usage.
Updating ticket points to a 5 as it involves updating the shared SBOM workflow to accommodate AMI builds before referencing the SBOM workflow within the AMI workflow.
I am having some issues with Trivy functionality for the AMI scanning that I am trying to work around. The Trivy scan was showing complete, but I noticed it was not actually scanning the correct AMI because the AMI_ID was not being properly extracted after being built. I found that out, modified the code and confirmed that we were extracting the correct AMI_ID, but the Trivy scan is refusing to scan the AMI. I am currently troubleshooting to figure out the reason for that. I have created a separate shared SBOM workflow for the AMI with a slightly different setup from the Docker image SBOM workflow.
Once I am done with the workflows, I will have to update the Terraform to include crawlers for the AMI SBOM. Unfortunately, this ticket will have to be carried over to the next sprint.
I have gotten a breakthrough with Trivy and CycloneDX for security and SBOM functioning. I will update the other workflows and Terraform code, then push out the PR.
Description
To meet and mature in the ID.AM-1 and ID.AM-2 security controls, Infrastructure Services would like to create the same SBOM GHA workflow logic utilized for the container images. Leverage the already created logic of
GHA Task -> S3 Bucket -> AWS Glue -> Athena
for our Amazon Machine Image builds (AMIs). Note - The same JSON formatting will be required.
Resources
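Added example, not the ticket's or the project's workflow code: a shell helper for the GHA step the description sketches, built around the fail-closed AMI ID check that the wrong-AMI incident in the comments calls for. It assumes the AMI is built by Packer with a manifest post-processor, that Trivy's `vm` target and the AWS CLI are on the runner with AWS credentials and region in the environment, and the S3 key layout and bucket variable are made up.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow): a GHA step script that
# extracts the freshly built AMI ID, refuses to continue unless it is
# well-formed, then has Trivy emit a CycloneDX SBOM and pushes it to S3
# for the Glue crawler / Athena side of the pipeline to pick up.
set -eu

# Constructed stand-in for a Packer manifest (assumption: Packer's
# manifest post-processor writes "artifact_id": "<region>:<ami-id>").
sample_manifest() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
{
  "builds": [
    { "name": "amazon-ebs", "artifact_id": "us-east-1:ami-0123456789abcdef0" }
  ]
}
EOF
  printf '%s\n' "$f"
}

# Print the AMI ID of the last build in the manifest; return 1 if none.
# Returning non-zero here is what stops a run from reporting a "complete"
# scan of an empty or stale AMI_ID value.
extract_ami_id() {
  local id
  id=$(grep -o '"artifact_id": *"[^"]*"' "$1" | grep -o 'ami-[0-9a-f]*' | tail -n 1 || true)
  [ -n "$id" ] || return 1
  printf '%s\n' "$id"
}

# Strict format check applied again right before the scan.
is_valid_ami_id() {
  printf '%s' "$1" | grep -Eq '^ami-[0-9a-f]{8,17}$'
}

# Scan the AMI with Trivy, write a CycloneDX SBOM, and upload it under a
# date-partitioned key (layout assumed) so a crawler can discover it.
scan_and_publish() {
  local ami_id="$1" bucket="$2" out
  is_valid_ami_id "$ami_id" || { echo "refusing to scan malformed AMI id: '$ami_id'" >&2; return 1; }
  out="sbom-${ami_id}.cdx.json"
  trivy vm --format cyclonedx --output "$out" "ami:${ami_id}"
  aws s3 cp "$out" "s3://${bucket}/sbom/ami/$(date -u +%Y/%m/%d)/${out}"
}

# Workflow usage (manifest path and bucket variable are assumptions):
#   AMI_ID=$(extract_ami_id packer-manifest.json) || { echo "no AMI ID in manifest" >&2; exit 1; }
#   scan_and_publish "$AMI_ID" "$SBOM_BUCKET"
```

The two checks are deliberately separate: extraction failing at the manifest and validation failing at the scan step each stop the job with a distinct message, so a green run always means the intended AMI was the one scanned.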
Acceptance Criteria
Refinement Guidance - Check the following before working on this issue: