
aws ecr scan fails with no error #379

Open · Poornachand200 opened this issue Jul 29, 2024 · 1 comment


Poornachand200 commented Jul 29, 2024

Below is the Actions YAML. The log file is attached:
logs_26538100467.zip

```yaml
name: Build and run tests for dev

on:
  workflow_dispatch:
  push:
    branches:
      - 'feature/**'
      - 'develop'
    paths-ignore:
      - 'k8s/**'
      - '.github/**'

permissions:
  id-token: write
  contents: write
  checks: write
  issues: write
  packages: write
  pull-requests: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
        uses: actions/checkout@v4

      - name: Configure qemu for multiarch builds
        uses: docker/setup-qemu-action@v2

      - name: Configure buildx
        uses: docker/setup-buildx-action@v2

      - uses: actions/setup-java@v4
        with:
          distribution: 'corretto'
          java-version: '21'
          cache: "gradle"

      - name: Setup Gradle
        uses: gradle/gradle-build-action@v3

      - name: Build with Gradle
        run: ./gradlew build

      # OIDC role assumption; output-credentials exposes the temporary keys as step outputs
      # so they can be handed to the scan step below.
      - name: Configure AWS credentials
        id: creds
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME_ECR_PUSH }}
          aws-region: ${{ vars.AWS_SECRETS_REGION }}
          output-credentials: true

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Build
        env:
          DOCKERFILE: "./Dockerfile.jvm"
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: "ciam-sync-service"
          VERSION: "ciam-sync-service-${{ github.sha }}"
        run: docker buildx build --build-arg ENVIRONMENT=dev --platform linux/amd64,linux/arm64 -f $DOCKERFILE -t $REGISTRY/$REPOSITORY:dev-$VERSION .

      - name: Push
        env:
          DOCKERFILE: "./Dockerfile.jvm"
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: "ciam-sync-service"
          VERSION: "ciam-sync-service-${{ github.sha }}"
        run: docker buildx build --build-arg ENVIRONMENT=dev --push --platform linux/amd64,linux/arm64 -f $DOCKERFILE -t $REGISTRY/$REPOSITORY:dev-$VERSION .

      # Trivy pulls the just-pushed image from the private ECR registry using the
      # temporary credentials from the creds step.
      - name: Scan image in a private registry
        uses: aquasecurity/[email protected]
        with:
          image-ref: '${{ steps.login-ecr.outputs.registry }}/ciam-sync-service:dev-ciam-sync-service-${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
          AWS_ACCESS_KEY_ID: ${{ steps.creds.outputs.aws-access-key-id }}
          AWS_SECRET_ACCESS_KEY: ${{ steps.creds.outputs.aws-secret-access-key }}
          AWS_DEFAULT_REGION: ${{ vars.AWS_SECRETS_REGION }}

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Get Image URI
        id: image
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: "ciam-sync-service"
          VERSION: "ciam-sync-service-${{ github.sha }}"
        run: |
          IMAGE_ID=$REGISTRY/$REPOSITORY:dev-$VERSION
          echo "image_id=${IMAGE_ID}" >> "$GITHUB_OUTPUT"

      - name: Extract branch name
        shell: bash
        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
        id: extract_branch

      - name: Update Image Version in the kubernetes yaml file
        uses: fjogeleit/yaml-update-action@main
        with:
          valueFile: 'k8s/dev/ciam-sync-service.yml'
          propertyPath: 'spec.template.spec.containers[0].image'
          value: ${{ steps.image.outputs.image_id }}
          repository: nuuday/ciam-sync-service
          branch: deployment/image-${{ github.sha }}
          commitChange: true
          createPR: true
          targetBranch: ${{ steps.extract_branch.outputs.branch }}
          masterBranchName: main
          force: true
          message: 'Update Image Version to ${{ steps.image.outputs.image_id }}'
          token: ${{ secrets.GITHUB_TOKEN }}
```
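The workflow above uploads `trivy-results.sarif` unconditionally, so a scan step that ends without writing a result file (the symptom reported here) leaves the job green and the Security tab empty. The guard below is an added example, not the issue author's workflow and not trivy-action's code: it runs between the scan and the upload, treats a missing, empty or run-less SARIF file as a failed scan rather than a clean one, and fails on findings at a chosen SARIF level. The file name `trivy-results.sarif` is the one used in the workflow; the embedded sample SARIF document, its rule ids and the script name `sarif_guard.py` are constructed placeholders.

```python
"""sarif_guard.py (hypothetical name): refuse to upload an empty scan result.

Exit codes: 0 = scan ran, no finding at a failing level
            1 = findings at a failing level
            2 = no usable SARIF output (missing, empty, unparsable, or zero runs)
"""
import json
import sys
from collections import Counter
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed sample document in Trivy's SARIF shape; rule ids are placeholders, not real CVEs.
SAMPLE_SARIF: Dict = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Trivy", "rules": [
                {"id": "CVE-XXXX-0001", "properties": {"security-severity": "9.8"}},
                {"id": "CVE-XXXX-0002", "properties": {"security-severity": "5.3"}},
            ]}},
            "results": [
                {"ruleId": "CVE-XXXX-0001", "level": "error", "message": {"text": "constructed"}},
                {"ruleId": "CVE-XXXX-0002", "level": "warning", "message": {"text": "constructed"}},
            ],
        }
    ],
}


def load_sarif(path: str) -> Optional[Dict]:
    """Parse the SARIF file at `path`; None when it is absent, empty or not JSON."""
    p = Path(path)
    if not p.is_file() or p.stat().st_size == 0:
        return None
    try:
        doc = json.loads(p.read_text(encoding="utf-8"))
    except json.JSONDecodeError:
        return None
    return doc if isinstance(doc, dict) else None


def summarize(sarif: Dict) -> Dict:
    """Count runs, results and results per SARIF `level` across all runs."""
    runs = sarif.get("runs") or []
    by_level: Counter = Counter()
    total = 0
    for run in runs:
        for result in run.get("results") or []:
            total += 1
            by_level[result.get("level", "none")] += 1
    return {"runs": len(runs), "results": total, "by_level": dict(by_level)}


def evaluate(sarif: Optional[Dict], fail_levels: Tuple[str, ...] = ("error",)) -> Tuple[int, str]:
    """Map a parsed SARIF document (or None) to an exit code and a one-line reason."""
    if sarif is None or not sarif.get("runs"):
        return 2, "scanner produced no SARIF run: treating as a failed scan, not a clean one"
    s = summarize(sarif)
    failing = sum(s["by_level"].get(level, 0) for level in fail_levels)
    if failing:
        return 1, f"{failing} of {s['results']} finding(s) at level(s) {fail_levels}"
    return 0, f"scan ran: {s['results']} finding(s), none at level(s) {fail_levels}"


if __name__ == "__main__":
    # Usage in a workflow step after the scan: python3 sarif_guard.py trivy-results.sarif
    target = sys.argv[1] if len(sys.argv) > 1 else "trivy-results.sarif"
    code, reason = evaluate(load_sarif(target))
    print(f"{target}: {reason}")
    raise SystemExit(code)
```

Placed as a `run:` step after "Scan image in a private registry" and before the SARIF upload, exit code 2 makes a silent scan failure visible in the job instead of being masked by an upload of nothing. Failing on findings can also be done with trivy-action's own `exit-code` input; the guard adds the check that the scanner actually produced a run, which that input does not cover.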
Poornachand200 (Author) commented:

@simar7 Could you please assist here?
