Add image scanning

chewy-zlai · chewy-zlai · commit 1372b378bab6 · 2024-12-23T10:22:51.000-08:00
diff --git a/.github/workflows/push_to_canary.yaml b/.github/workflows/push_to_canary.yaml
@@ -2,8 +2,8 @@ name: Push To Canary
 
 on:
   push:
-    branches:
-      - 'main'
+#    branches:
+#      - 'main'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -121,6 +121,19 @@ jobs:
           docker build "." -f "docker-init/frontend/Dockerfile" -t "frontend-image:latest" --build-arg "API_BASE_URL=http://app:9000"
 
 
+      - name: Scan container images
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: |
+            aws-app-image:latest
+            gcp-app-image:latest
+            frontend-image:latest
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -137,7 +150,7 @@ jobs:
       - name: Tag, and push quickstart image to Amazon ECR
         env:
           ECR_REPOSITORY: ${{steps.login-ecr.outputs.registry}}/${{env.AWS_QUICKSTART_REPOSITORY}}
-          IMAGE_TAG: main
+          IMAGE_TAG: canary
         shell: bash
         run: |
           set -eo pipefail
@@ -149,7 +162,7 @@ jobs:
       - name: Tag, and push app image to Amazon ECR
         env:
           ECR_REGISTRY: ${{steps.login-ecr.outputs.registry}}/${{env.AWS_APP_REPOSITORY}}
-          IMAGE_TAG: main
+          IMAGE_TAG: canary
         shell: bash
         run: |
           set -eo pipefail
@@ -169,7 +182,7 @@ jobs:
         shell: bash
         env:
           ECR_REGISTRY: ${{steps.login-ecr.outputs.registry}}/${{env.AWS_FRONTEND_REPOSITORY}}
-          IMAGE_TAG: main
+          IMAGE_TAG: canary
         run: |
           set -eo pipefail
           docker tag "frontend-image:latest" "${{env.ECR_REGISTRY}}:${{env.IMAGE_TAG}}"
@@ -202,7 +215,7 @@ jobs:
         shell: bash
         env:
           GAR_QUICKSTART_REGISTRY: ${{secrets.GCP_REGION}}-docker.pkg.dev/${{secrets.GCP_PROJECT_ID}}/${{env.GAR_QUICKSTART_REPOSITORY}}
-          IMAGE_TAG: main
+          IMAGE_TAG: canary
         run: |
           set -eo pipefail
           docker tag "gcp-quickstart-image:latest" "${{env.GAR_QUICKSTART_REGISTRY}}:${{env.IMAGE_TAG}}"
@@ -220,7 +233,7 @@ jobs:
         shell: bash
         env:
           GAR_APP_REGISTRY: ${{secrets.GCP_REGION}}-docker.pkg.dev/${{secrets.GCP_PROJECT_ID}}/${{env.GAR_APP_REPOSITORY}}
-          IMAGE_TAG: main
+          IMAGE_TAG: canary
         run: |
           set -eo pipefail
           docker tag "gcp-app-image:latest" "${{env.GAR_APP_REGISTRY}}:${{env.IMAGE_TAG}}"
@@ -238,7 +251,7 @@ jobs:
         shell: bash
         env:
           GAR_FRONTEND_REGISTRY: ${{secrets.GCP_REGION}}-docker.pkg.dev/${{secrets.GCP_PROJECT_ID}}/${{env.GAR_FRONTEND_REPOSITORY}}
-          IMAGE_TAG: main
+          IMAGE_TAG: canary
         run: |
           set -eo pipefail
           docker tag "frontend-image:latest" "${{env.GAR_FRONTEND_REGISTRY}}:${{env.IMAGE_TAG}}"
