.github/workflows/docker-vulnerability-scan.yml

name: Docker vulnerability scan

on:
  workflow_dispatch:
  schedule:
    - cron: "0 4 * * *"

permissions:
  id-token: write        # This is required for requesting the OIDC JWT
  contents: read         # This is required for actions/checkout
  security-events: write # This is required for the docker-scan action

jobs:
  docker-vulnerability-scan-k8s:
    runs-on: ubuntu-latest
    env:
      DOCKERFILE_PATH: "ci/Dockerfile"
      DOCKER_IMAGE: "public.ecr.aws/v6b8u5o6/notify-api"

    steps:
      - name: Configure credentials to CDS public ECR using OIDC
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          role-to-assume: arn:aws:iam::283582579564:role/notification-api-apply
          role-session-name: NotifyApiGitHubActions
          aws-region: "us-east-1"

      - name: Login to ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
        with:
          registry-type: public

      - name: Docker vulnerability scan
        uses: cds-snc/security-tools/.github/actions/docker-scan@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
        env:
          TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
        with:
          docker_image: "${{ env.DOCKER_IMAGE }}:latest"
          dockerfile_path: "${{ env.DOCKERFILE_PATH }}"
          token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Logout of Amazon ECR
        run: docker logout ${{ steps.login-ecr.outputs.registry }}

  docker-vulnerability-scan-lambda:
    runs-on: ubuntu-latest
    env:
      DOCKERFILE_PATH: "ci/Dockerfile.lambda"
      DOCKER_IMAGE: "${{ secrets.PRODUCTION_API_LAMBDA_ECR_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/notify/api-lambda"

    steps:
      - name: Configure credentials to Notify account using OIDC
        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
        with:
          role-to-assume: arn:aws:iam::${{ secrets.PRODUCTION_API_LAMBDA_ECR_ACCOUNT }}:role/notification-api-apply
          role-session-name: NotifyApiGitHubActions
          aws-region: "ca-central-1"

      - name: Get latest Docker image tag
        run: |
          IMAGE_TAG="$(aws ecr describe-images --output json --repository-name notify/api-lambda --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' | jq . --raw-output)"
          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV

      - name: Login to ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1

      - name: Docker vulnerability scan
        uses: cds-snc/security-tools/.github/actions/docker-scan@34794baf2af592913bb5b51d8df4f8d0acc49b6f # v3.2.0
        env:
          TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
        with:
          docker_image: "${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }}"
          dockerfile_path: "${{ env.DOCKERFILE_PATH }}"
          token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Logout of Amazon ECR
        run: docker logout ${{ steps.login-ecr.outputs.registry }}