This repository contains a reusable GitHub Actions workflow that builds a container image, generates an SBOM for it with Amazon Inspector SBOM Generator (`inspector-sbomgen`), and scans that SBOM with the Amazon Inspector Scan API.
The resulting vulnerability report is validated against a severity threshold: the job fails if any finding is at or above the configured severity.
Inputs:

- `docker-image-name`: Docker image name. Default `"test/dev"`.
- `docker-context`: Relative path to the directory containing the Dockerfile (the Docker build context). Default `"."`.
- Dockerfile name. Default `"Dockerfile"`.
- `amazon-inspector-scan-assume-role`: ARN of the IAM role to assume when calling the Amazon Inspector Scan API. The role is assumed via GitHub's OIDC provider, so the calling workflow must grant `id-token: write` (see the example below) and the role's trust policy must allow that repository's OIDC identity.
- `amazon-inspector-scan-region`: Region in which to call the Amazon Inspector Scan API. Default `"us-east-1"`.
- `amazon-inspector-scan-endpoint`: Endpoint for the Amazon Inspector Scan API. Default `"https://inspector-scan.us-east-1.amazonaws.com"`. If you change the region, change the endpoint to match.
- `threshold`: Vulnerability severity threshold. The job fails when the scan reports at least one vulnerability at this severity or higher. Default `"critical"`.
Example caller workflow. Replace `<ACCOUNT_ID>` and `<ASSUME_ROLE_NAME>` with your own values. The example references the reusable workflow by the `v1` tag; for a stronger supply-chain guarantee, pin `uses:` to a full commit SHA instead, since a tag can be moved.

```yaml
on:
  push:
  workflow_dispatch:
permissions:
  contents: read
  id-token: write
jobs:
  scan-image:
    uses: build-failure/amazon-inspector-vulnerability-scan/.github/workflows/amazon-inspector-image-scan.yml@v1
    with:
      docker-image-name: test/dev
      docker-context: .
      amazon-inspector-scan-assume-role: arn:aws:iam::<ACCOUNT_ID>:role/<ASSUME_ROLE_NAME>
      amazon-inspector-scan-region: us-east-1
      amazon-inspector-scan-endpoint: https://inspector-scan.us-east-1.amazonaws.com
      threshold: critical
```
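To make the threshold semantics concrete, here is an added example of the kind of gate the workflow applies to the scan result. It is illustrative code written for this README, not the project's own implementation. It assumes the Amazon Inspector scan result is a CycloneDX JSON document whose `vulnerabilities[]` entries carry `ratings[]` with a `severity` string (`info`, `low`, `medium`, `high`, `critical`; anything else, such as `unknown`, is treated as below every threshold), and that `threshold: critical` fails only on critical findings while lower thresholds are stricter. The embedded report and its CVE identifiers are constructed sample data, not real findings.

```python
import json
import sys

# Ordered severity vocabulary assumed for this example. Severities not listed
# (e.g. "unknown", "none") rank 0 and never trip the gate on their own.
SEVERITY_RANK = {"info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}


def max_severity(vuln: dict) -> str:
    """Highest severity among a vulnerability's ratings ("unknown" if it has none).

    Scanners may attach several ratings (e.g. NVD and vendor CVSS); the gate
    should use the worst one rather than the first one.
    """
    best = "unknown"
    for rating in vuln.get("ratings", []):
        sev = str(rating.get("severity", "unknown")).lower()
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(best, 0):
            best = sev
    return best


def violations(report: dict, threshold: str) -> list:
    """Return [(id, severity), ...] for findings at or above `threshold`.

    Raises ValueError for a threshold outside the known vocabulary so a typo
    in the workflow input fails loudly instead of silently passing every scan.
    """
    key = threshold.lower()
    if key not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold {threshold!r}; expected one of {list(SEVERITY_RANK)}")
    floor = SEVERITY_RANK[key]
    found = []
    for vuln in report.get("vulnerabilities", []):
        sev = max_severity(vuln)
        if SEVERITY_RANK.get(sev, 0) >= floor:
            found.append((vuln.get("id", "<no id>"), sev))
    return found


def passes_threshold(report: dict, threshold: str) -> bool:
    """True when no finding reaches the threshold, i.e. the job may succeed."""
    return not violations(report, threshold)


# Constructed CycloneDX-style sample report (fictional IDs, not real CVEs).
SAMPLE_REPORT = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001",
         "ratings": [{"severity": "high"}, {"severity": "CRITICAL"}]},  # worst rating wins
        {"id": "CVE-0000-0002", "ratings": [{"severity": "medium"}]},
        {"id": "CVE-0000-0003", "ratings": []},                          # no rating -> unknown
    ],
}


def main(argv: list) -> int:
    """Usage: gate.py <threshold> [report.json]; exit 1 when the gate fails."""
    threshold = argv[1] if len(argv) > 1 else "critical"
    if len(argv) > 2:
        with open(argv[2], "r", encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    failing = violations(report, threshold)
    for vuln_id, sev in failing:
        print(f"{vuln_id}: {sev} (>= {threshold})")
    print("PASS" if not failing else f"FAIL: {len(failing)} finding(s) at or above {threshold}")
    return 0 if not failing else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py critical report.json`; the non-zero exit status is what a CI step should key on. Note that the unrated finding is ignored by design here; if your policy should treat unrated findings as failures, rank `unknown` above the threshold instead of at 0.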