Add retry loop for image scan (#117)

* add debug to image scan * adapt workflow_branch * adapt workflow_branch * fix remaining branch references * add retry loop for image-scan * revert branches * Update .github/actions/get-ecr-scan-result/action.yml Co-authored-by: Michael Pühringer <[email protected]> * Update .github/actions/get-ecr-scan-result/action.yml --------- Co-authored-by: Viktor Delev <[email protected]> Co-authored-by: Michael Pühringer <[email protected]>
datavisyn · Nov 13, 2024 · 46cc7aa · 46cc7aa
1 parent d8089a8
commit 46cc7aa
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/.github/actions/get-ecr-scan-result/action.yml b/.github/actions/get-ecr-scan-result/action.yml
@@ -53,8 +53,18 @@ runs:
     - name: Get AWS ECR Scan results
       id: get-scan-results
       run: |
-        aws ecr wait image-scan-complete --repository-name $ECR_REPOSITORY --image-id imageTag=$IMAGE_TAG
-        if [ $(echo $?) -eq 0 ]; then
+        # As the image scan itself may not be started yet, we have to wait (and retry) until it is actually available
+        max_retries=5
+        retries=0
+        scan_complete=1
+        until [ $retries -eq $max_retries ]; do
+            aws ecr wait image-scan-complete --repository-name $ECR_REPOSITORY --image-id imageTag=$IMAGE_TAG && scan_complete=0 && break
+            sleep 5
+            retries=$((retries + 1))
+            echo "Retry $retries/$max_retries: Waiting for image scan to start..."
+        done
+
+        if [ $scan_complete -eq 0 ]; then
           scan_findings=$(aws ecr describe-image-scan-findings --repository-name $ECR_REPOSITORY --image-id imageTag=$IMAGE_TAG | jq '.imageScanFindings.findingSeverityCounts')
           critical=$(echo $scan_findings | jq '.CRITICAL')
           high=$(echo $scan_findings | jq '.HIGH')