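#!/usr/bin/env bash
# Gate a build on the ECR image scan of REPOSITORY_NAME:IMAGE_TAG.
# Waits for the scan to finish, then fails (exit 2) if any unsuppressed
# CRITICAL or HIGH enhanced finding is present.
#
# Required env: REPOSITORY_NAME, IMAGE_TAG
# Required tools: aws CLI (with ECR read permissions), jq
#
# -u catches typos in variable names and -o pipefail makes a failing
# `aws | jq` pipeline visible instead of silently yielding empty output.
set -euo pipefail

# ${VAR:-} keeps the friendly diagnostic reachable under set -u when the
# variable is unset; diagnostics go to stderr so stdout stays parseable.
if [[ -z "${REPOSITORY_NAME:-}" ]]; then
  echo "REPOSITORY_NAME not set" >&2
  exit 1
fi
if [[ -z "${IMAGE_TAG:-}" ]]; then
  echo "IMAGE_TAG not set" >&2
  exit 1
fi

# Fail early with a clear message rather than mid-poll with "command not found".
for tool in aws jq; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "required tool '${tool}' not found in PATH" >&2
    exit 1
  fi
done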
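#######################################
# Block until the ECR scan for REPOSITORY_NAME:IMAGE_TAG reports COMPLETE.
# Globals:   REPOSITORY_NAME, IMAGE_TAG (read)
#            SCAN_POLL_INTERVAL, SCAN_MAX_ATTEMPTS (read, optional overrides)
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   0 once the scan is COMPLETE; exits 1 if the scan reaches a
#            terminal non-COMPLETE status or the polling budget is exhausted
#######################################
wait_for_scan() {
  # Defaults keep the original 3-second cadence but put a ceiling on the wait
  # (about 10 minutes) instead of looping forever when the scan never
  # reaches COMPLETE (stuck scan, missing permissions, wrong tag, ...).
  local interval=${SCAN_POLL_INTERVAL:-3}
  local max_attempts=${SCAN_MAX_ATTEMPTS:-200}
  local attempt=0
  local status

  echo "Giving some time for scan to begin..."
  sleep "$interval"
  while :; do
    # A failing CLI call (e.g. findings not available yet) leaves status
    # empty; that is treated as "not finished" rather than aborting under
    # set -e, so the aws error itself stays visible on stderr.
    status=$(aws ecr describe-image-scan-findings \
      --repository-name "${REPOSITORY_NAME}" \
      --image-id imageTag="${IMAGE_TAG}" \
      | jq -r '.imageScanStatus.status // empty') || status=""

    case "$status" in
      COMPLETE)
        break
        ;;
      FAILED|UNSUPPORTED_IMAGE)
        # Terminal states: no findings will ever arrive, so waiting is pointless.
        echo "ERROR: image scan ended with status ${status}; cannot evaluate findings." >&2
        exit 1
        ;;
    esac

    attempt=$((attempt + 1))
    if (( attempt >= max_attempts )); then
      echo "ERROR: scan did not reach COMPLETE after ${max_attempts} polls; giving up." >&2
      exit 1
    fi
    echo "SCAN IS NOT YET COMPLETE..."
    sleep "$interval"
  done

  echo "Final sleep to ensure suppressions are applied correctly"
  sleep 5
}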
#######################################
# Fetch the scan findings once and split out the unsuppressed HIGH and
# CRITICAL enhanced findings.
# Globals:   REPOSITORY_NAME, IMAGE_TAG (read)
#            scan_results, high, critical (written, consumed by
#            return_scan_results / analyze_scan_results)
# Returns:   status of the last jq invocation
#######################################
check_for_high_critical_vuln() {
  # Same selection for both severities; only the $sev argument differs.
  local filter='.imageScanFindings.enhancedFindings[]? | select(.severity == $sev and .status != "SUPPRESSED")'

  scan_results=$(aws ecr describe-image-scan-findings \
    --repository-name "${REPOSITORY_NAME}" \
    --image-id imageTag="${IMAGE_TAG}")

  high=$(jq --arg sev HIGH "$filter" <<<"$scan_results")
  critical=$(jq --arg sev CRITICAL "$filter" <<<"$scan_results")
}
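#######################################
# Print the full raw scan response between delimiter lines.
# Globals:   scan_results (read)
# Outputs:   the delimited scan response on stdout
#######################################
return_scan_results() {
  # printf instead of echo: the payload is arbitrary data, so a value that
  # happens to look like an echo option (e.g. "-n") must still print verbatim.
  printf '%s\n' "=== BEGIN IMAGE SCAN RESULTS ==="
  printf '%s\n' "$scan_results"
  printf '%s\n' "=== END IMAGE SCAN RESULTS ==="
}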
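#######################################
# Print the "stop the build" banner and terminate with exit status 2.
# Outputs:   banner on stderr (it is a diagnostic, not scan data)
# Returns:   never returns; exits 2
#######################################
return_error() {
  local banner='**********************************************************'
  # printf rather than `echo -e`: echo's -e handling is not portable.
  {
    printf '\n%s\n%s\n%s\n' "$banner" "$banner" "$banner"
    printf '%s\n' "ERROR: There are CRITICAL/HIGH vulnerabilities. Stopping build."
    printf '%s\n%s\n%s\n' "$banner" "$banner" "$banner"
  } >&2
  exit 2
}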
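#######################################
# Report CRITICAL and HIGH findings, dump the full response, and abort the
# build when either severity is present.
# Globals:   critical, high (read); scan_results (read via return_scan_results)
# Outputs:   per-severity sections and the full scan response on stdout
# Returns:   0 when there is nothing to report; otherwise exits 2 via
#            return_error
#######################################
analyze_scan_results() {
  local failed=0

  # Both sections are printed when both severities are present, so HIGH
  # findings are not hidden behind the CRITICAL ones.
  if [[ -n "$critical" ]]; then
    failed=1
    printf '%s\n' "ERROR: There are CRITICAL vulnerabilities. Stopping build."
    printf '%s\n' "=== BEGIN CRITICAL IMAGE SCAN RESULTS ==="
    printf '%s\n' "$critical"
    printf '%s\n' "=== END CRITICAL IMAGE SCAN RESULTS ==="
  fi
  if [[ -n "$high" ]]; then
    failed=1
    printf '%s\n' "ERROR: There are HIGH vulnerabilities. Stopping build."
    printf '%s\n' "=== BEGIN HIGH IMAGE SCAN RESULTS ==="
    printf '%s\n' "$high"
    printf '%s\n' "=== END HIGH IMAGE SCAN RESULTS ==="
  fi

  # The full response is always emitted, pass or fail, for audit purposes.
  return_scan_results
  if (( failed )); then
    return_error
  fi
}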
# Entry point: wait for the scan, collect the findings, then decide.
main() {
  wait_for_scan
  check_for_high_critical_vuln
  analyze_scan_results
}
main "$@"