Docker Maven Build and Push Docker Image to MDACA ECR

Update ci.yaml #47

Summary
Jobs
- build
- security
Run details
- Usage
- Workflow file

Workflow file for this run

	name: Docker Maven Build and Push Docker Image to MDACA ECR

	on:
	push:
	branches:
	- mdaca-3.0.1

	jobs:
	build:
	runs-on: ubuntu-latest

	steps:
	- name: Checkout repository
	uses: actions/checkout@v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Build and Push Docker Image
	env:
	IMAGE_TAG: 3.0.1
	ECR_REPOSITORY: mdaca/ohdsi/webapi
	AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	AWS_REGION: ${{ secrets.AWS_REGION }}
	CODEARTIFACT_DOMAIN: ${{ secrets.CODEARTIFACT_DOMAIN }}
	run: \|
	# Set AWS credentials for ECR and CodeArtifact
	aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
	aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
	aws configure set default.region $AWS_REGION

	echo "Running Maven Build"
	CODEARTIFACT_TOKEN_FILE=${{ github.workspace }}/codeartifact-auth

	# Fetch CodeArtifact authorization token
	aws codeartifact get-authorization-token \
	--domain $CODEARTIFACT_DOMAIN \
	--domain-owner $AWS_ACCOUNT_ID \
	--region $AWS_REGION \
	--query authorizationToken \
	--output text > $CODEARTIFACT_TOKEN_FILE

	export CODEARTIFACT_AUTH_TOKEN=$(cat $CODEARTIFACT_TOKEN_FILE)
	echo "$CODEARTIFACT_AUTH_TOKEN"

	# Login to ECR
	aws ecr get-login-password --region $AWS_REGION \| docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com

	REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com

	# Build the Docker image
	docker build --build-arg CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN -f Dockerfile-mvn-no-local -t $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .

	# Push the Docker image to ECR
	docker push $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

	# Tag the image as 'latest'
	docker tag $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $REGISTRY/$ECR_REPOSITORY:latest

	# Push the 'latest' tag to ECR
	docker push $REGISTRY/$ECR_REPOSITORY:latest


	security:
	runs-on: ubuntu-latest
	needs: build

	steps:
	- name: Checkout repository
	uses: actions/checkout@v3


	- name: Download Docker Image from ECR
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	AWS_REGION: ${{ secrets.AWS_REGION }}
	IMAGE_TAG: 3.0.1
	ECR_REPOSITORY: mdaca/ohdsi/webapi
	run: \|
	# Set ENV for AW Cred
	aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
	aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
	aws configure set default.region $AWS_REGION

	# Get token from ECR and Docker login
	aws ecr get-login-password --region $AWS_REGION \| docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com
	IMAGE_TAG=3.0.1

	docker pull ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
	docker images
	- name: Install Trivy
	run: \|
	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \| sudo sh -s -- -b /usr/local/bin

	- name: Scan Docker Image with Trivy
	env:
	AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
	AWS_REGION: ${{ secrets.AWS_REGION }}
	IMAGE_TAG: 3.0.1
	ECR_REPOSITORY: mdaca/ohdsi/webapi

	run: \|
	trivy image --severity HIGH,CRITICAL $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
	trivy image --format json $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > OHDSI-Webapi.json
	jq -r '.Results[] \| select(.Vulnerabilities != null) \| .Vulnerabilities[] \| [.SeveritySource, .VulnerabilityID, .PkgName, .PkgPath, .InstalledVersion, .FixedVersion, .Status, .Severity] \| @csv' OHDSI-Webapi.json > OHDSI-Webapi-Trivy.csv
	- name: Install Syft
	run: \|
	curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \| sudo sh -s -- -b /usr/local/bin

	- name: Generate SBOM with Syft
	env:
	AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
	AWS_REGION: ${{ secrets.AWS_REGION }}
	IMAGE_TAG: 3.0.1
	ECR_REPOSITORY: mdaca/ohdsi/webapi
	run: \|
	syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG
	syft $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ECR_REPOSITORY:$IMAGE_TAG > OHDSI-WEBAPI-sbom.tf

	- name: Upload Reports
	uses: actions/upload-artifact@v4
	with:
	name: trivy-and-sbom-reports
	path: \|
	OHDSI-Webapi-Trivy.csv
	OHDSI-Webapi-sbom.tf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update ci.yaml #47

Workflow file

Update ci.yaml #47

Jobs

Run details

Workflow file for this run