Add support to enable ECR image scan (#8)

seek-oss · Nov 14, 2019 · 67551e9 · 67551e9
1 parent 116a092
commit 67551e9
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -37,6 +37,12 @@ steps:
 
   Name of the ECR repository.
 
+- `scan-on-push` (optional, boolean)
+
+  Whether to [automatically scan images](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#scanning-repository) pushed to the ECR repository for vulnerabilities.
+
+  Omitting this option will leave the existing image scanning configuration untouched.
+
 - `repository-policy` (optional, string)
 
   Path in local repository to the repository policy file.

diff --git a/hooks/pre-command b/hooks/pre-command
@@ -13,7 +13,7 @@ ecr_exists() {
     --query 'repositories[0].registryId'
 }
 
-upsert_ecr() {
+upsert_ecr() { 
   local repository_name="${1}"
 
   if ! ecr_exists "${repository_name}"; then
@@ -37,6 +37,20 @@ upsert_ecr() {
   aws ecr put-lifecycle-policy \
   --repository-name "${repository_name}" \
   --lifecycle-policy-text "file://${lifecycle_policy_file}"
+
+  if [[ "${BUILDKITE_PLUGIN_CREATE_ECR_SCAN_ON_PUSH:-}" =~ ^(true|on|1)$ ]]; then
+    echo '--- Setting ECR image scanning configuration as enabled'
+    aws ecr put-image-scanning-configuration \
+      --repository-name "${repository_name}" \
+      --image-scanning-configuration \
+      scanOnPush=true
+  elif [[ "${BUILDKITE_PLUGIN_CREATE_ECR_SCAN_ON_PUSH:-}" =~ ^(false|off|0)$ ]]; then
+    echo '--- Setting ECR image scanning configuration as disabled'
+    aws ecr put-image-scanning-configuration \
+      --repository-name "${repository_name}" \
+      --image-scanning-configuration \
+      scanOnPush=false
+  fi
 }
 
 if [[ -z ${BUILDKITE_PLUGIN_CREATE_ECR_NAME:-} ]]; then

diff --git a/plugin.yml b/plugin.yml
@@ -9,6 +9,8 @@ configuration:
       type: string
     name:
       type: string
+    scan-on-push:
+      type: boolean
     repository-policy:
       type: string
   required: ['name']