From 67551e9e9df1f97b440bf904423f720e6b658618 Mon Sep 17 00:00:00 2001
From: hari2192
Date: Thu, 14 Nov 2019 11:20:59 +1100
Subject: [PATCH] Add support to enable ECR image scan (#8)

---
 README.md | 6 ++++++
 hooks/pre-command | 16 +++++++++++++++-
 plugin.yml | 2 ++
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ea0cfca..577aec5 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,12 @@ steps:
 
   Name of the ECR repository.
 
+- `scan-on-push` (optional, boolean)
+
+  Whether to [automatically scan images](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#scanning-repository) pushed to the ECR repository for vulnerabilities.
+
+  Omitting this option will leave the existing image scanning configuration untouched.
+
 - `repository-policy` (optional, string)
 
   Path in local repository to the repository policy file.
diff --git a/hooks/pre-command b/hooks/pre-command
index 82fcf54..cb4f60a 100644
--- a/hooks/pre-command
+++ b/hooks/pre-command
@@ -13,7 +13,7 @@ ecr_exists() {
     --query 'repositories[0].registryId'
 }
 
-upsert_ecr() {
+upsert_ecr() {
   local repository_name="${1}"
 
   if ! ecr_exists "${repository_name}"; then
@@ -37,6 +37,20 @@ upsert_ecr() {
   aws ecr put-lifecycle-policy \
     --repository-name "${repository_name}" \
     --lifecycle-policy-text "file://${lifecycle_policy_file}"
+
+  if [[ "${BUILDKITE_PLUGIN_CREATE_ECR_SCAN_ON_PUSH:-}" =~ ^(true|on|1)$ ]]; then
+    echo '--- Setting ECR image scanning configuration as enabled'
+    aws ecr put-image-scanning-configuration \
+      --repository-name "${repository_name}" \
+      --image-scanning-configuration \
+        scanOnPush=true
+  elif [[ "${BUILDKITE_PLUGIN_CREATE_ECR_SCAN_ON_PUSH:-}" =~ ^(false|off|0)$ ]]; then
+    echo '--- Setting ECR image scanning configuration as disabled'
+    aws ecr put-image-scanning-configuration \
+      --repository-name "${repository_name}" \
+      --image-scanning-configuration \
+        scanOnPush=false
+  fi
 }
 
 if [[ -z ${BUILDKITE_PLUGIN_CREATE_ECR_NAME:-} ]]; then
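Review bot: In the second hooks/pre-command hunk, a `scan-on-push` value that matches neither regex (for example `True`, `yes`, or a typo) falls through both branches silently, so the pipeline author believes vulnerability scanning was enabled while the repository's scanning configuration is left untouched and no diagnostic is printed. The two branches also duplicate the whole `aws ecr put-image-scanning-configuration` invocation, differing only in the `scanOnPush=` value. Both are fixed by normalising the value once, failing loudly on anything unrecognised, and issuing a single call; the empty/unset case keeps the documented "leave existing configuration untouched" behaviour. `upsert_ecr` itself begins above this hunk, so `local` is valid at this point in the body.
```shell
# … unchanged: put-lifecycle-policy call …

  local scan_on_push=''
  case "${BUILDKITE_PLUGIN_CREATE_ECR_SCAN_ON_PUSH:-}" in
    '') ;;  # option omitted: leave the existing scanning configuration untouched
    true|on|1) scan_on_push=true ;;
    false|off|0) scan_on_push=false ;;
    *)
      echo "scan-on-push must be one of true/on/1 or false/off/0, got '${BUILDKITE_PLUGIN_CREATE_ECR_SCAN_ON_PUSH}'" >&2
      exit 1
      ;;
  esac

  if [[ -n "${scan_on_push}" ]]; then
    echo "--- Setting ECR image scanning configuration scanOnPush=${scan_on_push}"
    aws ecr put-image-scanning-configuration \
      --repository-name "${repository_name}" \
      --image-scanning-configuration \
        "scanOnPush=${scan_on_push}"
  fi
```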
diff --git a/plugin.yml b/plugin.yml
index 5fe2dd4..dd521f6 100644
--- a/plugin.yml
+++ b/plugin.yml
@@ -9,6 +9,8 @@ configuration:
       type: string
     name:
       type: string
+    scan-on-push:
+      type: boolean
     repository-policy:
       type: string
   required: ['name']