AWS introduced a scanning policy for ECR.
You can find that feature here AWS ACCOUNT-> ECS->REPOSITORIES- PRIVATE REGISTRY SCANNING

The old one scan on push depracated

We had been rolling out use of this action in a redesign of our pipelines, where it had been working fine for several weeks. After enabling Inspector v2 this past week, the next run of the pipeline complained about missing permissions:

User: arn:aws:sts::***:assumed-role/${role_name}/${instance_id} is not authorized to perform: inspector2:ListFindings on resource: arn:aws:inspector2:${region}:***:/findings/list

After granting the above action, I began receiving only Error: An internal server error has occured with no additional logs. I assumed an unhandled error for a missing inspector2:GetFindingsReportStatus was being swallowed, but even after granting that action to *, I still only received the server error message. None of the existing ECR permissions were modified, so it seems like AWS may have unintentionally broken API compatibility.

I think that when a CVE on your ignore list is no longer present on the image it should not fail (or be configurable to not fail). I think a warning would be more appropriate.

Ignore list contains CVE IDs that were not returned in the findings result set. They may be invalid or no longer be current vulnerabilities.

I have a scan that is currently failing when it should not. You can see in the output below that it is correctly acknowledging that the vulnerabilities are ignored, however it fails because of a severity high. I don't know for certain, but I think this might be caused by a mismatch in how ECR classifies the vulnerability versus https://security-tracker.debian.org/tracker/CVE-2022-1292.
AWS has it as critical where as debian.org has it listed as high

Vulnerabilities found:
  1 Critical (1 ignored)
  2 High (2 ignored)
  6 Medium 
  5 Low 
 32 Informational 
  6 Undefined 
=================
 52 Total (3 ignored)
Error: Detected 1 vulnerabilities with severity >= high (the currently configured fail_threshold).

Using this action in a corporate environment that mandates an HTTP proxy is currently not possible. Both from an action build and making the ECR.* calls perspective.

See below for a build error example:

Build container for action use: '/runner/_work/_actions/alexjurkiewicz/ecr-scan-image/v1.5.0/Dockerfile'.
  /usr/local/bin/docker build -t 60e226:38f07414663140b39b81e3849026b1d6 -f "/runner/_work/_actions/alexjurkiewicz/ecr-scan-image/v1.5.0/Dockerfile" "/runner/_work/_actions/alexjurkiewicz/ecr-scan-image/v1.5.0"
  Sending build context to Docker daemon  17.92kB
  
  Step 1/5 : FROM node:12-alpine as builder
  12-alpine: Pulling from library/node
  ddad3d7c1e96: Pulling fs layer
  3a8370f05d5d: Pulling fs layer
  71a8563b7fea: Pulling fs layer
  119c7e14957d: Pulling fs layer
  119c7e14957d: Waiting
  ddad3d7c1e96: Verifying Checksum
  ddad3d7c1e96: Download complete
  71a8563b7fea: Verifying Checksum
  71a8563b7fea: Download complete
  3a8370f05d5d: Verifying Checksum
  3a8370f05d5d: Download complete
  ddad3d7c1e96: Pull complete
  119c7e14957d: Verifying Checksum
  119c7e14957d: Download complete
  3a8370f05d5d: Pull complete
  71a8563b7fea: Pull complete
  119c7e14957d: Pull complete
  Digest: sha256:9923c9efb13cf7535f67e49b03010f0977a800068e4c8e0e2c93433a6bfa1e77
  Status: Downloaded newer image for node:12-alpine
   ---> deeae3752431
  Step 2/5 : COPY package.json package-lock.json /
   ---> 1e3fc88a0051
  Step 3/5 : RUN npm install
   ---> Running in 9fed180666ba
  npm ERR! code ETIMEDOUT
  npm ERR! errno ETIMEDOUT
  npm ERR! network request to registry.npmjs.org/events/-/events-1.1.1.tgz failed, reason: connect ETIMEDOUT 104.16.19.35:443
  npm ERR! network This is a problem related to network connectivity.
  npm ERR! network In most cases you are behind a proxy or have bad network settings.
  npm ERR! network 
  npm ERR! network If you are behind a proxy, please make sure that the
  npm ERR! network 'proxy' config is set properly.  See: 'npm help config'
  
  npm ERR! A complete log of this run can be found in:
  npm ERR!     /root/.npm/_logs/2021-05-17T12_11_52_408Z-debug.log
  The command '/bin/sh -c npm install' returned a non-zero code: 1

Ideally, we could use a pre-built image that doesn't require a npm install and the ECR.* calls supported using a HTTP proxy.

probably a misusage of .tostring() instead of JSON.stringify().

Github Actions is deprecating the use of set-output and save-state. More details https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/. On running the action we currently get the following warning: The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files.

The actions version needs to be upgraded to v1.10.0 or higher to fix

Hi,

I am new using this action, it looks it does not support the OCI image manifest:

Requesting image scan
Error: An artifact with media type 'application/vnd.oci.image.index.v1+json' cannot be scanned. For more information, see the Amazon ECR documentation.

I am adding this issue in case anyone encounters the same.

Hi,
We recently started observing the polling ECR for image scan findings taking too long(around 20 mins and sometimes it never ends). is it possible to update the AWS sdk and release new version.
Thanks
Parasappa

Hey there,
I'm getting warnings regarding deprecated output in this action. From what I've noticed you're using an inferior version @actions/core from the toolkit, starting by version @actions/core v1.10.0 or greater they are replacing the old output method.
https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
Will this action be updated soon with this?

I am using this format to tag my image $(date +%Y%m%d)-${{ github.run_number }}, it's not an acceptable format as I get this error:

Error: Invalid parameter at 'imageTag' failed to satisfy constraint: 'must satisfy regular expression '[a-zA-Z0-9-_.]+''

Kindly assist

When using AWS Federation, the AWS_WEB_IDENTITY_TOKEN_FILE is set (and no AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY is used).

GHA:

# https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1

# https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions
- name: Build, tag, and push image to Amazon ECR
  env:
    # Static
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    IMAGE_TAG: ${{ github.sha }}
  run: |
    docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG docker/
    docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

# https://github.com/marketplace/actions/aws-ecr-scan-docker-image
- name: Scan Docker image
  id: docker-scan
  uses: alexjurkiewicz/[email protected]
  env:
    # Static
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    IMAGE_TAG: ${{ github.sha }}
  with:
    repository: $ECR_REGISTRY/$ECR_REPOSITORY
    tag: $IMAGE_TAG
    fail_threshold: high

Both the login and the build&push succeed, but the scan fails with:

Error: Missing credentials in config

Any idea why this might fail?

Thanks in advance!

Hi Alex,

Still working on resolving issues we have while using this action.

The latest is it doesn't seem to cater for the fact that automatic vulnerability scans can be enabled on ECR.
Meaning, when we push a (large) image to ECR and have automatic scans enabled, the action fails with Cannot read property 'findingSeverityCounts' of undefined because finding returns with

findings: {
  ...
  imageScanStatus: {
    status: "IN_PROGRESS"
  }
}

And it will never enter the polling stage because findings are not null.

I am in the process of changing the code slightly to check if the scan is already in progress by the time it checks if it needs to poll or not. Will let you know how I go shortly.

Furthermore, we try to give the ECR IAM user the least amount of permissions and therefore don't want to allow startImageScan. My suggestion (and what I am currently working on) is to add an extra backwards compatible flag to enable opting out of starting the image scan.

Let me know your thoughts on the above and I am happy to PR changes.

Cheers
Patrik

The gist of the issue is the response from ECR for enhanced scanning is different from the basic scanning which causes the action to fail.

Our ECR settings is registry wide and is set here: Private Registry > Settings > Scanning > Enhanced Scanning > Continuous scanning.

I have tested by switching to the basic scanning, and the action works as intended, but fails with enhanced scanning.

I've done some digging and here are the differences between basic scans and the continuous enhanced scans:

1. The status of the scan is shown as ACTIVE which causes the action to fail because of this check:

  if (status !== 'COMPLETE') {
    throw new Error(`Unhandled scan status "${status}". API response: ${JSON.stringify(findings)}`)
  }

which gives this error:

Error: Unhandled scan status "ACTIVE". API response: {"registryId":"***","repositoryName":"***","imageId":{"imageDigest":"sha256:***","imageTag":"***"},"imageScanStatus":{"status":"ACTIVE","description":"Continuous scan is selected for image."}...

2. The response JSON from ECR has different properties with enhanced scanning. The code is looking for the property findings within imageScanFindings. However, that property changes to enhancedFindings like so:

"imageScanFindings": {
      "imageScanCompletedAt": "2024-02-12T20:25:09.451Z",
      "vulnerabilitySourceUpdatedAt": "2024-02-12T20:25:09.451Z",
      "findingSeverityCounts": {
          "HIGH": 3,
          "MEDIUM": 3,
          "LOW": 1
      },
      "enhancedFindings": [
          {
              "awsAccountId": "***",...

3. The CVE names are in a different location as well so that messes up the ignored CVE list. They are no longer imageScanFindings.findings.[].name. They are in imageScanFindings.enhancedFindings.[].packageVulnerabilityDetails.vulnerabilityId.

"imageScanFindings": {
        ...
        "enhancedFindings": [
            {
                ...
                "packageVulnerabilityDetails": {
                    ...
                    "vulnerabilityId": "CVE-2023-51651",

4. Findings details is also different. These were in imageScanFindings.findings.[].attributes. They are now in imageScanFindings.enhancedFindings.[].packageVulnerabilityDetails.vulnerablePackages and imageScanFindings.enhancedFindings.[].packageVulnerabilityDetails.cvss.

Hi Alex,

As we are continuing to work with ECR vulnerability scanning, we came across some vulnerabilities (incl. false positives) we cannot fix but also won't impact the security of our image as we wouldn't be using that certain feature (e.g. docker-library/wordpress#472).

Given this, we are thinking of implementing an allow-list feature, where we can maintain an array of references to vulnerabilities we want to ignore in the counts.

Is that something you have considered yourself in the past maybe? Would you be interested in accepting a PR for it in the near future?

Cheers
Patrik

Thanks for your work on this Github Action, Alex.

I'd like to fork your repo, but to do so legally, I believe an appropriate license needs to be in place on this repo.

Would you be willing to add a LICENSE for this repo so that I can do that? Preferably an MIT

Greetings,

I am using this action in order to initiate scans in my ECR repositories. Since the 24th of January whenever I try to use the action to initialise the scan I get this error.

I leave no ways to reproduce because the parameters do not matter any way I run it I get this error.