Add image scan to pr-build and main-build workflows #239
Conversation
…bservability/aws-otel-dotnet-instrumentation into add-image-scan-pr-workflow
There was a problem hiding this comment.
We need to run image scan in release build too: https://github.com/search?q=repo%3Aaws-observability%2Faws-otel-python-instrumentation%20artifacts_build&type=code
| @@ -37,3 +37,5 @@ runs: | |||
| image-ref: ${{ inputs.image-ref }} | |||
| severity: ${{ inputs.severity }} | |||
| exit-code: '1' | |||
| skip-dirs: '/usr/share/dotnet,/usr/share/powershell' | |||
| skip-files: '*.deps.json' | |||
There was a problem hiding this comment.
This seems broad, why are we sure this is ok?
| @@ -93,10 +93,19 @@ jobs: | |||
| - name: Build in Docker container | |||
| run: | | |||
| set -e | |||
| docker build -t mybuildimage -f "./docker/alpine.dockerfile" ./docker | |||
| docker run --rm --mount type=bind,source="${GITHUB_WORKSPACE}",target=/project mybuildimage \ | |||
| IMAGE_NAME=main-build/dotnet-$(dotnet --version) | |||
There was a problem hiding this comment.
Hm in other languages we:
a) Name the image differently (${{ env.STAGING_ECR_REGISTRY }}/${{ env.STAGING_ECR_REPOSITORY }}:$pkg_version-$shortsha" ) - https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/.github/workflows/main-build.yml#L50
b) use the image in application-signals-e2e-test - https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/.github/workflows/main-build.yml#L111
Thoughts
a) seems somewhat minor, but maybe align for parity
b) is much more concerning. Are we even running E2E tests on the build artifact?
liustve
force-pushed
the
add-image-scan-pr-workflow
branch
from
5cb89fd to
8e968a6
Compare
Description of changes:
Adds scanning to the ADOT Docker image created in build-x64-musl and build-arm-musl steps.
Adds a few exclusions to the
image_scanaction for dependencies and tools used to build the local ADOT image. These dependencies are only present in the PR and Main build workflows, so only the actual local ADOT image that we will eventually release is scanned, and not the SDKs and tools used to build the image itself. This parities with the existingdaily_scanworkflow, which only scans the public ADOT ECR image that is published.Rename the local images built to reflect a more accurate name for the Docker image.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.