This repository contains a reusable GitHub Actions workflow that generates a container image SBOM with Amazon Inspector SBOM Generator and scans it with the Amazon Inspector Scan API.
The resulting vulnerability report is validated against the specified severity threshold.
Inputs:

- `docker-image-name`: Docker image name. Default `test/dev`.
- `docker-context`: Relative path to the Docker build context (the directory holding the Dockerfile). Default `.`.
- Dockerfile name. Default `Dockerfile`.
- `amazon-inspector-scan-assume-role`: ARN of the IAM role to assume when running the scan with the Amazon Inspector Scan API.
- `amazon-inspector-scan-region`: AWS region in which to run the scan with the Amazon Inspector Scan API. Default `us-east-1`.
- `amazon-inspector-scan-endpoint`: Endpoint of the Amazon Inspector Scan API. Default `https://inspector-scan.us-east-1.amazonaws.com`.
- `threshold`: Vulnerability severity threshold the report is validated against. Default `critical`.
Example caller workflow:

```yaml
on:
  push:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write

jobs:
  scan-image:
    uses: build-failure/amazon-inspector-vulnerability-scan/.github/workflows/amazon-inspector-image-scan.yml@v1
    with:
      docker-image-name: test/dev
      docker-context: .
      amazon-inspector-scan-assume-role: arn:aws:iam::<ACCOUNT_ID>:role/<ASSUME_ROLE_NAME>
      amazon-inspector-scan-region: us-east-1
      amazon-inspector-scan-endpoint: https://inspector-scan.us-east-1.amazonaws.com
      threshold: critical
```
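The threshold validation the workflow performs on the scan report, shown here as an added Python example rather than the workflow's own code. It assumes the report is a CycloneDX-style document whose `vulnerabilities[].ratings[].severity` values use the usual `critical`/`high`/`medium`/`low` names (an assumption about the Scan API output); the sample report is constructed.

```python
import json

# Severity names in ascending order; a higher index means more severe.
SEVERITY_ORDER = ["unknown", "none", "info", "low", "medium", "high", "critical"]


def severity_rank(name: str) -> int:
    """Position of a severity name in SEVERITY_ORDER; unrecognised names rank lowest."""
    name = (name or "unknown").lower()
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 0


def vulnerability_severity(vuln: dict) -> str:
    """Most severe rating attached to one vulnerability entry (several sources may rate it)."""
    ratings = vuln.get("ratings") or []
    if not ratings:
        return "unknown"
    return max((r.get("severity", "unknown") for r in ratings), key=severity_rank).lower()


def findings_at_or_above(report: dict, threshold: str) -> list:
    """(id, severity) for every vulnerability whose severity reaches the threshold."""
    floor = severity_rank(threshold)
    hits = []
    for vuln in report.get("vulnerabilities") or []:
        sev = vulnerability_severity(vuln)
        if severity_rank(sev) >= floor:
            hits.append((vuln.get("id", "<no id>"), sev))
    return hits


def check_threshold(report: dict, threshold: str) -> bool:
    """True when the image passes: no finding at or above the configured threshold."""
    return not findings_at_or_above(report, threshold)


# Constructed sample in the CycloneDX vulnerabilities shape; the IDs are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "ratings": [{"severity": "high"}, {"severity": "medium"}]},
    {"id": "CVE-0000-0002", "ratings": [{"severity": "low"}]},
    {"id": "CVE-0000-0003", "ratings": []}
  ]
}
""")

if __name__ == "__main__":
    for level in ("critical", "high"):
        hits = findings_at_or_above(SAMPLE_REPORT, level)
        print(f"threshold={level}: {'PASS' if not hits else 'FAIL ' + str(hits)}")
```

With `threshold: critical` the sample passes, with `threshold: high` it fails on the first entry, which is the behaviour to expect from the workflow input of the same name.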