Skip to content

Twistlock

Twistlock #2332

Workflow file for this run

name: Twistlock
on:
workflow_dispatch:
inputs:
image-tag:
required: true
type: string
jobs:
twistlock-scan:
runs-on: ${{ vars.RUNS_ON }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- name: Configure VAEC AWS Credentials
uses: aws-actions/[email protected]
with:
aws-access-key-id: ${{ secrets.VAEC_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.VAEC_AWS_SECRET_ACCESS_KEY }}
aws-region: us-gov-west-1
role-to-assume: ${{ secrets.VAEC_DEPLOY_ROLE }}
role-skip-session-tagging: true
role-duration-seconds: 900
- name: Login to VAEC ECR
id: login-ecr-vaec
uses: aws-actions/amazon-ecr-login@v2
with:
mask-password: 'true'
- name: Perform twistlock scan
env:
ECR_REGISTRY: ${{ steps.login-ecr-vaec.outputs.registry }}
IMAGE_REPOSITORY: "notification_api"
IMAGE_TAG: "${{ inputs.image-tag }}"
uses: ./.github/actions/run-commands-on-ec2
with:
instance-id-ssm-parameter-path: /utility/twistlock/instance
commands: >-
"aws --region us-gov-west-1 ecr get-login-password | docker login --username AWS --password-stdin '"$ECR_REGISTRY"' 2>/dev/null",
"docker pull '"$ECR_REGISTRY"'/'"$IMAGE_REPOSITORY"':'"$IMAGE_TAG"' 1>/dev/null",
"docker logout '"$ECR_REGISTRY"'",
"export TWISTLOCK_PASSWORD=$(aws --region us-gov-west-1 ssm get-parameter --name /utility/twistlock/vanotify-ci-user-password --with-decryption | jq '.Parameter.Value' -r)",
"twistcli images scan --project vanotify --address https://twistlock.devops.va.gov --user vanotify-ci-user '"$ECR_REGISTRY"'/'"$IMAGE_REPOSITORY"':'"$IMAGE_TAG"'",
"STATUS_CODE=$?",
"docker image prune -a -f 1>/dev/null",
"exit $STATUS_CODE"