synced with discoveryedu action w/ burnettk

.github/workflows/test_ecr_scan.yml

@@ -0,0 +1,53 @@
+name: "ECR Scan and Retrieve SARIF Report"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  ecr-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # - name: Run ECR Scan and Get SARIF Report
+      #   uses: sartography/github-actions-library/wait-for-ecr-scan-and-get-sarif@main
+      #   with:
+      #     repository_name: "infr/testcloud2202"
+      #     image_tag: "main"
+      #     aws_region: "us-east-2"
+      #     output_file: "report.sarif"
+
+      - name: Set up Python 3.12
+        uses: actions/[email protected]
+        with:
+          python-version: 3.12
+
+      - name: Install dependencies
+        shell: bash
+        run: |
+          pip install -r wait-for-ecr-scan-and-get-sarif/requirements.txt
+
+      - name: Run the Python script to convert ECR scan to SARIF
+        shell: bash
+        run: |
+          python wait-for-ecr-scan-and-get-sarif/pylib/aws_scan_findings_to_sarif.py \
+            --input_file wait-for-ecr-scan-and-get-sarif/tests/ecr-scan-result-ubuntu.json \
+            --output_file report.sarif
+
+      - name: Upload SARIF report as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sarif-report
+          path: report.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: report.sarif
+          category: security

wait-for-ecr-scan-and-get-sarif/action.yml

@@ -31,12 +31,12 @@ runs:
     - name: Install dependencies
       shell: bash
       run: |
-        pip install -r wait-for-ecr-scan-and-get-sarif/requirements.txt
+        pip install -r ${{ github.action_path }}/requirements.txt
 
     - name: Run the Python script to wait for ECR scan and get SARIF
       shell: bash
       run: |
-        python wait-for-ecr-scan-and-get-sarif/wait_for_ecr_scan_and_get_sarif.py \
+        python ${{ github.action_path }}/wait_for_ecr_scan_and_get_sarif.py \
           --repository_name ${{ inputs.repository_name }} \
           --image_tag ${{ inputs.image_tag }} \
           --aws_region ${{ inputs.aws_region }} \

wait-for-ecr-scan-and-get-sarif/pylib/aws_scan_findings_to_sarif.py

@@ -69,6 +69,13 @@ def process_findings(findings, is_enhanced=False):
                 severity_for_level = severity_map.get(
                     severity_for_level.lower(), "none"
                 )
+            properties: dict = {
+                "tags": [
+                    "vulnerability",
+                    "security",
+                    severity,
+                ],
+            }
 
             vulnerability_name = finding.get("type", "Unknown")
             short_description = finding.get("title", finding["description"])
@@ -83,13 +90,6 @@ def process_findings(findings, is_enhanced=False):
                 ]
                 cvss = finding["packageVulnerabilityDetails"]["cvss"]
                 base_score = None
-                properties: dict = {
-                    "tags": [
-                        "vulnerability",
-                        "security",
-                        severity,
-                    ],
-                }
                 if len(cvss) > 0:
                     base_score = cvss[0]["baseScore"]
                     if base_score is not None:
@@ -132,9 +132,6 @@ def process_findings(findings, is_enhanced=False):
                     ],
                 }
             else:
-                properties = {
-                    "tags": ["vulnerability", "security", severity],
-                }
                 base_score = next(
                     (
                         i["value"]