What the update covers
According to the announcement, the update adds the following:
- ECRBuildAndPublish action
- Builds a Docker image and publishes it to ECR as part of a pipeline execution, with minimal setup
- InspectorScan action
- Scans a source code repository (SourceCodeScan) or a Docker image (ECRImageScan) as part of a pipeline execution
Target setup
To keep things simple, this time the pipeline pulls from GitHub and runs only the ECRBuildAndPublish action and the InspectorScan action. It does not deploy anything.
ECRBuildAndPublish
Before
Previously you had to write a buildspec.yaml like the one below and set up a CodeBuild project yourself.
buildspec.yaml
# AWS_ACCOUNT_ID, IMAGE_REPO_NAME and IMAGE_TAG are environment variables of the
# CodeBuild project; AWS_DEFAULT_REGION is set by CodeBuild itself.
version: 0.2
phases:
  pre_build:
    commands:
      - echo Logging in to Amazon ECR...
      # Short-lived registry token, piped to docker login instead of stored in a file
      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
  build:
    commands:
      - echo Build started on `date`
      - echo Building the Docker image...
      - docker build -t $IMAGE_REPO_NAME:$IMAGE_TAG .
      - docker tag $IMAGE_REPO_NAME:$IMAGE_TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG
  post_build:
    commands:
      - echo Build completed on `date`
      - echo Pushing the Docker image...
      - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG
Now
In the build stage, choose AWS ECRBuildAndPublish as the action provider and fill in the required fields. That is all.
Build log
[Container] 2025/02/04 13:37:05.427395 Running on CodeBuild On-demand
[Container] 2025/02/04 13:37:05.427416 Waiting for agent ping
[Container] 2025/02/04 13:37:05.628955 Waiting for DOWNLOAD_SOURCE
[Container] 2025/02/04 13:37:07.577435 Phase is DOWNLOAD_SOURCE
[Container] 2025/02/04 13:37:07.628963 CODEBUILD_SRC_DIR=/codebuild/output/src738611775/src
[Container] 2025/02/04 13:37:07.629540 YAML location is /codebuild/readonly/buildspec.yml
[Container] 2025/02/04 13:37:07.632203 Setting HTTP client timeout to higher timeout for S3 source
[Container] 2025/02/04 13:37:07.632319 Processing environment variables
[Container] 2025/02/04 13:37:07.887584 No runtime version selected in buildspec.
[Container] 2025/02/04 13:37:07.953650 Moving to directory /codebuild/output/src738611775/src
[Container] 2025/02/04 13:37:07.959214 Unable to initialize cache download: no paths specified to be cached
[Container] 2025/02/04 13:37:08.067010 Configuring ssm agent with target id: codebuild:a318c0d5-de5c-428f-8346-33850f0071a7
[Container] 2025/02/04 13:37:08.130388 Successfully updated ssm agent configuration
[Container] 2025/02/04 13:37:08.130810 Registering with agent
[Container] 2025/02/04 13:37:08.185736 Phases found in YAML: 1
[Container] 2025/02/04 13:37:08.185756 BUILD: 7 commands
[Container] 2025/02/04 13:37:08.185977 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2025/02/04 13:37:08.185991 Phase context status code: Message:
[Container] 2025/02/04 13:37:08.289062 Entering phase INSTALL
[Container] 2025/02/04 13:37:08.434427 Phase complete: INSTALL State: SUCCEEDED
[Container] 2025/02/04 13:37:08.434454 Phase context status code: Message:
[Container] 2025/02/04 13:37:08.487160 Entering phase PRE_BUILD
[Container] 2025/02/04 13:37:08.527363 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2025/02/04 13:37:08.527382 Phase context status code: Message:
[Container] 2025/02/04 13:37:08.585125 Entering phase BUILD
[Container] 2025/02/04 13:37:08.641619 Running command mkdir -p /tmp/cp-action-source
[Container] 2025/02/04 13:37:08.651812 Running command export CODEPIPELINE_INPUT_ACTION_SOURCE_PATH=/tmp/cp-action-source
[Container] 2025/02/04 13:37:08.664659 Running command curl "https://d33ue1ndcnyy34.cloudfront.net/build-ecrbuildandpublish-aws-1/0.1.0.tgz" -o /tmp/cp-action-source/action-archive.tgz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 164k 100 164k 0 0 1192k 0 --:--:-- --:--:-- --:--:-- 1198k
[Container] 2025/02/04 13:37:10.074559 Running command tar -xvzf /tmp/cp-action-source/action-archive.tgz --strip-components=1 -C /tmp/cp-action-source
package/dist/index.js
package/dist/validationUtils.js
package/package.json
package/dist/index.d.ts.map
package/dist/index.js.map
package/dist/validationUtils.d.ts.map
package/dist/validationUtils.js.map
package/dist/index.d.ts
package/dist/validationUtils.d.ts
[Container] 2025/02/04 13:37:10.245249 Running command node $CODEPIPELINE_INPUT_ACTION_SOURCE_PATH/dist/index.js
ECR Build and publish image started for repository app-chatbot with Dockerfile in app-chatbot/ path with tags latest
Running command: aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Docker authenticated.
Running command: docker build -t app-chatbot app-chatbot/
#0 building with "default" instance using docker driver
#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 179B done
#1 DONE 0.1s
#2 [internal] load metadata for docker.io/library/python:3.9
#2 DONE 2.2s
#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s
#4 [internal] load build context
#4 transferring context: 6.25kB done
#4 DONE 0.0s
#5 [1/5] FROM docker.io/library/python:3.9@sha256:3493922743fd230ae8db091c94c799c618bf1506568adfa3a8eb32833b07cbb9
#5 resolve docker.io/library/python:3.9@sha256:3493922743fd230ae8db091c94c799c618bf1506568adfa3a8eb32833b07cbb9 0.0s done
#5 sha256:3493922743fd230ae8db091c94c799c618bf1506568adfa3a8eb32833b07cbb9 10.35kB / 10.35kB done
#5 sha256:bb95474bc3b1ef114639adfd09dca4320e51b3bc00df4b1cc2b660214b051f4e 6.17kB / 6.17kB done
#5 sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 0B / 48.48MB 0.1s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 0B / 24.06MB 0.1s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 0B / 64.39MB 0.1s
#5 sha256:120d5f9b020ee2ff81affc4943590ae8a295c726d6b85d1ab5b9c7a2fce1f753 2.32kB / 2.32kB done
#5 sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 26.21MB / 48.48MB 0.4s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 2.10MB / 24.06MB 0.4s
#5 sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 45.09MB / 48.48MB 0.5s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 7.34MB / 24.06MB 0.5s
#5 sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 48.48MB / 48.48MB 0.7s done
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 11.53MB / 24.06MB 0.7s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 24.12MB / 64.39MB 0.7s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 0B / 211.33MB 0.7s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 14.68MB / 24.06MB 0.8s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 41.94MB / 64.39MB 0.8s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 17.83MB / 24.06MB 0.9s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 55.57MB / 64.39MB 0.9s
#5 extracting sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 24.06MB / 24.06MB 1.0s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 62.91MB / 64.39MB 1.0s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 16.78MB / 211.33MB 1.0s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 24.06MB / 24.06MB 1.1s done
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 28.31MB / 211.33MB 1.1s
#5 sha256:a99bce2787d5ac2fcfe438b662580237f9bd4f971782666100914e43e6dae728 0B / 6.16MB 1.1s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 45.09MB / 211.33MB 1.3s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 64.39MB / 64.39MB 1.4s done
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 57.67MB / 211.33MB 1.4s
#5 sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5 0B / 19.84MB 1.4s
#5 sha256:a99bce2787d5ac2fcfe438b662580237f9bd4f971782666100914e43e6dae728 2.10MB / 6.16MB 1.5s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 95.02MB / 211.33MB 1.7s
#5 sha256:a99bce2787d5ac2fcfe438b662580237f9bd4f971782666100914e43e6dae728 6.16MB / 6.16MB 1.6s done
#5 sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5 17.83MB / 19.84MB 1.7s
#5 sha256:8ccfaa3abdeee6cbe0aa62fc87eb1ee30273ff5fcd37a53540ef41539135cfec 0B / 248B 1.7s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 106.95MB / 211.33MB 1.8s
#5 sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5 19.84MB / 19.84MB 1.8s
#5 sha256:8ccfaa3abdeee6cbe0aa62fc87eb1ee30273ff5fcd37a53540ef41539135cfec 248B / 248B 1.8s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 118.87MB / 211.33MB 1.9s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 130.02MB / 211.33MB 2.0s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 157.29MB / 211.33MB 2.2s
#5 sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5 19.84MB / 19.84MB 2.1s done
#5 sha256:8ccfaa3abdeee6cbe0aa62fc87eb1ee30273ff5fcd37a53540ef41539135cfec 248B / 248B 2.1s done
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 179.31MB / 211.33MB 2.4s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 190.84MB / 211.33MB 2.5s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 211.33MB / 211.33MB 2.7s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 211.33MB / 211.33MB 3.5s done
#5 extracting sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 2.8s done
#5 extracting sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108
#5 extracting sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 0.5s done
#5 extracting sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 0.1s
#5 extracting sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 2.3s done
#5 extracting sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7
#5 extracting sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 5.0s
#5 extracting sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 6.4s done
#5 extracting sha256:a99bce2787d5ac2fcfe438b662580237f9bd4f971782666100914e43e6dae728
#5 extracting sha256:a99bce2787d5ac2fcfe438b662580237f9bd4f971782666100914e43e6dae728 0.3s done
#5 extracting sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5
#5 extracting sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5 0.7s done
#5 extracting sha256:8ccfaa3abdeee6cbe0aa62fc87eb1ee30273ff5fcd37a53540ef41539135cfec
#5 extracting sha256:8ccfaa3abdeee6cbe0aa62fc87eb1ee30273ff5fcd37a53540ef41539135cfec done
#5 DONE 15.1s
#6 [2/5] WORKDIR /app
#6 DONE 1.4s
#7 [3/5] COPY requirements.txt .
#7 DONE 0.1s
#8 [4/5] RUN pip install -r requirements.txt
#8 2.614 Collecting boto3==1.36.2
#8 2.655 Downloading boto3-1.36.2-py3-none-any.whl (139 kB)
#8 2.678 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 139.2/139.2 kB 7.0 MB/s eta 0:00:00
#8 2.781 Collecting streamlit==1.41.0
#8 2.793 Downloading streamlit-1.41.0-py2.py3-none-any.whl (23.4 MB)
#8 3.270 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 23.4/23.4 MB 32.3 MB/s eta 0:00:00
#8 3.372 Collecting jmespath<2.0.0,>=0.7.1
#8 3.377 Downloading jmespath-1.0.1-py3-none-any.whl (20 kB)
#8 4.195 Collecting botocore<1.37.0,>=1.36.2
#8 4.202 Downloading botocore-1.36.12-py3-none-any.whl (13.3 MB)
#8 4.346 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 13.3/13.3 MB 80.4 MB/s eta 0:00:00
#8 4.432 Collecting s3transfer<0.12.0,>=0.11.0
#8 4.437 Downloading s3transfer-0.11.2-py3-none-any.whl (84 kB)
#8 4.443 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 84.2/84.2 kB 23.2 MB/s eta 0:00:00
#8 4.935 Collecting pandas<3,>=1.4.0
#8 4.979 Downloading pandas-2.2.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (13.1 MB)
#8 5.132 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 13.1/13.1 MB 84.2 MB/s eta 0:00:00
#8 5.640 Collecting protobuf<6,>=3.20
#8 5.659 Downloading protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl (319 kB)
#8 5.674 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 319.7/319.7 kB 33.3 MB/s eta 0:00:00
#8 5.889 Collecting cachetools<6,>=4.0
#8 5.900 Downloading cachetools-5.5.1-py3-none-any.whl (9.5 kB)
#8 5.960 Collecting requests<3,>=2.27
#8 5.966 Downloading requests-2.32.3-py3-none-any.whl (64 kB)
#8 5.972 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 64.9/64.9 kB 15.0 MB/s eta 0:00:00
#8 6.186 Collecting gitpython!=3.1.19,<4,>=3.0.7
#8 6.192 Downloading GitPython-3.1.44-py3-none-any.whl (207 kB)
#8 6.199 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 207.6/207.6 kB 41.0 MB/s eta 0:00:00
#8 6.241 Collecting click<9,>=7.0
#8 6.247 Downloading click-8.1.8-py3-none-any.whl (98 kB)
#8 6.253 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 98.2/98.2 kB 25.1 MB/s eta 0:00:00
#8 6.452 Collecting tenacity<10,>=8.1.0
#8 6.462 Downloading tenacity-9.0.0-py3-none-any.whl (28 kB)
#8 6.839 Collecting pyarrow>=7.0
#8 6.846 Downloading pyarrow-19.0.0-cp39-cp39-manylinux_2_28_x86_64.whl (42.1 MB)
#8 7.549 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 42.1/42.1 MB 26.4 MB/s eta 0:00:00
#8 8.075 Collecting pillow<12,>=7.1.0
#8 8.081 Downloading pillow-11.1.0-cp39-cp39-manylinux_2_28_x86_64.whl (4.5 MB)
#8 8.135 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.5/4.5 MB 86.8 MB/s eta 0:00:00
#8 8.284 Collecting watchdog<7,>=2.1.5
#8 8.291 Downloading watchdog-6.0.0-py3-none-manylinux2014_x86_64.whl (79 kB)
#8 8.296 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 79.1/79.1 kB 21.6 MB/s eta 0:00:00
#8 8.651 Collecting rich<14,>=10.14.0
#8 8.673 Downloading rich-13.9.4-py3-none-any.whl (242 kB)
#8 8.690 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 242.4/242.4 kB 22.5 MB/s eta 0:00:00
#8 8.739 Collecting blinker<2,>=1.0.0
#8 8.748 Downloading blinker-1.9.0-py3-none-any.whl (8.5 kB)
#8 8.774 Collecting toml<2,>=0.10.1
#8 8.790 Downloading toml-0.10.2-py2.py3-none-any.whl (16 kB)
#8 9.519 Collecting numpy<3,>=1.23
#8 9.524 Downloading numpy-2.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (19.5 MB)
#8 9.956 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 19.5/19.5 MB 27.0 MB/s eta 0:00:00
#8 10.05 Collecting packaging<25,>=20
#8 10.06 Downloading packaging-24.2-py3-none-any.whl (65 kB)
#8 10.06 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 65.5/65.5 kB 19.4 MB/s eta 0:00:00
#8 10.31 Collecting tornado<7,>=6.0.3
#8 10.32 Downloading tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (437 kB)
#8 10.38 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 437.2/437.2 kB 6.8 MB/s eta 0:00:00
#8 10.59 Collecting typing-extensions<5,>=4.3.0
#8 10.60 Downloading typing_extensions-4.12.2-py3-none-any.whl (37 kB)
#8 10.63 Collecting altair<6,>=4.0
#8 10.64 Downloading altair-5.5.0-py3-none-any.whl (731 kB)
#8 10.65 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 731.2/731.2 kB 68.2 MB/s eta 0:00:00
#8 10.69 Collecting pydeck<1,>=0.8.0b4
#8 10.70 Downloading pydeck-0.9.1-py2.py3-none-any.whl (6.9 MB)
#8 10.78 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 6.9/6.9 MB 85.1 MB/s eta 0:00:00
#8 10.92 Collecting narwhals>=1.14.2
#8 10.93 Downloading narwhals-1.25.0-py3-none-any.whl (313 kB)
#8 10.94 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 313.3/313.3 kB 52.3 MB/s eta 0:00:00
#8 11.14 Collecting jinja2
#8 11.15 Downloading jinja2-3.1.5-py3-none-any.whl (134 kB)
#8 11.15 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 134.6/134.6 kB 30.2 MB/s eta 0:00:00
#8 11.39 Collecting jsonschema>=3.0
#8 11.40 Downloading jsonschema-4.23.0-py3-none-any.whl (88 kB)
#8 11.40 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 88.5/88.5 kB 20.9 MB/s eta 0:00:00
#8 11.44 Collecting python-dateutil<3.0.0,>=2.1
#8 11.45 Downloading python_dateutil-2.9.0.post0-py2.py3-none-any.whl (229 kB)
#8 11.46 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 229.9/229.9 kB 38.7 MB/s eta 0:00:00
#8 11.53 Collecting urllib3<1.27,>=1.25.4
#8 11.54 Downloading urllib3-1.26.20-py2.py3-none-any.whl (144 kB)
#8 11.55 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 144.2/144.2 kB 31.0 MB/s eta 0:00:00
#8 11.76 Collecting gitdb<5,>=4.0.1
#8 11.77 Downloading gitdb-4.0.12-py3-none-any.whl (62 kB)
#8 11.77 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.8/62.8 kB 16.1 MB/s eta 0:00:00
#8 12.12 Collecting pytz>=2020.1
#8 12.12 Downloading pytz-2025.1-py2.py3-none-any.whl (507 kB)
#8 12.14 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 507.9/507.9 kB 59.0 MB/s eta 0:00:00
#8 12.34 Collecting tzdata>=2022.7
#8 12.34 Downloading tzdata-2025.1-py2.py3-none-any.whl (346 kB)
#8 12.35 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 346.8/346.8 kB 49.3 MB/s eta 0:00:00
#8 12.46 Collecting certifi>=2017.4.17
#8 12.47 Downloading certifi-2025.1.31-py3-none-any.whl (166 kB)
#8 12.48 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 166.4/166.4 kB 36.3 MB/s eta 0:00:00
#8 12.52 Collecting idna<4,>=2.5
#8 12.52 Downloading idna-3.10-py3-none-any.whl (70 kB)
#8 12.53 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 70.4/70.4 kB 14.6 MB/s eta 0:00:00
#8 12.96 Collecting charset-normalizer<4,>=2
#8 12.97 Downloading charset_normalizer-3.4.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (146 kB)
#8 12.98 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 146.2/146.2 kB 26.1 MB/s eta 0:00:00
#8 13.05 Collecting markdown-it-py>=2.2.0
#8 13.06 Downloading markdown_it_py-3.0.0-py3-none-any.whl (87 kB)
#8 13.07 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 87.5/87.5 kB 23.0 MB/s eta 0:00:00
#8 13.30 Collecting pygments<3.0.0,>=2.13.0
#8 13.31 Downloading pygments-2.19.1-py3-none-any.whl (1.2 MB)
#8 13.33 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.2/1.2 MB 61.3 MB/s eta 0:00:00
#8 13.75 Collecting smmap<6,>=3.0.1
#8 13.76 Downloading smmap-5.0.2-py3-none-any.whl (24 kB)
#8 14.08 Collecting MarkupSafe>=2.0
#8 14.10 Downloading MarkupSafe-3.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (20 kB)
#8 14.35 Collecting referencing>=0.28.4
#8 14.36 Downloading referencing-0.36.2-py3-none-any.whl (26 kB)
#8 14.90 Collecting jsonschema-specifications>=2023.03.6
#8 14.91 Downloading jsonschema_specifications-2024.10.1-py3-none-any.whl (18 kB)
#8 14.94 Collecting attrs>=22.2.0
#8 14.95 Downloading attrs-25.1.0-py3-none-any.whl (63 kB)
#8 14.95 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 63.2/63.2 kB 16.8 MB/s eta 0:00:00
#8 15.56 Collecting rpds-py>=0.7.1
#8 15.56 Downloading rpds_py-0.22.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (382 kB)
#8 15.57 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 382.3/382.3 kB 61.7 MB/s eta 0:00:00
#8 15.62 Collecting mdurl~=0.1
#8 15.63 Downloading mdurl-0.1.2-py3-none-any.whl (10.0 kB)
#8 15.70 Collecting six>=1.5
#8 15.71 Downloading six-1.17.0-py2.py3-none-any.whl (11 kB)
#8 16.30 Installing collected packages: pytz, watchdog, urllib3, tzdata, typing-extensions, tornado, toml, tenacity, smmap, six, rpds-py, pygments, pyarrow, protobuf, pillow, packaging, numpy, narwhals, mdurl, MarkupSafe, jmespath, idna, click, charset-normalizer, certifi, cachetools, blinker, attrs, requests, referencing, python-dateutil, markdown-it-py, jinja2, gitdb, rich, pydeck, pandas, jsonschema-specifications, gitpython, botocore, s3transfer, jsonschema, boto3, altair, streamlit
#8 29.13 Successfully installed MarkupSafe-3.0.2 altair-5.5.0 attrs-25.1.0 blinker-1.9.0 boto3-1.36.2 botocore-1.36.12 cachetools-5.5.1 certifi-2025.1.31 charset-normalizer-3.4.1 click-8.1.8 gitdb-4.0.12 gitpython-3.1.44 idna-3.10 jinja2-3.1.5 jmespath-1.0.1 jsonschema-4.23.0 jsonschema-specifications-2024.10.1 markdown-it-py-3.0.0 mdurl-0.1.2 narwhals-1.25.0 numpy-2.0.2 packaging-24.2 pandas-2.2.3 pillow-11.1.0 protobuf-5.29.3 pyarrow-19.0.0 pydeck-0.9.1 pygments-2.19.1 python-dateutil-2.9.0.post0 pytz-2025.1 referencing-0.36.2 requests-2.32.3 rich-13.9.4 rpds-py-0.22.3 s3transfer-0.11.2 six-1.17.0 smmap-5.0.2 streamlit-1.41.0 tenacity-9.0.0 toml-0.10.2 tornado-6.4.2 typing-extensions-4.12.2 tzdata-2025.1 urllib3-1.26.20 watchdog-6.0.0
#8 29.13 WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
#8 29.25
#8 29.25 [notice] A new release of pip is available: 23.0.1 -> 25.0
#8 29.25 [notice] To update, run: pip install --upgrade pip
#8 DONE 31.2s
#9 [5/5] COPY . /app
#9 DONE 0.1s
#10 exporting to image
#10 exporting layers
#10 exporting layers 2.9s done
#10 writing image sha256:bea25747d40c83b063d57999a0b411b6850b4eb8feb7be675e930df35ac22a80 done
#10 naming to docker.io/library/app-chatbot done
#10 DONE 2.9s
Docker image built.
Running command: docker tag app-chatbot:latest 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest
Running command: docker push 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest
Docker image with tag latest pushed to ECR.
Action completed with image: sha256:2490babe352ac6b17d5f6296db6d70aff6a7b6ac805225356962e4de2d8d2341
[Container] 2025/02/04 13:39:18.109235 Running command [ -f /tmp/cp-action-source/action-output-variables.sh ] && chmod 755 /tmp/cp-action-source/action-output-variables.sh && source /tmp/cp-action-source/action-output-variables.sh || true
[Container] 2025/02/04 13:39:18.154920 Running command if [[ ! -z $CodePipeline_ErrorCode || ! -z $CodePipeline_ErrorSummary ]]; then exit 1; fi
[Container] 2025/02/04 13:39:18.187011 Phase complete: BUILD State: SUCCEEDED
[Container] 2025/02/04 13:39:18.187029 Phase context status code: Message:
[Container] 2025/02/04 13:39:18.255251 Entering phase POST_BUILD
[Container] 2025/02/04 13:39:18.282928 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2025/02/04 13:39:18.282949 Phase context status code: Message:
If all you need is a docker build and a push, this looks usable. Two details in the log are worth noting before relying on it. The action fetches its own implementation (0.1.0.tgz) from a CloudFront URL at build time and runs it with node, and the log shows no integrity check between the download and the execution, so the build trusts that distribution. And the image is pushed only under the mutable latest tag; the digest on the final "Action completed with image:" line is the identifier to record if you want to pin exactly what was built.
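The build log above ends with the manifest digest of the pushed image, while the InspectorScan action that follows is pointed at a tag (app-chatbot:latest). A tag such as latest is mutable, so the image that was scanned is not necessarily the image that was built. The following is an added example, not code from the article or from the AWS action: it extracts the digest from the build log and checks that a tag still resolves to it, using the response shape of ECR describe_images. The sample log line and registry response are constructed, and the digests and the commit-style tag in them are illustrative.

```python
"""Confirm that an ECR tag still names the digest the build action produced."""
import re
import sys

# Matches the last line the ECRBuildAndPublish action prints.
DIGEST_RE = re.compile(r"Action completed with image: (sha256:[0-9a-f]{64})")


def digest_from_build_log(log_text):
    """Return the image digest printed by the build action, or None if absent."""
    match = DIGEST_RE.search(log_text)
    return match.group(1) if match else None


def tag_resolves_to(describe_images_response, tag, expected_digest):
    """True only if `tag` exists and its manifest digest equals `expected_digest`.

    `describe_images_response` has the shape returned by ecr.describe_images():
    {"imageDetails": [{"imageDigest": "sha256:...", "imageTags": ["..."]}, ...]}
    """
    for detail in describe_images_response.get("imageDetails", []):
        if tag in detail.get("imageTags", []):
            return detail["imageDigest"] == expected_digest
    return False  # the tag is gone: treat that as a failure, not as "unknown"


# Constructed sample data (not from a real registry).
BUILT = "sha256:" + "a" * 64
MOVED = "sha256:" + "b" * 64
SAMPLE_LOG = ("Docker image with tag latest pushed to ECR.\n"
              f"Action completed with image: {BUILT}\n")
SAMPLE_RESPONSE_OK = {"imageDetails": [
    {"imageDigest": BUILT, "imageTags": ["latest", "3f2c1d0"]}]}
SAMPLE_RESPONSE_MOVED = {"imageDetails": [  # someone re-pushed latest
    {"imageDigest": MOVED, "imageTags": ["latest"]},
    {"imageDigest": BUILT, "imageTags": ["3f2c1d0"]}]}


def live_check(repository, tag, expected_digest, region):
    """Same check against a real registry; needs boto3 and ecr:DescribeImages."""
    import boto3  # imported lazily so the offline samples run without it
    ecr = boto3.client("ecr", region_name=region)
    try:
        resp = ecr.describe_images(repositoryName=repository,
                                   imageIds=[{"imageTag": tag}])
    except ecr.exceptions.ImageNotFoundException:
        return False
    return tag_resolves_to(resp, tag, expected_digest)


if __name__ == "__main__":
    # usage: python check_digest.py <repository> <tag> <sha256:digest> <region>
    repo, tag, digest, region = sys.argv[1:5]
    ok = live_check(repo, tag, digest, region)
    print("tag still matches the built digest" if ok else "tag has moved or is missing")
    sys.exit(0 if ok else 1)
```

Run it after the scan stage (or as a gate before any deploy) with the digest taken from the build action's log; a non-zero exit means the scanned tag no longer names the image that was built. Giving each build its own unique tag avoids the problem at the source, but the check is still useful for a repository where latest is moved by hand.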
InspectorScan
This one works the same way: choose AWS InspectorScan as the action provider and fill in the required fields.
I did not configure them here, but the action can also be made to fail the CodePipeline action deliberately based on the number of findings at each severity, using the following thresholds:
CriticalThreshold
HighThreshold
MediumThreshold
LowThreshold
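Both actions were configured in the console above. The following is an added example, not code from the article or from AWS, that writes the same two actions as a pipeline definition for the CLI. It assumes the configuration keys from the CodePipeline action references (ECRRepositoryName, DockerFilePath and ImageTags for ECRBuildAndPublish; InspectorRunMode, ECRRepositoryName, ImageTag and the four *Threshold keys for InspectorScan), a CodeConnections connection for the GitHub source, and placeholder ARNs, bucket and repository names. pipeline_definition(False) reproduces the article's setup (tag latest, no thresholds) and pipeline_definition(True) tags the image with the source commit id, scans that exact tag and sets thresholds so findings can actually fail the pipeline; gate_findings lists what separates the two.

```python
# Added example (not the article's or AWS's code): the build-and-scan pipeline
# as a definition for `aws codepipeline create-pipeline --cli-input-json`.
# Configuration keys follow the CodePipeline action references; ARNs, bucket
# and repository names are placeholders.
import json

PIPELINE_ROLE_ARN = "arn:aws:iam::123456789012:role/codepipeline-service-role"  # placeholder
ARTIFACT_BUCKET = "codepipeline-artifacts-example"  # placeholder
CONNECTION_ARN = ("arn:aws:codeconnections:ap-northeast-1:123456789012:"
                  "connection/00000000-0000-0000-0000-000000000000")  # placeholder
REPO = "app-chatbot"


def action_type(category, provider):
    return {"category": category, "owner": "AWS", "provider": provider, "version": "1"}


def source_action():
    """GitHub through a CodeConnections connection; exposes #{SourceVariables.CommitId}."""
    return {
        "name": "GitHub",
        "actionTypeId": action_type("Source", "CodeStarSourceConnection"),
        "namespace": "SourceVariables",
        "configuration": {"ConnectionArn": CONNECTION_ARN,
                          "FullRepositoryId": "example-org/app-chatbot",  # placeholder
                          "BranchName": "main", "OutputArtifactFormat": "CODE_ZIP"},
        "outputArtifacts": [{"name": "SourceArtifact"}],
    }


def build_action(image_tags):
    """ECRBuildAndPublish with the Dockerfile under app-chatbot/, as in the article."""
    return {
        "name": "ECRBuildAndPublish",
        "actionTypeId": action_type("Build", "ECRBuildAndPublish"),
        "namespace": "BuildVariables",
        "configuration": {"ECRRepositoryName": REPO, "DockerFilePath": "app-chatbot/",
                          "ImageTags": image_tags},  # comma-separated if several
        "inputArtifacts": [{"name": "SourceArtifact"}],
        "outputArtifacts": [],
    }


def scan_action(image_tag, thresholds):
    """InspectorScan in ECRImageScan mode; sbom.json lands in the output artifact."""
    config = {"InspectorRunMode": "ECRImageScan", "ECRRepositoryName": REPO, "ImageTag": image_tag}
    # A threshold is the number of findings at that severity beyond which the
    # action fails, so "0" tolerates none. Leaving the keys out, as the article
    # did, means findings never fail the pipeline. The numbers are examples.
    config.update({f"{sev}Threshold": str(n) for sev, n in thresholds.items()})
    return {
        "name": "InspectorScan",
        "actionTypeId": action_type("Invoke", "InspectorScan"),
        "namespace": "ScanVariables",
        "configuration": config,
        "inputArtifacts": [{"name": "SourceArtifact"}],
        "outputArtifacts": [{"name": "ScanOutput"}],
    }


def pipeline_definition(hardened):
    """hardened=False reproduces the article's setup; hardened=True gates on findings."""
    if hardened:
        tag = "#{SourceVariables.CommitId}"  # one unique, never-reused tag per build
        thresholds = {"Critical": 0, "High": 0, "Medium": 10, "Low": 50}
    else:
        tag, thresholds = "latest", {}
    return {"pipeline": {
        "name": "app-chatbot-build-scan", "pipelineType": "V2",
        "roleArn": PIPELINE_ROLE_ARN,
        "artifactStore": {"type": "S3", "location": ARTIFACT_BUCKET},
        "stages": [{"name": "Source", "actions": [source_action()]},
                   {"name": "Build", "actions": [build_action(tag)]},
                   {"name": "Scan", "actions": [scan_action(tag, thresholds)]}],
    }}


def gate_findings(definition):
    """List the gaps a reviewer would flag in a build-and-scan definition."""
    stages = definition["pipeline"]["stages"]
    by_provider = {a["actionTypeId"]["provider"]: (i, a)
                   for i, stage in enumerate(stages) for a in stage["actions"]}
    if "InspectorScan" not in by_provider:
        return ["no InspectorScan action"]
    scan_idx, scan = by_provider["InspectorScan"]
    scanned_tag = scan["configuration"].get("ImageTag", "latest")  # assume latest if unset
    issues = []
    if "ECRBuildAndPublish" in by_provider:
        build_idx, build = by_provider["ECRBuildAndPublish"]
        built = [t.strip() for t in build["configuration"].get("ImageTags", "latest").split(",")]
        if scan_idx <= build_idx:
            issues.append("scan runs before the image is built")
        if scanned_tag not in built:
            issues.append("scan tag is not one of the built tags")
    if scanned_tag == "latest":
        issues.append("scanning a mutable 'latest' tag")
    if not any(k.endswith("Threshold") for k in scan["configuration"]):
        issues.append("no severity threshold: findings never fail the pipeline")
    return issues


if __name__ == "__main__":
    print(json.dumps(pipeline_definition(hardened=True), indent=2))
```

Save the printed JSON and pass it to aws codepipeline create-pipeline --cli-input-json file://pipeline.json. The per-commit tag also matches what an ECR repository with tag immutability enabled expects, since such a repository rejects a second push of latest.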
Looking at the result, the log records the summary below, which is handy. The generated SBOM is also stored as the action's output artifact (the sbom.json uploaded at the end of the build log), so individual findings can be reviewed afterwards.
---------Vulnerability analysis --------
Critical severity vulnerabilities found: 0
High severity vulnerabilities found: 3
Medium severity vulnerabilities found: 4
Low severity vulnerabilities found: 1
------------------------------------------
Highest severity vulnerability: {"id":"CVE-2024-6345","severity":"high","method":"CVSSv31","score":8.8}
Inspector scan complete.
Build log
[Container] 2025/02/04 14:13:21.753322 Running on CodeBuild On-demand
[Container] 2025/02/04 14:13:21.753338 Waiting for agent ping
[Container] 2025/02/04 14:13:21.956881 Waiting for DOWNLOAD_SOURCE
[Container] 2025/02/04 14:13:23.626819 Phase is DOWNLOAD_SOURCE
[Container] 2025/02/04 14:13:23.689801 CODEBUILD_SRC_DIR=/codebuild/output/src762617907/src
[Container] 2025/02/04 14:13:23.690345 YAML location is /codebuild/readonly/buildspec.yml
[Container] 2025/02/04 14:13:23.692501 Setting HTTP client timeout to higher timeout for S3 source
[Container] 2025/02/04 14:13:23.692612 Processing environment variables
[Container] 2025/02/04 14:13:23.890806 No runtime version selected in buildspec.
[Container] 2025/02/04 14:13:23.947163 Moving to directory /codebuild/output/src762617907/src
[Container] 2025/02/04 14:13:23.950235 Unable to initialize cache download: no paths specified to be cached
[Container] 2025/02/04 14:13:24.003874 Configuring ssm agent with target id: codebuild:72ebe5e0-0883-4b48-b0d5-fe90e006a428
[Container] 2025/02/04 14:13:24.041392 Successfully updated ssm agent configuration
[Container] 2025/02/04 14:13:24.041847 Registering with agent
[Container] 2025/02/04 14:13:24.093304 Phases found in YAML: 1
[Container] 2025/02/04 14:13:24.093325 BUILD: 7 commands
[Container] 2025/02/04 14:13:24.093693 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2025/02/04 14:13:24.093704 Phase context status code: Message:
[Container] 2025/02/04 14:13:24.198779 Entering phase INSTALL
[Container] 2025/02/04 14:13:24.283979 Phase complete: INSTALL State: SUCCEEDED
[Container] 2025/02/04 14:13:24.284001 Phase context status code: Message:
[Container] 2025/02/04 14:13:24.334830 Entering phase PRE_BUILD
[Container] 2025/02/04 14:13:24.353437 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2025/02/04 14:13:24.353458 Phase context status code: Message:
[Container] 2025/02/04 14:13:24.404164 Entering phase BUILD
[Container] 2025/02/04 14:13:24.454831 Running command mkdir -p /tmp/cp-action-source
[Container] 2025/02/04 14:13:24.461954 Running command export CODEPIPELINE_INPUT_ACTION_SOURCE_PATH=/tmp/cp-action-source
[Container] 2025/02/04 14:13:24.467379 Running command curl "https://d33ue1ndcnyy34.cloudfront.net/inspectorscan-invoke-aws-1/0.1.0.tgz" -o /tmp/cp-action-source/action-archive.tgz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 7758k 100 7758k 0 0 78.6M 0 --:--:-- --:--:-- --:--:-- 78.9M
[Container] 2025/02/04 14:13:25.680215 Running command tar -xvzf /tmp/cp-action-source/action-archive.tgz --strip-components=1 -C /tmp/cp-action-source
package/dist/inspector-sbomgen-1.5.0/linux/amd64/inspector-sbomgen
package/dist/inspector-sbomgen-1.5.0/linux/amd64/licenses/3rd-party-licenses.csv
package/dist/index.js
package/dist/inspectorscan.js
package/package.json
package/dist/inspector-sbomgen-1.5.0/linux/amd64/sbom.json
package/dist/index.d.ts.map
package/dist/index.js.map
package/dist/inspectorscan.d.ts.map
package/dist/inspectorscan.js.map
package/dist/index.d.ts
package/dist/inspectorscan.d.ts
package/dist/inspector-sbomgen-1.5.0/linux/amd64/licenses/Apache-License-2.0.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/licenses/bsd-2-clause.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/licenses/bsd-3-clause.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/checksum.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/LICENSE.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/licenses/MIT.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/README.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/WhatsNew.txt
[Container] 2025/02/04 14:13:25.939916 Running command node $CODEPIPELINE_INPUT_ACTION_SOURCE_PATH/dist/index.js
Running Inspector Scan...
Obtaining credentials for ECR 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com in region ap-northeast-1
Running command: aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Scanning ECR image 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest
Running command: /tmp/cp-action-source/dist/inspector-sbomgen-1.5.0/linux/amd64/inspector-sbomgen container --image 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest --scan-sbom --disable-progress-bar -o /tmp/cp-action-source/sbom.json
time="2025-02-04 14:13:38" level=info msg="Amazon Inspector SBOM Generator v1.5.0 - linux amd64 - Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved" file="cli.go:157:"
time="2025-02-04 14:13:38" level=info msg="[/tmp/cp-action-source/dist/inspector-sbomgen-1.5.0/linux/amd64/inspector-sbomgen container --image 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest --scan-sbom --disable-progress-bar -o /tmp/cp-action-source/sbom.json]" file="cli.go:158:"
time="2025-02-04 14:13:38" level=info msg="writing log file to: /root/.inspector-sbomgen/logs/inspector-sbomgen-log_2025-02-04_14-13-38.txt" file="cli.go:159:"
time="2025-02-04 14:13:38" level=info msg="initializing target artifact" file="coreV1.go:77:"
time="2025-02-04 14:13:38" level=info msg="created temporary staging directory: /root/.inspector-sbomgen/artifact-cache4136382747" file="stagingdir.go:62:"
time="2025-02-04 14:13:38" level=info msg="checking if image is a tarball" file="imageInit.go:28:"
time="2025-02-04 14:13:38" level=info msg="checking if image exists in the local Docker daemon" file="imageInit.go:37:"
time="2025-02-04 14:13:38" level=info msg="checking if image can be downloaded from a remote registry" file="imageInit.go:46:"
time="2025-02-04 14:13:38" level=info msg="downloading remote container image: 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest" file="imageInit.go:191:"
time="2025-02-04 14:13:38" level=info msg="executing pre-processors" file="coreV1.go:82:"
time="2025-02-04 14:13:38" level=info msg="initializing analyzers" file="artifactContainer.go:138:"
time="2025-02-04 14:13:38" level=info msg="inventorying the image; this may take some time depending on your image size" file="artifactContainer.go:145:"
time="2025-02-04 14:13:59" level=info msg="initializing artifact system info" file="systeminfo.go:43:"
time="2025-02-04 14:13:59" level=info msg="analyzing artifact" file="coreV1.go:87:"
time="2025-02-04 14:13:59" level=info msg="executing post-processors" file="coreV1.go:92:"
time="2025-02-04 14:13:59" level=info msg="encoding findings" file="coreV1.go:100:"
time="2025-02-04 14:13:59" level=info msg="encoded 618 components" file="containers.go:228:"
time="2025-02-04 14:13:59" level=info msg="cleaning up any file system artifacts" file="artifactContainer.go:202:"
time="2025-02-04 14:14:00" level=info msg="deleting staging directory; please wait" file="stagingdir.go:113:"
time="2025-02-04 14:14:01" level=info msg="deleted 1528 megabytes from staging directory: /root/.inspector-sbomgen/artifact-cache4136382747" file="stagingdir.go:120:"
time="2025-02-04 14:14:01" level=info msg="scanning SBOM contents for vulnerable packages with Inspector Scan service" file="clientv1.go:333:"
time="2025-02-04 14:14:01" level=info msg="Elapsed time: 23.529s" file="cli.go:60:"
---------Vulnerability analysis --------
Critical severity vulnerabilities found: 0
High severity vulnerabilities found: 3
Medium severity vulnerabilities found: 4
Low severity vulnerabilities found: 1
------------------------------------------
Highest severity vulnerability: {"id":"CVE-2024-6345","severity":"high","method":"CVSSv31","score":8.8}
Inspector scan complete.
[Container] 2025/02/04 14:14:01.785259 Running command [ -f /tmp/cp-action-source/action-output-variables.sh ] && chmod 755 /tmp/cp-action-source/action-output-variables.sh && source /tmp/cp-action-source/action-output-variables.sh || true
[Container] 2025/02/04 14:14:01.853072 Running command if [[ ! -z $CodePipeline_ErrorCode || ! -z $CodePipeline_ErrorSummary ]]; then exit 1; fi
[Container] 2025/02/04 14:14:01.921796 Phase complete: BUILD State: SUCCEEDED
[Container] 2025/02/04 14:14:01.921814 Phase context status code: Message:
[Container] 2025/02/04 14:14:01.986363 Entering phase POST_BUILD
[Container] 2025/02/04 14:14:02.004334 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2025/02/04 14:14:02.004351 Phase context status code: Message:
[Container] 2025/02/04 14:14:02.127053 Expanding base directory path: .
[Container] 2025/02/04 14:14:02.130925 Assembling file list
[Container] 2025/02/04 14:14:02.130944 Expanding .
[Container] 2025/02/04 14:14:02.134339 Expanding file paths for base directory .
[Container] 2025/02/04 14:14:02.134353 Assembling file list
[Container] 2025/02/04 14:14:02.134357 Expanding /tmp/cp-action-source/sbom.json
[Container] 2025/02/04 14:14:02.137619 Found 1 file(s)
[Container] 2025/02/04 14:14:02.145225 Phase complete: UPLOAD_ARTIFACTS State: SUCCEEDED
[Container] 2025/02/04 14:14:02.145241 Phase context status code: Message: