
DevSecOps with the ECRBuildAndPublish and InspectorScan actions in AWS CodePipeline


Overview

According to the update announcement, the new actions are as follows.

  • ECRBuildAndPublish action
    • Lets you build a Docker image and publish it to ECR as part of a pipeline execution, with no custom build project.

  • InspectorScan action
    • Lets you scan either a source code repository (SourceCodeScan) or a Docker image (ECRImageScan) as part of a pipeline execution.

The resulting pipeline

To keep things simple, this time the pipeline takes its source from GitHub and runs only the ECRBuildAndPublish action and the InspectorScan action. It does not deploy anything.

[Screenshot: pipeline overview, 2025-02-04 23.26.16]

ECRBuildAndPublish

Before

Previously, you had to write a buildspec.yaml like the one below and set up a CodeBuild project for it.

buildspec.yaml
version: 0.2

phases:
  pre_build:
    commands:
      - echo Logging in to Amazon ECR...
      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
  build:
    commands:
      - echo Build started on `date`
      - echo Building the Docker image...          
      - docker build -t $IMAGE_REPO_NAME:$IMAGE_TAG .
      - docker tag $IMAGE_REPO_NAME:$IMAGE_TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG      
  post_build:
    commands:
      - echo Build completed on `date`
      - echo Pushing the Docker image...
      - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG

Now

In the build stage, you simply choose AWS ECRBuildAndPublish as the action provider and fill in the required fields.

[Screenshot: ECRBuildAndPublish action configuration, 2025-02-04 22.36.45]

Build log
[Container] 2025/02/04 13:37:05.427395 Running on CodeBuild On-demand
[Container] 2025/02/04 13:37:05.427416 Waiting for agent ping
[Container] 2025/02/04 13:37:05.628955 Waiting for DOWNLOAD_SOURCE
[Container] 2025/02/04 13:37:07.577435 Phase is DOWNLOAD_SOURCE
[Container] 2025/02/04 13:37:07.628963 CODEBUILD_SRC_DIR=/codebuild/output/src738611775/src
[Container] 2025/02/04 13:37:07.629540 YAML location is /codebuild/readonly/buildspec.yml
[Container] 2025/02/04 13:37:07.632203 Setting HTTP client timeout to higher timeout for S3 source
[Container] 2025/02/04 13:37:07.632319 Processing environment variables
[Container] 2025/02/04 13:37:07.887584 No runtime version selected in buildspec.
[Container] 2025/02/04 13:37:07.953650 Moving to directory /codebuild/output/src738611775/src
[Container] 2025/02/04 13:37:07.959214 Unable to initialize cache download: no paths specified to be cached
[Container] 2025/02/04 13:37:08.067010 Configuring ssm agent with target id: codebuild:a318c0d5-de5c-428f-8346-33850f0071a7
[Container] 2025/02/04 13:37:08.130388 Successfully updated ssm agent configuration
[Container] 2025/02/04 13:37:08.130810 Registering with agent
[Container] 2025/02/04 13:37:08.185736 Phases found in YAML: 1
[Container] 2025/02/04 13:37:08.185756  BUILD: 7 commands
[Container] 2025/02/04 13:37:08.185977 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2025/02/04 13:37:08.185991 Phase context status code:  Message: 
[Container] 2025/02/04 13:37:08.289062 Entering phase INSTALL
[Container] 2025/02/04 13:37:08.434427 Phase complete: INSTALL State: SUCCEEDED
[Container] 2025/02/04 13:37:08.434454 Phase context status code:  Message: 
[Container] 2025/02/04 13:37:08.487160 Entering phase PRE_BUILD
[Container] 2025/02/04 13:37:08.527363 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2025/02/04 13:37:08.527382 Phase context status code:  Message: 
[Container] 2025/02/04 13:37:08.585125 Entering phase BUILD
[Container] 2025/02/04 13:37:08.641619 Running command mkdir -p /tmp/cp-action-source

[Container] 2025/02/04 13:37:08.651812 Running command export CODEPIPELINE_INPUT_ACTION_SOURCE_PATH=/tmp/cp-action-source

[Container] 2025/02/04 13:37:08.664659 Running command curl "https://d33ue1ndcnyy34.cloudfront.net/build-ecrbuildandpublish-aws-1/0.1.0.tgz" -o /tmp/cp-action-source/action-archive.tgz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  164k  100  164k    0     0  1192k      0 --:--:-- --:--:-- --:--:-- 1198k

[Container] 2025/02/04 13:37:10.074559 Running command tar -xvzf /tmp/cp-action-source/action-archive.tgz --strip-components=1 -C /tmp/cp-action-source
package/dist/index.js
package/dist/validationUtils.js
package/package.json
package/dist/index.d.ts.map
package/dist/index.js.map
package/dist/validationUtils.d.ts.map
package/dist/validationUtils.js.map
package/dist/index.d.ts
package/dist/validationUtils.d.ts

[Container] 2025/02/04 13:37:10.245249 Running command node $CODEPIPELINE_INPUT_ACTION_SOURCE_PATH/dist/index.js
ECR Build and publish image started for repository app-chatbot with Dockerfile in app-chatbot/ path with tags latest
Running command: aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores

Docker authenticated.
Running command: docker build -t app-chatbot app-chatbot/
#0 building with "default" instance using docker driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 179B done
#1 DONE 0.1s

#2 [internal] load metadata for docker.io/library/python:3.9
#2 DONE 2.2s

#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s

#4 [internal] load build context
#4 transferring context: 6.25kB done
#4 DONE 0.0s

#5 [1/5] FROM docker.io/library/python:3.9@sha256:3493922743fd230ae8db091c94c799c618bf1506568adfa3a8eb32833b07cbb9
#5 resolve docker.io/library/python:3.9@sha256:3493922743fd230ae8db091c94c799c618bf1506568adfa3a8eb32833b07cbb9 0.0s done
#5 sha256:3493922743fd230ae8db091c94c799c618bf1506568adfa3a8eb32833b07cbb9 10.35kB / 10.35kB done
#5 sha256:bb95474bc3b1ef114639adfd09dca4320e51b3bc00df4b1cc2b660214b051f4e 6.17kB / 6.17kB done
#5 sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 0B / 48.48MB 0.1s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 0B / 24.06MB 0.1s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 0B / 64.39MB 0.1s
#5 sha256:120d5f9b020ee2ff81affc4943590ae8a295c726d6b85d1ab5b9c7a2fce1f753 2.32kB / 2.32kB done
#5 sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 26.21MB / 48.48MB 0.4s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 2.10MB / 24.06MB 0.4s
#5 sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 45.09MB / 48.48MB 0.5s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 7.34MB / 24.06MB 0.5s
#5 sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 48.48MB / 48.48MB 0.7s done
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 11.53MB / 24.06MB 0.7s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 24.12MB / 64.39MB 0.7s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 0B / 211.33MB 0.7s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 14.68MB / 24.06MB 0.8s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 41.94MB / 64.39MB 0.8s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 17.83MB / 24.06MB 0.9s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 55.57MB / 64.39MB 0.9s
#5 extracting sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 24.06MB / 24.06MB 1.0s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 62.91MB / 64.39MB 1.0s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 16.78MB / 211.33MB 1.0s
#5 sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 24.06MB / 24.06MB 1.1s done
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 28.31MB / 211.33MB 1.1s
#5 sha256:a99bce2787d5ac2fcfe438b662580237f9bd4f971782666100914e43e6dae728 0B / 6.16MB 1.1s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 45.09MB / 211.33MB 1.3s
#5 sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 64.39MB / 64.39MB 1.4s done
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 57.67MB / 211.33MB 1.4s
#5 sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5 0B / 19.84MB 1.4s
#5 sha256:a99bce2787d5ac2fcfe438b662580237f9bd4f971782666100914e43e6dae728 2.10MB / 6.16MB 1.5s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 95.02MB / 211.33MB 1.7s
#5 sha256:a99bce2787d5ac2fcfe438b662580237f9bd4f971782666100914e43e6dae728 6.16MB / 6.16MB 1.6s done
#5 sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5 17.83MB / 19.84MB 1.7s
#5 sha256:8ccfaa3abdeee6cbe0aa62fc87eb1ee30273ff5fcd37a53540ef41539135cfec 0B / 248B 1.7s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 106.95MB / 211.33MB 1.8s
#5 sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5 19.84MB / 19.84MB 1.8s
#5 sha256:8ccfaa3abdeee6cbe0aa62fc87eb1ee30273ff5fcd37a53540ef41539135cfec 248B / 248B 1.8s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 118.87MB / 211.33MB 1.9s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 130.02MB / 211.33MB 2.0s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 157.29MB / 211.33MB 2.2s
#5 sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5 19.84MB / 19.84MB 2.1s done
#5 sha256:8ccfaa3abdeee6cbe0aa62fc87eb1ee30273ff5fcd37a53540ef41539135cfec 248B / 248B 2.1s done
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 179.31MB / 211.33MB 2.4s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 190.84MB / 211.33MB 2.5s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 211.33MB / 211.33MB 2.7s
#5 sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 211.33MB / 211.33MB 3.5s done
#5 extracting sha256:a492eee5e55976c7d3feecce4c564aaf6f14fb07fdc5019d06f4154eddc93fde 2.8s done
#5 extracting sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108
#5 extracting sha256:32b550be6cb62359a0f3a96bc0dc289f8b45d097eaad275887f163c6780b4108 0.5s done
#5 extracting sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 0.1s
#5 extracting sha256:35af2a7690f2b43e7237d1fae8e3f2350dfb25f3249e9cf65121866f9c56c772 2.3s done
#5 extracting sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7
#5 extracting sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 5.0s
#5 extracting sha256:7576b00d9bb10cc967bb5bdeeb3d5fa078ac8800e112aa03ed15ec199662d4f7 6.4s done
#5 extracting sha256:a99bce2787d5ac2fcfe438b662580237f9bd4f971782666100914e43e6dae728
#5 extracting sha256:a99bce2787d5ac2fcfe438b662580237f9bd4f971782666100914e43e6dae728 0.3s done
#5 extracting sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5
#5 extracting sha256:34ebcaeb2b96ed0e0dd912cf04fb1fa4b0293494685b1bcb36ceb1a2e1edc3c5 0.7s done
#5 extracting sha256:8ccfaa3abdeee6cbe0aa62fc87eb1ee30273ff5fcd37a53540ef41539135cfec
#5 extracting sha256:8ccfaa3abdeee6cbe0aa62fc87eb1ee30273ff5fcd37a53540ef41539135cfec done
#5 DONE 15.1s

#6 [2/5] WORKDIR /app
#6 DONE 1.4s

#7 [3/5] COPY requirements.txt .
#7 DONE 0.1s

#8 [4/5] RUN pip install -r requirements.txt
#8 2.614 Collecting boto3==1.36.2
#8 2.655   Downloading boto3-1.36.2-py3-none-any.whl (139 kB)
#8 2.678      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 139.2/139.2 kB 7.0 MB/s eta 0:00:00
#8 2.781 Collecting streamlit==1.41.0
#8 2.793   Downloading streamlit-1.41.0-py2.py3-none-any.whl (23.4 MB)
#8 3.270      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 23.4/23.4 MB 32.3 MB/s eta 0:00:00
#8 3.372 Collecting jmespath<2.0.0,>=0.7.1
#8 3.377   Downloading jmespath-1.0.1-py3-none-any.whl (20 kB)
#8 4.195 Collecting botocore<1.37.0,>=1.36.2
#8 4.202   Downloading botocore-1.36.12-py3-none-any.whl (13.3 MB)
#8 4.346      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 13.3/13.3 MB 80.4 MB/s eta 0:00:00
#8 4.432 Collecting s3transfer<0.12.0,>=0.11.0
#8 4.437   Downloading s3transfer-0.11.2-py3-none-any.whl (84 kB)
#8 4.443      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 84.2/84.2 kB 23.2 MB/s eta 0:00:00
#8 4.935 Collecting pandas<3,>=1.4.0
#8 4.979   Downloading pandas-2.2.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (13.1 MB)
#8 5.132      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 13.1/13.1 MB 84.2 MB/s eta 0:00:00
#8 5.640 Collecting protobuf<6,>=3.20
#8 5.659   Downloading protobuf-5.29.3-cp38-abi3-manylinux2014_x86_64.whl (319 kB)
#8 5.674      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 319.7/319.7 kB 33.3 MB/s eta 0:00:00
#8 5.889 Collecting cachetools<6,>=4.0
#8 5.900   Downloading cachetools-5.5.1-py3-none-any.whl (9.5 kB)
#8 5.960 Collecting requests<3,>=2.27
#8 5.966   Downloading requests-2.32.3-py3-none-any.whl (64 kB)
#8 5.972      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 64.9/64.9 kB 15.0 MB/s eta 0:00:00
#8 6.186 Collecting gitpython!=3.1.19,<4,>=3.0.7
#8 6.192   Downloading GitPython-3.1.44-py3-none-any.whl (207 kB)
#8 6.199      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 207.6/207.6 kB 41.0 MB/s eta 0:00:00
#8 6.241 Collecting click<9,>=7.0
#8 6.247   Downloading click-8.1.8-py3-none-any.whl (98 kB)
#8 6.253      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 98.2/98.2 kB 25.1 MB/s eta 0:00:00
#8 6.452 Collecting tenacity<10,>=8.1.0
#8 6.462   Downloading tenacity-9.0.0-py3-none-any.whl (28 kB)
#8 6.839 Collecting pyarrow>=7.0
#8 6.846   Downloading pyarrow-19.0.0-cp39-cp39-manylinux_2_28_x86_64.whl (42.1 MB)
#8 7.549      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 42.1/42.1 MB 26.4 MB/s eta 0:00:00
#8 8.075 Collecting pillow<12,>=7.1.0
#8 8.081   Downloading pillow-11.1.0-cp39-cp39-manylinux_2_28_x86_64.whl (4.5 MB)
#8 8.135      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.5/4.5 MB 86.8 MB/s eta 0:00:00
#8 8.284 Collecting watchdog<7,>=2.1.5
#8 8.291   Downloading watchdog-6.0.0-py3-none-manylinux2014_x86_64.whl (79 kB)
#8 8.296      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 79.1/79.1 kB 21.6 MB/s eta 0:00:00
#8 8.651 Collecting rich<14,>=10.14.0
#8 8.673   Downloading rich-13.9.4-py3-none-any.whl (242 kB)
#8 8.690      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 242.4/242.4 kB 22.5 MB/s eta 0:00:00
#8 8.739 Collecting blinker<2,>=1.0.0
#8 8.748   Downloading blinker-1.9.0-py3-none-any.whl (8.5 kB)
#8 8.774 Collecting toml<2,>=0.10.1
#8 8.790   Downloading toml-0.10.2-py2.py3-none-any.whl (16 kB)
#8 9.519 Collecting numpy<3,>=1.23
#8 9.524   Downloading numpy-2.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (19.5 MB)
#8 9.956      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 19.5/19.5 MB 27.0 MB/s eta 0:00:00
#8 10.05 Collecting packaging<25,>=20
#8 10.06   Downloading packaging-24.2-py3-none-any.whl (65 kB)
#8 10.06      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 65.5/65.5 kB 19.4 MB/s eta 0:00:00
#8 10.31 Collecting tornado<7,>=6.0.3
#8 10.32   Downloading tornado-6.4.2-cp38-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl (437 kB)
#8 10.38      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 437.2/437.2 kB 6.8 MB/s eta 0:00:00
#8 10.59 Collecting typing-extensions<5,>=4.3.0
#8 10.60   Downloading typing_extensions-4.12.2-py3-none-any.whl (37 kB)
#8 10.63 Collecting altair<6,>=4.0
#8 10.64   Downloading altair-5.5.0-py3-none-any.whl (731 kB)
#8 10.65      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 731.2/731.2 kB 68.2 MB/s eta 0:00:00
#8 10.69 Collecting pydeck<1,>=0.8.0b4
#8 10.70   Downloading pydeck-0.9.1-py2.py3-none-any.whl (6.9 MB)
#8 10.78      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 6.9/6.9 MB 85.1 MB/s eta 0:00:00
#8 10.92 Collecting narwhals>=1.14.2
#8 10.93   Downloading narwhals-1.25.0-py3-none-any.whl (313 kB)
#8 10.94      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 313.3/313.3 kB 52.3 MB/s eta 0:00:00
#8 11.14 Collecting jinja2
#8 11.15   Downloading jinja2-3.1.5-py3-none-any.whl (134 kB)
#8 11.15      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 134.6/134.6 kB 30.2 MB/s eta 0:00:00
#8 11.39 Collecting jsonschema>=3.0
#8 11.40   Downloading jsonschema-4.23.0-py3-none-any.whl (88 kB)
#8 11.40      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 88.5/88.5 kB 20.9 MB/s eta 0:00:00
#8 11.44 Collecting python-dateutil<3.0.0,>=2.1
#8 11.45   Downloading python_dateutil-2.9.0.post0-py2.py3-none-any.whl (229 kB)
#8 11.46      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 229.9/229.9 kB 38.7 MB/s eta 0:00:00
#8 11.53 Collecting urllib3<1.27,>=1.25.4
#8 11.54   Downloading urllib3-1.26.20-py2.py3-none-any.whl (144 kB)
#8 11.55      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 144.2/144.2 kB 31.0 MB/s eta 0:00:00
#8 11.76 Collecting gitdb<5,>=4.0.1
#8 11.77   Downloading gitdb-4.0.12-py3-none-any.whl (62 kB)
#8 11.77      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.8/62.8 kB 16.1 MB/s eta 0:00:00
#8 12.12 Collecting pytz>=2020.1
#8 12.12   Downloading pytz-2025.1-py2.py3-none-any.whl (507 kB)
#8 12.14      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 507.9/507.9 kB 59.0 MB/s eta 0:00:00
#8 12.34 Collecting tzdata>=2022.7
#8 12.34   Downloading tzdata-2025.1-py2.py3-none-any.whl (346 kB)
#8 12.35      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 346.8/346.8 kB 49.3 MB/s eta 0:00:00
#8 12.46 Collecting certifi>=2017.4.17
#8 12.47   Downloading certifi-2025.1.31-py3-none-any.whl (166 kB)
#8 12.48      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 166.4/166.4 kB 36.3 MB/s eta 0:00:00
#8 12.52 Collecting idna<4,>=2.5
#8 12.52   Downloading idna-3.10-py3-none-any.whl (70 kB)
#8 12.53      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 70.4/70.4 kB 14.6 MB/s eta 0:00:00
#8 12.96 Collecting charset-normalizer<4,>=2
#8 12.97   Downloading charset_normalizer-3.4.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (146 kB)
#8 12.98      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 146.2/146.2 kB 26.1 MB/s eta 0:00:00
#8 13.05 Collecting markdown-it-py>=2.2.0
#8 13.06   Downloading markdown_it_py-3.0.0-py3-none-any.whl (87 kB)
#8 13.07      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 87.5/87.5 kB 23.0 MB/s eta 0:00:00
#8 13.30 Collecting pygments<3.0.0,>=2.13.0
#8 13.31   Downloading pygments-2.19.1-py3-none-any.whl (1.2 MB)
#8 13.33      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.2/1.2 MB 61.3 MB/s eta 0:00:00
#8 13.75 Collecting smmap<6,>=3.0.1
#8 13.76   Downloading smmap-5.0.2-py3-none-any.whl (24 kB)
#8 14.08 Collecting MarkupSafe>=2.0
#8 14.10   Downloading MarkupSafe-3.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (20 kB)
#8 14.35 Collecting referencing>=0.28.4
#8 14.36   Downloading referencing-0.36.2-py3-none-any.whl (26 kB)
#8 14.90 Collecting jsonschema-specifications>=2023.03.6
#8 14.91   Downloading jsonschema_specifications-2024.10.1-py3-none-any.whl (18 kB)
#8 14.94 Collecting attrs>=22.2.0
#8 14.95   Downloading attrs-25.1.0-py3-none-any.whl (63 kB)
#8 14.95      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 63.2/63.2 kB 16.8 MB/s eta 0:00:00
#8 15.56 Collecting rpds-py>=0.7.1
#8 15.56   Downloading rpds_py-0.22.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (382 kB)
#8 15.57      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 382.3/382.3 kB 61.7 MB/s eta 0:00:00
#8 15.62 Collecting mdurl~=0.1
#8 15.63   Downloading mdurl-0.1.2-py3-none-any.whl (10.0 kB)
#8 15.70 Collecting six>=1.5
#8 15.71   Downloading six-1.17.0-py2.py3-none-any.whl (11 kB)
#8 16.30 Installing collected packages: pytz, watchdog, urllib3, tzdata, typing-extensions, tornado, toml, tenacity, smmap, six, rpds-py, pygments, pyarrow, protobuf, pillow, packaging, numpy, narwhals, mdurl, MarkupSafe, jmespath, idna, click, charset-normalizer, certifi, cachetools, blinker, attrs, requests, referencing, python-dateutil, markdown-it-py, jinja2, gitdb, rich, pydeck, pandas, jsonschema-specifications, gitpython, botocore, s3transfer, jsonschema, boto3, altair, streamlit
#8 29.13 Successfully installed MarkupSafe-3.0.2 altair-5.5.0 attrs-25.1.0 blinker-1.9.0 boto3-1.36.2 botocore-1.36.12 cachetools-5.5.1 certifi-2025.1.31 charset-normalizer-3.4.1 click-8.1.8 gitdb-4.0.12 gitpython-3.1.44 idna-3.10 jinja2-3.1.5 jmespath-1.0.1 jsonschema-4.23.0 jsonschema-specifications-2024.10.1 markdown-it-py-3.0.0 mdurl-0.1.2 narwhals-1.25.0 numpy-2.0.2 packaging-24.2 pandas-2.2.3 pillow-11.1.0 protobuf-5.29.3 pyarrow-19.0.0 pydeck-0.9.1 pygments-2.19.1 python-dateutil-2.9.0.post0 pytz-2025.1 referencing-0.36.2 requests-2.32.3 rich-13.9.4 rpds-py-0.22.3 s3transfer-0.11.2 six-1.17.0 smmap-5.0.2 streamlit-1.41.0 tenacity-9.0.0 toml-0.10.2 tornado-6.4.2 typing-extensions-4.12.2 tzdata-2025.1 urllib3-1.26.20 watchdog-6.0.0
#8 29.13 WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
#8 29.25 
#8 29.25 [notice] A new release of pip is available: 23.0.1 -> 25.0
#8 29.25 [notice] To update, run: pip install --upgrade pip
#8 DONE 31.2s

#9 [5/5] COPY . /app
#9 DONE 0.1s

#10 exporting to image
#10 exporting layers
#10 exporting layers 2.9s done
#10 writing image sha256:bea25747d40c83b063d57999a0b411b6850b4eb8feb7be675e930df35ac22a80 done
#10 naming to docker.io/library/app-chatbot done
#10 DONE 2.9s
Docker image built.
Running command: docker tag app-chatbot:latest 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest
Running command: docker push 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest
Docker image with tag latest pushed to ECR.
Action completed with image: sha256:2490babe352ac6b17d5f6296db6d70aff6a7b6ac805225356962e4de2d8d2341

[Container] 2025/02/04 13:39:18.109235 Running command [ -f /tmp/cp-action-source/action-output-variables.sh ] && chmod 755 /tmp/cp-action-source/action-output-variables.sh && source /tmp/cp-action-source/action-output-variables.sh || true

[Container] 2025/02/04 13:39:18.154920 Running command if [[ ! -z $CodePipeline_ErrorCode || ! -z $CodePipeline_ErrorSummary ]]; then exit 1; fi

[Container] 2025/02/04 13:39:18.187011 Phase complete: BUILD State: SUCCEEDED
[Container] 2025/02/04 13:39:18.187029 Phase context status code:  Message: 
[Container] 2025/02/04 13:39:18.255251 Entering phase POST_BUILD
[Container] 2025/02/04 13:39:18.282928 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2025/02/04 13:39:18.282949 Phase context status code:  Message: 

If all you need is to docker build and push, this looks perfectly usable.

InspectorScan

Here too, you just choose AWS InspectorScan as the action provider and fill in the required fields.

[Screenshot: InspectorScan action configuration, 2025-02-04 23.14.55]
[Screenshot: InspectorScan action configuration, 2025-02-04 22.57.50]

I did not configure them this time, but the action can also be made to fail the CodePipeline action deliberately based on the number of findings at each of the following severities.

CriticalThreshold
HighThreshold
MediumThreshold
LowThreshold

Looking at the result, I confirmed that the following was recorded. This is handy.

---------Vulnerability analysis --------
Critical severity vulnerabilities found: 0
High severity vulnerabilities found: 3
Medium severity vulnerabilities found: 4
Low severity vulnerabilities found: 1
------------------------------------------
Highest severity vulnerability: {"id":"CVE-2024-6345","severity":"high","method":"CVSSv31","score":8.8}
Inspector scan complete.
Build log
[Container] 2025/02/04 14:13:21.753322 Running on CodeBuild On-demand
[Container] 2025/02/04 14:13:21.753338 Waiting for agent ping
[Container] 2025/02/04 14:13:21.956881 Waiting for DOWNLOAD_SOURCE
[Container] 2025/02/04 14:13:23.626819 Phase is DOWNLOAD_SOURCE
[Container] 2025/02/04 14:13:23.689801 CODEBUILD_SRC_DIR=/codebuild/output/src762617907/src
[Container] 2025/02/04 14:13:23.690345 YAML location is /codebuild/readonly/buildspec.yml
[Container] 2025/02/04 14:13:23.692501 Setting HTTP client timeout to higher timeout for S3 source
[Container] 2025/02/04 14:13:23.692612 Processing environment variables
[Container] 2025/02/04 14:13:23.890806 No runtime version selected in buildspec.
[Container] 2025/02/04 14:13:23.947163 Moving to directory /codebuild/output/src762617907/src
[Container] 2025/02/04 14:13:23.950235 Unable to initialize cache download: no paths specified to be cached
[Container] 2025/02/04 14:13:24.003874 Configuring ssm agent with target id: codebuild:72ebe5e0-0883-4b48-b0d5-fe90e006a428
[Container] 2025/02/04 14:13:24.041392 Successfully updated ssm agent configuration
[Container] 2025/02/04 14:13:24.041847 Registering with agent
[Container] 2025/02/04 14:13:24.093304 Phases found in YAML: 1
[Container] 2025/02/04 14:13:24.093325  BUILD: 7 commands
[Container] 2025/02/04 14:13:24.093693 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2025/02/04 14:13:24.093704 Phase context status code:  Message: 
[Container] 2025/02/04 14:13:24.198779 Entering phase INSTALL
[Container] 2025/02/04 14:13:24.283979 Phase complete: INSTALL State: SUCCEEDED
[Container] 2025/02/04 14:13:24.284001 Phase context status code:  Message: 
[Container] 2025/02/04 14:13:24.334830 Entering phase PRE_BUILD
[Container] 2025/02/04 14:13:24.353437 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2025/02/04 14:13:24.353458 Phase context status code:  Message: 
[Container] 2025/02/04 14:13:24.404164 Entering phase BUILD
[Container] 2025/02/04 14:13:24.454831 Running command mkdir -p /tmp/cp-action-source

[Container] 2025/02/04 14:13:24.461954 Running command export CODEPIPELINE_INPUT_ACTION_SOURCE_PATH=/tmp/cp-action-source

[Container] 2025/02/04 14:13:24.467379 Running command curl "https://d33ue1ndcnyy34.cloudfront.net/inspectorscan-invoke-aws-1/0.1.0.tgz" -o /tmp/cp-action-source/action-archive.tgz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 7758k  100 7758k    0     0  78.6M      0 --:--:-- --:--:-- --:--:-- 78.9M

[Container] 2025/02/04 14:13:25.680215 Running command tar -xvzf /tmp/cp-action-source/action-archive.tgz --strip-components=1 -C /tmp/cp-action-source
package/dist/inspector-sbomgen-1.5.0/linux/amd64/inspector-sbomgen
package/dist/inspector-sbomgen-1.5.0/linux/amd64/licenses/3rd-party-licenses.csv
package/dist/index.js
package/dist/inspectorscan.js
package/package.json
package/dist/inspector-sbomgen-1.5.0/linux/amd64/sbom.json
package/dist/index.d.ts.map
package/dist/index.js.map
package/dist/inspectorscan.d.ts.map
package/dist/inspectorscan.js.map
package/dist/index.d.ts
package/dist/inspectorscan.d.ts
package/dist/inspector-sbomgen-1.5.0/linux/amd64/licenses/Apache-License-2.0.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/licenses/bsd-2-clause.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/licenses/bsd-3-clause.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/checksum.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/LICENSE.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/licenses/MIT.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/README.txt
package/dist/inspector-sbomgen-1.5.0/linux/amd64/WhatsNew.txt

[Container] 2025/02/04 14:13:25.939916 Running command node $CODEPIPELINE_INPUT_ACTION_SOURCE_PATH/dist/index.js
Running Inspector Scan...
Obtaining credentials for ECR 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com in region ap-northeast-1
Running command: aws ecr get-login-password --region ap-northeast-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores

Scanning ECR image 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest
Running command: /tmp/cp-action-source/dist/inspector-sbomgen-1.5.0/linux/amd64/inspector-sbomgen container --image 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest --scan-sbom --disable-progress-bar -o /tmp/cp-action-source/sbom.json
time="2025-02-04 14:13:38" level=info msg="Amazon Inspector SBOM Generator v1.5.0 - linux amd64 - Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved" file="cli.go:157:"
time="2025-02-04 14:13:38" level=info msg="[/tmp/cp-action-source/dist/inspector-sbomgen-1.5.0/linux/amd64/inspector-sbomgen container --image 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest --scan-sbom --disable-progress-bar -o /tmp/cp-action-source/sbom.json]" file="cli.go:158:"
time="2025-02-04 14:13:38" level=info msg="writing log file to: /root/.inspector-sbomgen/logs/inspector-sbomgen-log_2025-02-04_14-13-38.txt" file="cli.go:159:"
time="2025-02-04 14:13:38" level=info msg="initializing target artifact" file="coreV1.go:77:"
time="2025-02-04 14:13:38" level=info msg="created temporary staging directory: /root/.inspector-sbomgen/artifact-cache4136382747" file="stagingdir.go:62:"
time="2025-02-04 14:13:38" level=info msg="checking if image is a tarball" file="imageInit.go:28:"
time="2025-02-04 14:13:38" level=info msg="checking if image exists in the local Docker daemon" file="imageInit.go:37:"
time="2025-02-04 14:13:38" level=info msg="checking if image can be downloaded from a remote registry" file="imageInit.go:46:"
time="2025-02-04 14:13:38" level=info msg="downloading remote container image: 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/app-chatbot:latest" file="imageInit.go:191:"
time="2025-02-04 14:13:38" level=info msg="executing pre-processors" file="coreV1.go:82:"
time="2025-02-04 14:13:38" level=info msg="initializing analyzers" file="artifactContainer.go:138:"
time="2025-02-04 14:13:38" level=info msg="inventorying the image; this may take some time depending on your image size" file="artifactContainer.go:145:"
time="2025-02-04 14:13:59" level=info msg="initializing artifact system info" file="systeminfo.go:43:"
time="2025-02-04 14:13:59" level=info msg="analyzing artifact" file="coreV1.go:87:"
time="2025-02-04 14:13:59" level=info msg="executing post-processors" file="coreV1.go:92:"
time="2025-02-04 14:13:59" level=info msg="encoding findings" file="coreV1.go:100:"
time="2025-02-04 14:13:59" level=info msg="encoded 618 components" file="containers.go:228:"
time="2025-02-04 14:13:59" level=info msg="cleaning up any file system artifacts" file="artifactContainer.go:202:"
time="2025-02-04 14:14:00" level=info msg="deleting staging directory; please wait" file="stagingdir.go:113:"
time="2025-02-04 14:14:01" level=info msg="deleted 1528 megabytes from staging directory: /root/.inspector-sbomgen/artifact-cache4136382747" file="stagingdir.go:120:"
time="2025-02-04 14:14:01" level=info msg="scanning SBOM contents for vulnerable packages with Inspector Scan service" file="clientv1.go:333:"
time="2025-02-04 14:14:01" level=info msg="Elapsed time: 23.529s" file="cli.go:60:"
---------Vulnerability analysis --------
Critical severity vulnerabilities found: 0
High severity vulnerabilities found: 3
Medium severity vulnerabilities found: 4
Low severity vulnerabilities found: 1
------------------------------------------
Highest severity vulnerability: {"id":"CVE-2024-6345","severity":"high","method":"CVSSv31","score":8.8}
Inspector scan complete.

[Container] 2025/02/04 14:14:01.785259 Running command [ -f /tmp/cp-action-source/action-output-variables.sh ] && chmod 755 /tmp/cp-action-source/action-output-variables.sh && source /tmp/cp-action-source/action-output-variables.sh || true

[Container] 2025/02/04 14:14:01.853072 Running command if [[ ! -z $CodePipeline_ErrorCode || ! -z $CodePipeline_ErrorSummary ]]; then exit 1; fi

[Container] 2025/02/04 14:14:01.921796 Phase complete: BUILD State: SUCCEEDED
[Container] 2025/02/04 14:14:01.921814 Phase context status code:  Message: 
[Container] 2025/02/04 14:14:01.986363 Entering phase POST_BUILD
[Container] 2025/02/04 14:14:02.004334 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2025/02/04 14:14:02.004351 Phase context status code:  Message: 
[Container] 2025/02/04 14:14:02.127053 Expanding base directory path: .
[Container] 2025/02/04 14:14:02.130925 Assembling file list
[Container] 2025/02/04 14:14:02.130944 Expanding .
[Container] 2025/02/04 14:14:02.134339 Expanding file paths for base directory .
[Container] 2025/02/04 14:14:02.134353 Assembling file list
[Container] 2025/02/04 14:14:02.134357 Expanding /tmp/cp-action-source/sbom.json
[Container] 2025/02/04 14:14:02.137619 Found 1 file(s)
[Container] 2025/02/04 14:14:02.145225 Phase complete: UPLOAD_ARTIFACTS State: SUCCEEDED
[Container] 2025/02/04 14:14:02.145241 Phase context status code:  Message: 
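As an added example (not code from the article or from the AWS action), the script below parses the "Vulnerability analysis" summary that the InspectorScan action prints in the build log above and applies the four threshold names listed earlier (CriticalThreshold, HighThreshold, MediumThreshold, LowThreshold) as a pass/fail gate. The threshold values and the comparison rule (a count strictly above the configured limit fails) are assumptions chosen for illustration; the sample log text is constructed to mirror the page's output.

```python
import json
import re
import sys

# Constructed sample: the summary block in the exact format the InspectorScan
# action printed in the build log above (same counts and highest-severity line).
SAMPLE_SCAN_OUTPUT = """\
---------Vulnerability analysis --------
Critical severity vulnerabilities found: 0
High severity vulnerabilities found: 3
Medium severity vulnerabilities found: 4
Low severity vulnerabilities found: 1
------------------------------------------
Highest severity vulnerability: {"id":"CVE-2024-6345","severity":"high","method":"CVSSv31","score":8.8}
Inspector scan complete.
"""

# Threshold names as exposed by the action; the values are a hypothetical
# policy (block any critical/high finding, tolerate a handful of medium/low).
THRESHOLDS = {
    "CriticalThreshold": 0,
    "HighThreshold": 0,
    "MediumThreshold": 5,
    "LowThreshold": 10,
}

SEVERITIES = ("Critical", "High", "Medium", "Low")

_COUNT_RE = re.compile(
    r"^(Critical|High|Medium|Low) severity vulnerabilities found: (\d+)\s*$", re.M
)
_HIGHEST_RE = re.compile(r"^Highest severity vulnerability: (\{.*\})\s*$", re.M)


def parse_scan_summary(text):
    """Extract per-severity counts and the highest-severity finding (a dict or None).

    Raises ValueError if any of the four count lines is missing, so a truncated
    or reformatted log fails closed instead of being read as "zero findings".
    """
    counts = {m.group(1): int(m.group(2)) for m in _COUNT_RE.finditer(text)}
    missing = set(SEVERITIES) - counts.keys()
    if missing:
        raise ValueError(f"summary block incomplete, missing: {sorted(missing)}")
    highest = None
    m = _HIGHEST_RE.search(text)
    if m:
        highest = json.loads(m.group(1))
    return counts, highest


def evaluate_thresholds(counts, thresholds):
    """Return [(severity, count, limit), ...] for every severity over its limit.

    Assumed rule: a count strictly greater than the configured threshold fails.
    A severity with no configured threshold is never a breach.
    """
    breaches = []
    for severity in SEVERITIES:
        limit = thresholds.get(f"{severity}Threshold")
        if limit is not None and counts[severity] > limit:
            breaches.append((severity, counts[severity], limit))
    return breaches


def gate(text, thresholds):
    """Parse the scan output and decide whether the pipeline action may pass."""
    counts, highest = parse_scan_summary(text)
    breaches = evaluate_thresholds(counts, thresholds)
    return {
        "counts": counts,
        "highest": highest,
        "breaches": breaches,
        "passed": not breaches,
    }


if __name__ == "__main__":
    # Read the build log from stdin if piped, otherwise use the constructed sample.
    log_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN_OUTPUT
    result = gate(log_text, THRESHOLDS)
    for severity, count, limit in result["breaches"]:
        print(f"FAIL: {count} {severity.lower()} finding(s) exceed {severity}Threshold={limit}")
    if result["highest"]:
        print(f"Highest severity: {result['highest']['id']} (score {result['highest']['score']})")
    sys.exit(0 if result["passed"] else 1)
```

With the page's counts and the policy above, the gate fails on the three high-severity findings; raising HighThreshold to 3 would let it pass.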