Merge pull request #120 from aws-solutions-library-samples/fix/image-scanning

rstrahan · web-flow · commit 8102c4195e24 · 2025-11-05T08:46:55.000-05:00
fix/image scanning
diff --git a/.github/workflows/developer-tests.yml b/.github/workflows/developer-tests.yml
@@ -15,6 +15,12 @@ jobs:
     name: Lint, Type Check, and Test
     runs-on: ubuntu-latest
     timeout-minutes: 120 # 2 hours
+    
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
 
     # Use Python 3.13 to match GitLab configuration
     container:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,10 @@ SPDX-License-Identifier: MIT-0
 
 ## [Unreleased]
 
+### Fixed
+
+- **Pattern-2 ECR Enhanced Scanning Support** - Added required IAM permissions (inspector2:ListCoverage, inspector2:ListFindings) to Pattern2DockerBuildRole to support AWS accounts with Amazon Inspector Enhanced Scanning enabled. Also added KMS permissions (kms:Decrypt, kms:CreateGrant) for customer-managed encryption keys. This resolves AccessDenied errors and CodeBuild timeouts when deploying Pattern-2 in accounts with enhanced scanning enabled.
+
 ## [0.4.1]
 
 ### Changed
diff --git a/patterns/pattern-2/buildspec.yml b/patterns/pattern-2/buildspec.yml
@@ -56,36 +56,24 @@ phases:
       - echo "All Pattern-2 Docker images successfully built and pushed to ECR"
       - echo "ECR Repository - $ECR_URI"
       - echo "Image Version - $IMAGE_VERSION"
-      - echo "Waiting for vulnerability scans to complete..."
+      - echo "Note: ECR vulnerability scans initiated (ScanOnPush enabled)"
+      - echo "Scans will complete asynchronously. Check ECR console for results."
+      - echo "For accounts with Amazon Inspector Enhanced Scanning, scans may take 10-30 minutes per image."
       - |
-        # Wait for and check vulnerability scan results for all images
+        # Optional: Quick check if any scans have already completed
+        # This is informational only and does not block the build
         IMAGES=("ocr-function" "classification-function" "extraction-function" "assessment-function" "processresults-function" "hitl-wait-function" "hitl-status-update-function" "hitl-process-function" "summarization-function")
+        echo "Checking scan status (non-blocking)..."
         for IMAGE in "${IMAGES[@]}"; do
-          echo "Checking scan results for $IMAGE-$IMAGE_VERSION..."
-          # Wait for scan to complete (max 10 minutes)
-          for i in {1..60}; do
-            SCAN_STATUS=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanStatus.status' --output text 2>/dev/null || echo "IN_PROGRESS")
-            if [ "$SCAN_STATUS" = "COMPLETE" ]; then
-              echo "Scan completed for $IMAGE-$IMAGE_VERSION"
-              # Get vulnerability counts
-              CRITICAL=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanFindings.findingCounts.CRITICAL' --output text 2>/dev/null || echo "0")
-              HIGH=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanFindings.findingCounts.HIGH' --output text 2>/dev/null || echo "0")
-              echo "Vulnerabilities found in $IMAGE-$IMAGE_VERSION: CRITICAL=$CRITICAL, HIGH=$HIGH"
-              # Fail build if critical vulnerabilities found
-              if [ "$CRITICAL" != "0" ] && [ "$CRITICAL" != "None" ]; then
-                echo "ERROR: Critical vulnerabilities found in $IMAGE-$IMAGE_VERSION. Build failed."
-                exit 1
-              fi
-              break
-            elif [ "$SCAN_STATUS" = "FAILED" ]; then
-              echo "WARNING: Vulnerability scan failed for $IMAGE-$IMAGE_VERSION"
-              break
-            fi
-            echo "Scan in progress for $IMAGE-$IMAGE_VERSION... (attempt $i/60)"
-            sleep 10
-          done
-          if [ "$SCAN_STATUS" != "COMPLETE" ]; then
-            echo "WARNING: Scan did not complete within timeout for $IMAGE-$IMAGE_VERSION"
+          SCAN_STATUS=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanStatus.status' --output text 2>/dev/null || echo "IN_PROGRESS")
+          if [ "$SCAN_STATUS" = "COMPLETE" ]; then
+            CRITICAL=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanFindings.findingCounts.CRITICAL' --output text 2>/dev/null || echo "0")
+            HIGH=$(aws ecr describe-image-scan-findings --repository-name $(basename $ECR_URI) --image-id imageTag=$IMAGE-$IMAGE_VERSION --region $AWS_REGION --query 'imageScanFindings.findingCounts.HIGH' --output text 2>/dev/null || echo "0")
+            echo "  $IMAGE-$IMAGE_VERSION: COMPLETE - CRITICAL=$CRITICAL, HIGH=$HIGH"
+          elif [ "$SCAN_STATUS" = "FAILED" ]; then
+            echo "  $IMAGE-$IMAGE_VERSION: FAILED"
+          else
+            echo "  $IMAGE-$IMAGE_VERSION: IN_PROGRESS"
           fi
         done
-      - echo "Vulnerability scanning completed for all images"
+        echo "Build complete. Review scan results in ECR console after scans finish."
diff --git a/patterns/pattern-2/template.yaml b/patterns/pattern-2/template.yaml
@@ -156,6 +156,8 @@ Resources:
         rules_to_suppress:
           - id: W11
             reason: "Wildcard permissions required for CloudWatch Logs creation"
+          - id: W12
+            reason: "Amazon Inspector ListCoverage and ListFindings require wildcard resource per AWS documentation"
     Properties:
       Path: /
       AssumeRolePolicyDocument:
@@ -201,6 +203,20 @@ Resources:
                 Action:
                   - ecr:DescribeImageScanFindings
                   - ecr:StartImageScan
+              # Required for Amazon Inspector Enhanced Scanning
+              # https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced-iam.html
+              - Resource: "*"
+                Effect: Allow
+                Action:
+                  - inspector2:ListCoverage
+                  - inspector2:ListFindings
+              # Required when ECR repository uses customer-managed KMS key encryption
+              - Resource:
+                  - !Ref CustomerManagedEncryptionKeyArn
+                Effect: Allow
+                Action:
+                  - kms:Decrypt
+                  - kms:CreateGrant
 
   Pattern2ECRRepository:
     Type: AWS::ECR::Repository
