
Implement GHA workflow that runs Enhanced Image Scans on container builds and pushes #2188

Open
6 tasks
coreycarvalho opened this issue Dec 17, 2024 · 8 comments
Assignees
Labels
devops Notify Rollover Carryover from one sprint to another

Comments

@coreycarvalho

User Story - Business Need

After the spike on Enhanced Image Scanning, we determined we want to implement AWS Enhanced Image Scanning as part of our CI/CD workflow. This will work similar to how Twistlock works now (running as a separate workflow during the CD pipeline, but not failing the entire pipeline). Instead, we want to alert Slack if we do not meet our security thresholds of the image scan.

  • Ticket is understood, and QA has been contacted (if the ticket has a QA label).

User Story(ies)

As a VA Notify Developer
I want Enhanced Image Scanning baked into CD with Slack alerting
So that we can keep on top of security vulnerabilities.

Additional Info and Resources

We will be utilizing the official AWS GHA for this work: on-inspector?tab=readme-ov-file#build-and-scan-container-images

Acceptance Criteria

  • When the CD pipeline runs, a workflow kicks off that runs AWS Enhanced Image Scanning on the built Docker image
    • The workflow will fail if we exceed our threshold of critical and/or high vulnerabilities
    • The CD pipeline will not fail if the image scanning workflow fails
  • The Twistlock workflow is disabled (but not deleted)
  • This work is added to the sprint review slide deck (key win bullet point and demo slide)
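The acceptance criteria above, as an added example workflow that is not the VA Notify project's own code. It assumes a CD workflow named "Deploy" that pushes the image to ECR tagged with the commit SHA, an OIDC role carrying the inspector-scan permissions discussed in this thread, a Slack incoming-webhook URL in a repository secret, and the input/output names (critical_threshold, high_threshold, vulnerability_threshold_exceeded) as documented in the AWS action's README; every secret name and the region are placeholders.

```yaml
# Added example, not the project's workflow. The separate workflow_run trigger is what
# keeps a scan failure from failing the CD pipeline itself (acceptance criterion 3).
name: Enhanced Image Scan

on:
  workflow_run:
    workflows: ["Deploy"]      # assumed name of the CD workflow
    types: [completed]

permissions:
  id-token: write              # OIDC for aws-actions/configure-aws-credentials
  contents: read

jobs:
  scan:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.INSPECTOR_SCAN_ROLE_ARN }}   # placeholder secret
          aws-region: us-east-1                                    # placeholder region

      - uses: aws-actions/amazon-ecr-login@v2   # private ECR pull

      - name: Scan the image built by the CD run
        id: inspector
        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
        with:
          artifact_type: container
          artifact_path: ${{ secrets.ECR_REPOSITORY }}:${{ github.event.workflow_run.head_sha }}  # placeholder
          critical_threshold: 0        # any critical finding breaches the threshold
          high_threshold: 5            # example value; use the team's agreed threshold
          display_vulnerability_findings: enabled

      - name: Alert Slack when the critical/high threshold is exceeded
        if: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == 1 }}
        env:
          WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}   # placeholder secret
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          curl -sS -X POST -H 'Content-type: application/json' \
            --data "{\"text\":\"Enhanced Image Scan exceeded the critical/high vulnerability threshold: $RUN_URL\"}" \
            "$WEBHOOK"

      - name: Fail this workflow (but not the CD pipeline) on threshold breach
        if: ${{ steps.inspector.outputs.vulnerability_threshold_exceeded == 1 }}
        run: exit 1
```

The scan job is gated on the CD run having succeeded, so an image that was never pushed is not scanned, and the final step is what makes this workflow itself show as failed (criterion 1) while the Deploy run's status is untouched.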

QA Considerations

Potential Dependencies

We will not be deleting any Twistlock infrastructure or GHA workflows as part of this work.


npmartin-oddball commented Dec 18, 2024

POC: Jonathan Kamens; vfs-platform-support

@coreycarvalho (Author)

I opened a yourIT ticket to get inspector permissions added to our project-admin permissions boundary. Once that has been added, I can proceed with this work.

@coreycarvalho (Author)

No update on the yourIT ticket -- still waiting for permission boundaries to be updated.

@coreycarvalho (Author)

Update on the ticket: it was closed out with a comment indicating that the ticket needs to be opened up under a different service in yourIT. I opened that ticket today and hopefully will hear back soon.

@npmartin-oddball npmartin-oddball added the Rollover Carryover from one sprint to another label Jan 7, 2025
@coreycarvalho (Author)

The request in yourIT has been approved. I have been moved through the flow and have been told to not take action. They will update the IAM permission boundary shortly.

@coreycarvalho (Author)

There is an approver marked on the yourIT ticket. I left a comment on the ticket asking if there is anything I need to do in order to help move the approval process along. If I don't hear a response by end of week, I'll reach out to our PO.

@mjones-oddball

Corey escalated to Dave and me for help. I reached out to Angela (the approver) via email and she approved.

@coreycarvalho (Author)

Permissions for inspector2 were added to the boundary, but permissions were not added for "inspector-scan:*", which is ultimately what we need to perform these scans via the API. I left a comment on the yourIT ticket asking for the additional scan permissions.

Continuing to play the waiting game.
