Regarding Necessity of Child Images in Ping-to-ECR Migration #600

@arunplm109083

Hello Team,

We are making use of Ping images from your repositories within our workflow:

pingdataconsole
pingdatasync
pingdirectory
pingfederate
pingone
pingtoolkit

Please note that we use multi-architecture platforms, e.g. arm64 and amd64, hence we make use of the Docker multi-arch build process.
We are using the following steps to build the Docker image (docker-multiarc-build):

      # Build without pushing. The condition sits inside ${{ }} because
      # `${{ inputs.push }} == false` is a non-empty string and always true.
      - name: Build
        if: ${{ !inputs.push }}
        env:
          DOCKERFILE: ${{ inputs.dockerfile }}
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: ${{ inputs.repository }}
          VERSION: ${{ inputs.version }}
        run: docker buildx build --platform ${{ inputs.platforms }} -f "$DOCKERFILE" -t "$REGISTRY/$REPOSITORY:$VERSION" .

      # Build for all requested platforms and push the multi-arch tag to ECR.
      - name: Push
        if: ${{ inputs.push }}
        env:
          DOCKERFILE: ${{ inputs.dockerfile }}
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: ${{ inputs.repository }}
          VERSION: ${{ inputs.version }}
        run: docker buildx build --push --platform ${{ inputs.platforms }} -f "$DOCKERFILE" -t "$REGISTRY/$REPOSITORY:$VERSION" .

When mirroring your images to our ECR, we use the block of code below:

      - name: Mirror
        run: |
          # Copy every matching tag to ECR; record failures and keep going.
          failed_tags=()
          for tag in $(crane ls ${{ matrix.repo }} ${{ matrix.filter }}); do
            echo "$tag"
            if ! crane copy "${{ matrix.repo }}:$tag" "${{ steps.login-ecr.outputs.registry }}/${{ matrix.repo }}:$tag"; then
              echo "Failed to copy $tag, continuing to next tag..."
              failed_tags+=("$tag")
            fi
          done
          # Summarise the tags that could not be copied.
          if [ ${#failed_tags[@]} -ne 0 ]; then
            echo "The following tags failed to copy:"
            for failed_tag in "${failed_tags[@]}"; do
              echo "$failed_tag"
            done
          else
            echo "All tags copied successfully."
          fi

This generates a parent image along with the child images.
We are finding that a few vulnerabilities are present only in the child images.

This is the output we have when we clone images from Ping to our ECR:

Image

Is the child image actually required while copying from Ping Docker Hub to AWS ECR?
We are aiming to filter the copying of child images to AWS ECR in our clone and build workflows.
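
The "child images" that appear under a multi-arch tag are the manifests that the tag's image index references by digest. As an added example (not part of the original issue or of the project's code), the sketch below groups those references for a constructed sample index so that each child can be judged on whether a pull for a wanted platform resolves to it. The sample JSON, the placeholder digests, the wanted platforms and the presence of a BuildKit attestation entry (recognised by its `vnd.docker.reference.type` annotation) are assumptions.

```python
import json

# Constructed sample of what `crane manifest <repo>:<tag>` prints for a
# multi-arch tag. Digests are placeholders, not real image digests.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:" + "a" * 64,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": "sha256:" + "b" * 64,
         "platform": {"os": "linux", "architecture": "arm64"}},
        # Assumed entry: BuildKit attestation attached to the amd64 image.
        {"digest": "sha256:" + "c" * 64,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {
             "vnd.docker.reference.type": "attestation-manifest",
             "vnd.docker.reference.digest": "sha256:" + "a" * 64}},
    ],
})


def classify_children(index_json, wanted_platforms):
    """Group the manifests an image index references ("child images").

    required:       runnable image for a platform in wanted_platforms
    other_platform: runnable image for a platform nobody here pulls
    attestation:    provenance/SBOM metadata, not a runnable image
    """
    index = json.loads(index_json)
    if "manifests" not in index:
        # A single-platform image manifest has layers, not children.
        raise ValueError("not an image index / manifest list")
    groups = {"required": [], "other_platform": [], "attestation": []}
    for desc in index["manifests"]:
        plat = desc.get("platform") or {}
        # Variant (e.g. v8) is ignored so linux/arm64/v8 matches linux/arm64.
        name = f"{plat.get('os', '?')}/{plat.get('architecture', '?')}"
        kind = (desc.get("annotations") or {}).get("vnd.docker.reference.type")
        if kind == "attestation-manifest":
            group = "attestation"
        elif name in wanted_platforms:
            group = "required"
        else:
            group = "other_platform"
        groups[group].append((name, desc["digest"]))
    return groups
```

Children in the `required` group are the images a pull on that architecture actually runs, so vulnerability findings on them apply to the workloads using the tag.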

Labels: enhancement