Automating Docker Image Builds with GitHub Actions and AWS ECR

In today’s software development landscape, automation is key to streamlining workflows and ensuring efficiency. One common task in modern application development is building and deploying Docker images. In this guide, we’ll walk through setting up a GitHub Actions pipeline to automatically build and push Docker images to AWS Elastic Container Registry (ECR).

What You’ll Need

Before we dive in, make sure you have the following:

  • A GitHub repository containing your Dockerized application.
  • An AWS account with permissions to access ECR.
  • Basic familiarity with Docker and AWS concepts.

Step 1: Setting up GitHub Actions

GitHub Actions allows you to automate tasks directly within your GitHub repository. We’ll create a workflow file to define our build and push process. You can find the repository for this guide here.

name: AWS Build and publish a Docker image
on:
  push:
    branches:
      - '*'

# Define environment variables
env:
  REGISTRY: 168237387713.dkr.ecr.ca-central-1.amazonaws.com
  IMAGE_NAME: aws_cli
  COMPARE_TAG: latest
  SHA: ${{ github.event.after }}

# Define jobs
jobs:
  build:
    name: AWS Build & push docker image
    runs-on: ubuntu-latest

    steps:
      # Checkout the repository code at the commit that was pushed
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: ${{ env.SHA }}

      # Lint the Dockerfile. With no-fail: true this step is advisory only:
      # findings are reported in the log but never fail the job.
      - name: Lint Action for AWS
        uses: hadolint/hadolint-action@<version>   # <version> is a placeholder; pin to a released tag of hadolint-action
        with:
          dockerfile: aws/Dockerfile
          ignore: DL3018,SC2046,DL4006
          failure-threshold: warning
          no-color: false
          no-fail: true

      # Configure AWS credentials. This must run before any step that talks to ECR;
      # a push attempted before it fails with an authorization error.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}

      # Login to Amazon ECR (performs docker login against the account's registry;
      # the registry hostname is also exposed as steps.login-ecr.outputs.registry)
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      # Build the Docker image and push it, now that the runner is logged in to ECR
      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: aws/
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}

Step 2: Adding Security Scanning

Lastly, we’ll scan the pushed image with Trivy to report known vulnerabilities in its OS packages and application libraries. Note that with exit-code set to '0' the scan is informational: findings are printed in the job log but never fail the build, and because this step runs after the push, the image is already in ECR by the time it is scanned.

      # Run Trivy vulnerability scanner against the image just pushed to ECR.
      # exit-code: '0' makes this step informational only: findings are printed
      # in the job log but never fail the build, and the image is already in ECR
      # when the scan runs. Pin the action to a release tag rather than master.
      - name: Run Trivy vulnerability scanner
        id: docker-scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ steps.login-ecr.outputs.registry }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}'
          format: 'table'
          exit-code: '0'
          ignore-unfixed: true          # hide findings that have no vendor fix yet
          vuln-type: 'os,library'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
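As an added example (not the workflow from the original post or its repository), here is the same job restructured so that the Trivy scan gates the push: the image is built into the runner's local Docker daemon with `load: true`, scanned with `exit-code: '1'` so that any HIGH or CRITICAL finding fails the job, and only then tagged and pushed to ECR. It also replaces the long-lived access-key secrets with OIDC federation through `role-to-assume`, which needs `id-token: write` permission and an IAM role whose trust policy allows this repository. The job name, the `LOCAL_REF` variable, the account ID, region and role ARN are assumptions and placeholders, not values from the original workflow.

```yaml
name: Build, scan, then publish a Docker image

on:
  push:
    branches:
      - '*'

# Placeholders: replace the region and the role ARN below with your own.
env:
  AWS_REGION: ca-central-1
  IMAGE_NAME: aws_cli
  # Tag used only inside the runner; nothing is published under this name.
  LOCAL_REF: aws_cli:${{ github.sha }}

# OIDC federation needs id-token: write; contents: read is enough for checkout.
permissions:
  id-token: write
  contents: read

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # Build into the local Docker daemon only; the image does not leave the runner yet.
      - name: Build image locally
        uses: docker/build-push-action@v4
        with:
          context: aws/
          load: true
          push: false
          tags: ${{ env.LOCAL_REF }}

      # Gate: exit-code '1' fails the job on any HIGH or CRITICAL finding, so the
      # steps below (and the push) never run for a failing image.
      # Pin trivy-action to a release tag or commit SHA rather than master.
      - name: Scan image before publishing
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.LOCAL_REF }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'HIGH,CRITICAL'

      # Reached only when the scan passed. Short-lived credentials via OIDC;
      # no access keys are stored in repository secrets.
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-ecr-push   # placeholder ARN
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      # Retag the exact image that was scanned and push it to ECR.
      - name: Push scanned image
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        run: |
          docker tag "$LOCAL_REF" "$REGISTRY/$IMAGE_NAME:$GITHUB_SHA"
          docker push "$REGISTRY/$IMAGE_NAME:$GITHUB_SHA"
```

Because the scan runs before the credential step, a failing image never reaches ECR and the job has not even obtained AWS credentials at that point. `ignore-unfixed: true` hides findings with no vendor fix yet; remove it if you want those reported too, and widen `severity` if MEDIUM findings should also block the push.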

Conclusion

By following this guide, you’ve set up a robust GitHub Actions pipeline to automate your Docker image builds and deployments to AWS ECR. This not only saves time but also ensures consistency and reliability in your development process. Happy automating!