Use Image Scanning for AWS ECR


Amazon just announced that ECR now has an image scanning capability. This is good news if you use ECR as your Docker image registry, as you can use it at no extra cost.

A good use case is adding it to your CI pipeline as an image scanning gate. Below is a quick example of scanning the Docker image atlassian/jira-software:8.3.

#!/bin/bash
# Define your ECR registry
MY_ECR='<account>.dkr.ecr.<region>.amazonaws.com'
# Sample for scanning atlassian/jira-software:8.3
# AWS CLI v1 syntax: get-login prints a "docker login" command, which is executed by bash
aws ecr get-login --no-include-email | bash -
# Create the repository with scan-on-push enabled; IMMUTABLE tags mean a scanned tag cannot later be silently replaced
aws ecr create-repository --repository-name jira --image-tag-mutability IMMUTABLE --image-scanning-configuration scanOnPush=true
docker pull atlassian/jira-software:8.3
docker tag atlassian/jira-software:8.3 ${MY_ECR}/jira:8.3
docker push ${MY_ECR}/jira:8.3
# The scan runs asynchronously after the push; wait for it to finish before reading the findings
aws ecr wait image-scan-complete --repository-name jira --image-id imageTag=8.3
aws ecr describe-image-scan-findings --repository-name jira --image-id imageTag=8.3

Parse the findingSeverityCounts in the scan results, and mark the build as failed if there are any findings of MEDIUM severity or higher.

    "findingSeverityCounts": {
        "INFORMATIONAL": 10,
        "LOW": 23,
        "MEDIUM": 16
    }
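The following gate script is an added example and is not part of the original post or of any AWS tooling. It consumes the JSON that describe-image-scan-findings prints (piped on stdin), fails the build when any finding is at or above a chosen severity, and refuses to pass an image whose scan has not reached COMPLETE, so a slow scan cannot fail open. The embedded SAMPLE_REPORT is constructed from the severity counts and the two findings shown on this page, trimmed to the fields the gate needs; the file name ecr_gate.py is an assumption.

```python
import json
import sys

# Severity levels ECR basic scanning reports, ordered lowest to highest.
# Anything not in this list (e.g. "UNDEFINED") is treated as failing, so an
# unrecognised level can never slip through the gate.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def offending_counts(report, threshold="MEDIUM"):
    """Return {severity: count} for every severity at or above `threshold`,
    read from a parsed describe-image-scan-findings response.
    A scan that is not COMPLETE is an error, not a pass: failing open on an
    unfinished scan would let an unscanned image through the pipeline."""
    status = report.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        raise RuntimeError(f"image scan status is {status!r}, expected COMPLETE")
    counts = report.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    floor = SEVERITY_ORDER.index(threshold)
    return {
        sev: n
        for sev, n in counts.items()
        if n > 0 and (sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) >= floor)
    }


def offending_findings(report, threshold="MEDIUM"):
    """List (cve, package, version, severity) tuples for findings at or above
    `threshold`, so the CI log states what failed the build, not just a count."""
    floor = SEVERITY_ORDER.index(threshold)
    out = []
    for f in report.get("imageScanFindings", {}).get("findings", []):
        sev = f.get("severity", "UNDEFINED")
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) < floor:
            continue
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        out.append((f.get("name"), attrs.get("package_name"), attrs.get("package_version"), sev))
    return out


def build_should_fail(report, threshold="MEDIUM"):
    return bool(offending_counts(report, threshold))


# Constructed sample: the severity counts and two findings shown in the post,
# reduced to the fields the gate reads.
SAMPLE_REPORT = {
    "imageScanFindings": {
        "findings": [
            {"name": "CVE-2019-5094", "severity": "MEDIUM",
             "attributes": [{"key": "package_version", "value": "1.44.1-1ubuntu1.1"},
                            {"key": "package_name", "value": "e2fsprogs"}]},
            {"name": "CVE-2018-19591", "severity": "MEDIUM",
             "attributes": [{"key": "package_version", "value": "2.27-3ubuntu1"},
                            {"key": "package_name", "value": "glibc"}]},
        ],
        "findingSeverityCounts": {"INFORMATIONAL": 10, "LOW": 23, "MEDIUM": 16},
    },
    "repositoryName": "jira",
    "imageId": {"imageTag": "8.3"},
    "imageScanStatus": {"status": "COMPLETE"},
}


def main():
    # Usage in CI: aws ecr describe-image-scan-findings ... | python3 ecr_gate.py [THRESHOLD]
    # With nothing on stdin (run from a terminal) the constructed sample is evaluated instead.
    threshold = sys.argv[1] if len(sys.argv) > 1 else "MEDIUM"
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    bad = offending_counts(report, threshold)
    if not bad:
        print(f"scan passed: no findings at or above {threshold}")
        return 0
    print(f"scan failed: {bad}")
    for cve, pkg, ver, sev in offending_findings(report, threshold):
        print(f"  {sev:<8} {cve}  {pkg} {ver}")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The threshold is passed as an argument so the same script can enforce MEDIUM on production images and HIGH on experimental ones; the exit code (1 on failure) is what makes the CI job fail.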

Sample scan report:

{
    "imageScanFindings": {
        "findings": [
            {
                "name": "CVE-2019-5094",
                "description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
                "uri": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5094",
                "severity": "MEDIUM",
                "attributes": [
                    {
                        "key": "package_version",
                        "value": "1.44.1-1ubuntu1.1"
                    },
                    {
                        "key": "package_name",
                        "value": "e2fsprogs"
                    }
                ]
            },
            {
                "name": "CVE-2018-19591",
                "description": "In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.",
                "uri": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-19591",
                "severity": "MEDIUM",
                "attributes": [
                    {
                        "key": "package_version",
                        "value": "2.27-3ubuntu1"
                    },
                    {
                        "key": "package_name",
                        "value": "glibc"
                    }
                ]
            },
            ...
            ...
            ...
            
        ],
        "imageScanCompletedAt": 1572311104.0,
        "vulnerabilitySourceUpdatedAt": 1572292924.0,
        "findingSeverityCounts": {
            "INFORMATIONAL": 10,
            "LOW": 23,
            "MEDIUM": 16
        }
    },
    "registryId": "XXXXXXXXXXX",
    "repositoryName": "jira",
    "imageId": {
        "imageDigest": "sha256:4ffc32874e0c080f02a456bb2ca70accf3ac753b6dbc723df922ad2fe36bf1b8",
        "imageTag": "8.3"
    },
    "imageScanStatus": {
        "status": "COMPLETE",
        "description": "The scan was completed successfully."
    }
}

