Container Image Scanning with Amazon ECRwith Amazon ECR
by Gizem Gür20 Temmuz 20203 min read
by Gizem Gür
Amazon Elastic Container Registry (ECR) service provides fully-managed Docker container registry service to store, manage and deploy Docker container images on the AWS Platform. You can store with versioning and it is integrated with Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) for you to deploy registered containers automatically.
Amazon ECR stores container images on Amazon S3, so it inherits all reliability and durability features that Amazon S3 provides.
Without paying anything extra or deploying a third-party scanning tool, you can use Amazon ECR image scanning to scan your Docker container images against Common Vulnerabilities and Exposures (CVEs). Amazon ECR uses the CVE database from the open-source CoreOS Clair project and provides you with a list of scan findings and scores vulnerabilities. Amazon ECR supports static container image scanning for major versions of Amazon Linux, Amazon Linux 2, Debian, Ubuntu, CentOS, Oracle Linux, Alpine, and RHEL Linux distributions.
You can either manually trigger the scanning of images that are stored on Amazon ECR or you can configure your container repository to scan images when you push them to the repository.
aws ecr start-image-scan --repository-name name --image-id imageTag=tag_name --region us-east-2
aws ecr put-image-scanning-configuration --repository-name name --image-scanning-configuration scanOnPush=true --region us-east-2
You can access scan results and findings from Amazon Management Console or you can retrieve image scan findings via AWS CLI.
You can integrate Amazon ECR with Amazon EventBridge to take auto-actions after the scanning is completed. Amazon EventBridge integration allows you to take auto-remediation actions or send notifications and alerts to users.
If you have any obligation to store the previous scan results, you can use the following AWS Cloudformation script to store finding results on a S3 bucket automatically after every scan.
Cloudformation script is deploying four components: ECR Repository, EventBridge, Lambda function and S3 bucket.
ECR repository which on-push scan is enabled, you can name your repository using the RepositoryName parameter.
EventBridge will connect your repository and lambda function to trigger lambda function when the image scanning is completed.
Lambda function will retrieve the latest scan result and store that on a private S3 bucket that you will name using BucketName parameter.
You can get more information about Amazon ECR Container Image Scanning from following links:
Amazon ECR: https://aws.amazon.com/ecr/
Image Scanning / Amazon ECR: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
Amazon EventBridge: https://aws.amazon.com/eventbridge/
Amazon ECR Events and EventBridge: https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html
CoreOS Clair: https://github.com/quay/clair
CVE Database: https://cve.mitre.org
Always remember that security matters, and let us know if you have any feedbacks or questions from, hello@sufle.io
Once a software developer now an AWS Certified Solutions Architect Professional, Gizem is always eager to take on professional challenges. Her meticulousness at her workings follows her passion for learning and sharing her knowledge with tech-savvy professionals and communities.
Check out our latest updates and articles on our usage of technology, solutions and guidances.
We use cookies to offer you a better experience.
