
How to scan images in ECR container registry using AWS inspector?



Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

Today we will discuss how to set up image scanning on push in the ECR container registry with the AWS Inspector service using the AWS CLI, and then review the findings report.

What is Elastic Container Registry (ECR)?

Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions using AWS IAM, so that only specified users or Amazon EC2 instances can access your container repositories and images. You can use your preferred CLI to push, pull, and manage Docker images, Open Container Initiative (OCI) images, and OCI-compatible artifacts.

What is image scanning in ECR?

Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. The following scanning types are offered.

Enhanced scanning: Amazon ECR integrates with Amazon Inspector to provide automated, continuous scanning of your repositories. Your container images are scanned for both operating system and programming language package vulnerabilities. As new vulnerabilities appear, the scan results are updated and Amazon Inspector emits an event to EventBridge to notify you.

Basic scanning: Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project. With basic scanning, you configure your repositories to scan on push or you can perform manual scans and Amazon ECR provides a list of scan findings.

What are image scanning filters in ECR?

When an image scanning type is configured, you may specify that all repositories be scanned or you can specify filters to scope which repositories are scanned. Image scan filters are supported for both the basic and enhanced scanning types.

When a filter is specified, a filter with no wildcard will match all repository names that contain the filter. A filter with a wildcard (*) matches on any repository name where the wildcard replaces zero or more characters in the repository name.

What is Amazon Inspector?

Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities. Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.

When a software vulnerability or network issue is discovered, Amazon Inspector creates a finding. A finding describes the vulnerability, identifies the affected resource, rates the severity of the vulnerability, and provides remediation guidance. The findings for your account can be analyzed in multiple ways using the Amazon Inspector console, or you can view and process your findings through other AWS services.

How to scan images in ECR container registry using AWS inspector?

Prerequisites:

AWS CLI and Docker installed and configured.

You can use the links below to install and configure the AWS CLI and Docker.

https://cloudaffaire.com/how-to-install-aws-cli/

https://cloudaffaire.com/how-to-configure-aws-cli/

https://cloudaffaire.com/how-to-install-docker-in-aws-ec2-instance/

Step 1: Create a new private container image repository in ECR

Observe: We have disabled image scanning at the repository level. Instead, we will set up image scanning at the ECR registry level and scan images pushed to this private repository using filters.

Step 2: Configure image scanning on push in ECR registry using filters.

Note: An image in the ECR registry can be scanned manually, on push, or on a continuous basis.

Step 3: Get image scanning configuration details in ECR

You can also view the image scanning configuration in the AWS console under the ECR service's “Scanning” page.


Next, we will create a Docker image and push it to our private ECR repository. This push will trigger image scanning using Amazon Inspector.

Step 4: Create a new Docker image and push it to your private ECR repository.

Step 5: Get the image scanning findings:

You can also view the findings in AWS console under ECR and Inspector service.

In ECR console: (screenshot of the scan findings in the original post)

In Inspector console: (screenshot of the findings in the original post)

Note: Using these findings, you can fix all the security vulnerabilities present in your image.

Step 6: Clean up
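The AWS CLI commands for Steps 1 to 6 did not survive in this copy of the post, so the script below is an added example (not the post's own commands) that carries the whole procedure through as shell: create the repository with repository-level scanning off, enable enhanced (Amazon Inspector) scanning at the registry level scoped by a wildcard filter, push an image, read the findings, and clean up. It goes slightly beyond the post by adding a small severity gate that reads the `findingSeverityCounts` counters from `describe-image-scan-findings` output and fails when any CRITICAL or HIGH finding is present. The repository name `cloudaffaire-demo`, the filter `cloudaffaire*`, the tag `v1`, the region, the `alpine:3.18` base image and the `SAMPLE_FINDINGS` JSON are all assumed or constructed values; the AWS calls only run when `ECR_DEMO_RUN=1` is set, so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not the original post's own commands): Steps 1 to 6 as AWS CLI
# calls, plus a severity gate over the scan findings.
# Assumed values: repository "cloudaffaire-demo", registry filter "cloudaffaire*",
# image tag "v1", region us-east-1, base image alpine:3.18.
set -eu

REGION="${AWS_REGION:-us-east-1}"
REPO_NAME="cloudaffaire-demo"
SCAN_FILTER="cloudaffaire*"    # wildcard filter: scopes scanning to matching repositories
IMAGE_TAG="v1"

# Registry host name for docker login / push, derived from the account id and region.
registry_host() {
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# JSON rules body for put-registry-scanning-configuration.
# $1 = repository filter, $2 = SCAN_ON_PUSH | CONTINUOUS_SCAN | MANUAL
scan_config_json() {
  printf '[{"scanFrequency":"%s","repositoryFilters":[{"filter":"%s","filterType":"WILDCARD"}]}]' "$2" "$1"
}

# Read one counter out of describe-image-scan-findings output
# (imageScanFindings.findingSeverityCounts); prints 0 when that severity is absent.
# $1 = JSON text (compact or pretty-printed), $2 = CRITICAL | HIGH | MEDIUM | LOW | ...
severity_count() {
  _n=$(printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p")
  printf '%s\n' "${_n:-0}"
}

# Return 1 when the scan reported any CRITICAL or HIGH finding, so the image is
# not promoted before those findings are remediated.
scan_gate() {
  _crit=$(severity_count "$1" CRITICAL)
  _high=$(severity_count "$1" HIGH)
  if [ "$((_crit + _high))" -gt 0 ]; then
    printf 'FAIL: %s critical, %s high finding(s)\n' "$_crit" "$_high" >&2
    return 1
  fi
  printf 'PASS: no critical or high findings\n'
}

# Constructed sample in the shape of describe-image-scan-findings output (not real scan data).
SAMPLE_FINDINGS='{"imageScanFindings":{"findingSeverityCounts":{"CRITICAL":1,"HIGH":4,"MEDIUM":10,"LOW":2}}}'

run_demo() {
  account=$(aws sts get-caller-identity --query Account --output text)
  registry=$(registry_host "$account" "$REGION")

  # Step 1: private repository with repository-level scan-on-push disabled
  aws ecr create-repository --repository-name "$REPO_NAME" \
    --image-scanning-configuration scanOnPush=false --region "$REGION"

  # Step 2: registry-level enhanced scanning (Amazon Inspector), on push, scoped by the filter
  aws ecr put-registry-scanning-configuration --scan-type ENHANCED \
    --rules "$(scan_config_json "$SCAN_FILTER" SCAN_ON_PUSH)" --region "$REGION"

  # Step 3: confirm the registry scanning configuration
  aws ecr get-registry-scanning-configuration --region "$REGION"

  # Step 4: build a minimal image and push it; the push triggers the scan
  aws ecr get-login-password --region "$REGION" |
    docker login --username AWS --password-stdin "$registry"
  build_dir=$(mktemp -d)
  printf 'FROM alpine:3.18\n' > "$build_dir/Dockerfile"
  docker build -t "$registry/$REPO_NAME:$IMAGE_TAG" "$build_dir"
  docker push "$registry/$REPO_NAME:$IMAGE_TAG"

  # Step 5: poll until the scan has results, then read the findings and apply the gate
  tries=0
  until [ "$tries" -ge 30 ]; do
    status=$(aws ecr describe-image-scan-findings --repository-name "$REPO_NAME" \
      --image-id imageTag="$IMAGE_TAG" --region "$REGION" \
      --query 'imageScanStatus.status' --output text 2>/dev/null || echo PENDING)
    case "$status" in COMPLETE|ACTIVE) break ;; esac
    tries=$((tries + 1)); sleep 10
  done
  findings=$(aws ecr describe-image-scan-findings --repository-name "$REPO_NAME" \
    --image-id imageTag="$IMAGE_TAG" --region "$REGION" --output json)
  scan_gate "$findings" || printf 'Remediate the findings before using this image.\n' >&2

  # The same findings as Amazon Inspector reports them, filtered to this repository
  aws inspector2 list-findings --region "$REGION" --filter-criteria \
    "{\"ecrImageRepositoryName\":[{\"comparison\":\"EQUALS\",\"value\":\"$REPO_NAME\"}]}"

  # Step 6: clean up the repository together with its images
  aws ecr delete-repository --repository-name "$REPO_NAME" --force --region "$REGION"
}

# Run the AWS flow only when explicitly requested; otherwise only the helpers are defined.
if [ "${ECR_DEMO_RUN:-0}" = "1" ]; then
  run_demo
fi
```

Run it with `ECR_DEMO_RUN=1 sh scan-demo.sh` against an account where the CLI and Docker are already configured. The gate reads only the counters ECR returns, so it works on the compact and the pretty-printed JSON alike; if you want to fail on MEDIUM as well, add a third `severity_count` call in `scan_gate`.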

Hope you have enjoyed this article. To get more details on AWS ECR and Amazon Inspector, please follow the links below.

https://docs.aws.amazon.com/ecr/index.html

https://docs.aws.amazon.com/inspector/index.html