Automatically tag your Docker images as vulnerable in ECR

• clair

  21 10,095 9.2 Go

  Vulnerability Static Analysis for Containers

  

Amazon Elastic Container Registry is a fully-managed Docker container registry. It makes it easy for developers to store and manage Docker images inside their AWS environment. ECR supports two types of image scanning. Enhanced image scanning requires an integration with Amazon Inspector. It will scan your repositories continuously. Basic image scanning will use the Common Vulnerabilities and Exposures (CVEs) database (open-source Clair) to find vulnerabilities in your images. You can trigger scans on image push or manually.

• containers-roadmap

  80 5,162 2.0 Shell

  This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).

  

The solution is working! Still there are some "missing" features. As already mentioned, the OR Condition in the Eventbridge rule is not working. So we're currently only filtering for CRITICAL images. Next it would be nice if we could use Docker image tag prefixes in IAM policies, so we can deny that vulnerable images are being pulled. In my solution I'm removing images with this tag prefix after 5 days.

• InfluxDB

  www.influxdata.com featured

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• ecr-vulnerable-image-tagger

  1 0 3.2 Python

  Solution which automatically tags images when they contain vulnerabilities

That being said, I hope you enjoyed reading this post and that you will start thinking about vulnerabilities in Docker images! The full solution is available on my GitHub.

Suggest a related project