Scan Docker images for vulnerabilities with AWS ECR

Amazon ECR is a fully managed container registry used to store, manage and deploy container images. ECR Image Scanning identifies known vulnerabilities in the operating system packages of an image. With automated image scans you can make sure container image vulnerabilities are found before the image is deployed to production.

AWS ECR reports findings against the Common Vulnerabilities and Exposures (CVE) databases. Once a scan completes, its results, including whether any vulnerabilities were found, are available through the ECR API.

You can enable the scan on push feature for your repositories to ensure every image is automatically scanned for vulnerabilities when it is pushed.

Step 1: Enable automatic scan for images

You need to make sure ECR image scan on push is enabled for your repository. You can enable it via the AWS Console or the CLI:

AWS Console

  1. Log in to the AWS Management Console.
  2. Open the Amazon ECR console.
  3. Select a repository using the radio button.
  4. Click Edit.
  5. Enable the Scan on push toggle.

CLI Command

We can use the PutImageScanningConfiguration API to update the image scanning configuration for the specified repository:

aws ecr put-image-scanning-configuration \
  --repository-name <reponame> \
  --image-scanning-configuration scanOnPush=true

An image will be scanned after being pushed to the repository.

How can you enable scan on push for all your AWS repositories?

We can use the CLI from a bash script (a plain text file which contains a series of commands) that enables scan on push for all repos. Create an enable_scan_on_push.sh file:

#!/bin/bash
# Enable scan on push for every repository in one region.
set -euo pipefail

REGION="us-east-1"   # change this if your repositories live in another region

# --query returns only the repository names, one per line; this is more robust
# than picking a fixed column out of the default text output.
for REPO in $(aws ecr describe-repositories \
        --region "$REGION" \
        --page-size 1000 \
        --query 'repositories[].repositoryName' \
        --output text); do
  aws ecr put-image-scanning-configuration \
    --repository-name "$REPO" \
    --image-scanning-configuration scanOnPush=true \
    --region "$REGION"
done

Change the region in the REGION variable if yours differs from us-east-1.
  • Run chmod u+x enable_scan_on_push.sh to change the permissions on the file and make it executable.
  • Run ./enable_scan_on_push.sh to execute the bash script from the current directory.

Step 2: Gather information and view the results

We can automate retrieving image vulnerabilities with a simple bash script and the AWS CLI:

#!/bin/bash
# Print scan findings for selected tags of every repository; where an image
# has not been scanned yet, request a scan so the next run can report on it.

REGION="us-east-2"   # change this if your repositories live in another region
TAGS="latest other"  # image tags to report on (space separated)

for REPO in $(aws ecr describe-repositories \
        --region "$REGION" \
        --page-size 1000 \
        --query 'repositories[].repositoryName' \
        --output text); do
  for TAG in $TAGS; do
    # Findings only exist once an image has been scanned; a failing call means
    # there is no scan yet (or the tag does not exist in this repository).
    if ! aws ecr describe-image-scan-findings \
          --repository-name "$REPO" \
          --image-id imageTag="$TAG" \
          --region "$REGION" >/dev/null 2>&1; then
      # No results: request a scan
      aws ecr start-image-scan \
        --repository-name "$REPO" \
        --image-id imageTag="$TAG" \
        --region "$REGION" 2>/dev/null
    else
      # Results present: print one line per finding (name, severity, URI).
      # Note that the grep only matches findings whose name starts with CVE.
      echo "$REPO:$TAG Image Vulnerabilities:"
      aws ecr describe-image-scan-findings \
        --repository-name "$REPO" \
        --image-id imageTag="$TAG" \
        --region "$REGION" \
        --output text 2>/dev/null |
        grep -oe 'CVE.*$' || echo '!!! CONGRATS! NO VULNERABILITIES!!!'
      echo '------------------------------' && echo ''
    fi
  done
done

Check the results of image vulnerability scanning

The TAGS variable lists the image tags that should be checked. In our example, only images tagged 'latest' and 'other' are scanned; set REGION to the region your repositories are in.
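Beyond printing the findings, a pipeline usually has to decide whether an image may be promoted. The following Python script is added here as an example; it is not part of the original article and not an AWS tool. It evaluates the JSON document that `aws ecr describe-image-scan-findings --output json` (or boto3's `describe_image_scan_findings`) returns: it recounts findings per severity, lists them, and blocks when anything at or above a chosen severity is present, or when the scan has not completed yet (the situation the script above handles by calling start-image-scan). The embedded response is a constructed sample in the API's shape; its CVE ids, digest, package names, repository name and the file name ecr_gate.py are placeholders.

```python
"""Evaluate an ECR image-scan response the way a CI/CD gate would.

Added example; not code from the original article or from AWS. It operates
on the JSON that `aws ecr describe-image-scan-findings --output json` returns.
SAMPLE_RESPONSE below is a constructed sample in that shape: the CVE ids,
digest, repository and package names are placeholders, not real findings.
"""
import json
import sys

# ECR severity levels, lowest to highest.
SEVERITY_ORDER = ["UNDEFINED", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample response (the API shape is real, every value is made up).
SAMPLE_RESPONSE = json.loads("""
{
  "registryId": "123456789012",
  "repositoryName": "my-app",
  "imageId": {"imageDigest": "sha256:PLACEHOLDER", "imageTag": "latest"},
  "imageScanStatus": {"status": "COMPLETE",
                      "description": "The scan was completed successfully."},
  "imageScanFindings": {
    "imageScanCompletedAt": "2021-01-01T00:00:00+00:00",
    "vulnerabilitySourceUpdatedAt": "2021-01-01T00:00:00+00:00",
    "findings": [
      {"name": "CVE-0000-0001", "severity": "HIGH",
       "description": "placeholder finding",
       "uri": "https://example.invalid/CVE-0000-0001",
       "attributes": [{"key": "package_name", "value": "libexample"},
                      {"key": "package_version", "value": "1.0-1"}]},
      {"name": "CVE-0000-0002", "severity": "LOW",
       "description": "placeholder finding",
       "uri": "https://example.invalid/CVE-0000-0002",
       "attributes": [{"key": "package_name", "value": "libother"},
                      {"key": "package_version", "value": "2.3-4"}]}
    ],
    "findingSeverityCounts": {"HIGH": 1, "LOW": 1}
  }
}
""")


def scan_complete(response):
    """True only when ECR reports that the scan itself finished."""
    return response.get("imageScanStatus", {}).get("status") == "COMPLETE"


def findings(response):
    """The findings list, or an empty list when the image has no scan results."""
    return response.get("imageScanFindings", {}).get("findings", [])


def severity_counts(response):
    """Recount per severity from the findings list instead of trusting the
    findingSeverityCounts summary blindly; for a complete response they agree."""
    counts = {}
    for finding in findings(response):
        sev = finding.get("severity", "UNDEFINED")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def package_of(finding):
    """Return 'name version' taken from the finding's attribute list."""
    attrs = {a["key"]: a["value"] for a in finding.get("attributes", [])}
    return f"{attrs.get('package_name', '?')} {attrs.get('package_version', '?')}"


def findings_at_or_above(response, threshold):
    """Findings whose severity is >= threshold ('HIGH' -> HIGH and CRITICAL)."""
    floor = SEVERITY_ORDER.index(threshold)
    return [f for f in findings(response)
            if SEVERITY_ORDER.index(f.get("severity", "UNDEFINED")) >= floor]


def should_block(response, threshold="HIGH"):
    """Decide whether an image may be promoted.

    A scan that is still IN_PROGRESS, failed or was never requested blocks as
    well: 'no findings' is not the same as 'no vulnerabilities'. A paginated
    response (nextToken present) blocks too, because the findings list we
    hold is incomplete and the remaining pages were not fetched.
    """
    if not scan_complete(response) or "nextToken" in response:
        return True
    return bool(findings_at_or_above(response, threshold))


def report_lines(response):
    """One line per finding, similar to the grep output of the article's script."""
    return [f"{f['name']} {f.get('severity', 'UNDEFINED')} {package_of(f)} {f.get('uri', '')}"
            for f in findings(response)]


if __name__ == "__main__":
    # Usage: python ecr_gate.py [findings.json]   (defaults to the built-in sample)
    resp = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    name = f"{resp.get('repositoryName')}:{resp.get('imageId', {}).get('imageTag')}"
    print(f"{name} severity counts: {severity_counts(resp)}")
    for line in report_lines(resp):
        print(line)
    blocked = should_block(resp, "HIGH")
    print("BLOCKED" if blocked else "OK")
    sys.exit(1 if blocked else 0)
```

Feed it a saved response (`aws ecr describe-image-scan-findings ... --output json > findings.json`) and use the exit code in the pipeline step that promotes the image. The threshold is deliberately a parameter: a registry that blocks on HIGH for internet-facing services may only warn on MEDIUM for internal tooling, but an unfinished or truncated scan should never pass silently.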

Summary

After pushing your Docker images to ECR, you can see the scan results in detail in the AWS console. Once you have the results, you can fix the vulnerabilities by applying security updates and rebuilding the image. An example report can be seen below: