ecr-vulnerable-image-tagger
A solution that automatically tags images when they contain vulnerabilities.
Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry that makes it easy for developers to store and manage Docker images inside their AWS environment. ECR supports two types of image scanning. Enhanced scanning requires an integration with Amazon Inspector and scans your repositories continuously. Basic scanning uses the open-source Clair scanner and the Common Vulnerabilities and Exposures (CVE) database to find vulnerabilities in your images; you can trigger scans on image push or manually.
The solution works! Still, there are some "missing" features. As already mentioned, the OR condition in the EventBridge rule is not working, so we're currently only filtering for CRITICAL images. Next, it would be nice if we could use Docker image tag prefixes in IAM policies, so we can deny pulls of vulnerable images. In my solution I'm removing images with this tag prefix after 5 days.
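As an added example (not the post's code or its GitHub solution), here is a Lambda-style handler that consumes the "ECR Image Scan" completion event EventBridge delivers, evaluates the severity OR in code instead of in the rule pattern, and retags the image by re-putting its manifest. The tag prefix, repository name and sample event are constructed assumptions.

```python
from typing import Optional

# Severity names used by ECR basic (Clair) scan findings, lowest to highest.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
VULN_TAG_PREFIX = "vulnerable-"  # assumed prefix; the post's exact prefix is not given here

# Constructed sample event in the shape EventBridge delivers for a basic scan result.
SAMPLE_EVENT = {
    "detail-type": "ECR Image Scan",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "payments-api",
        "image-digest": "sha256:" + "0123456789abcdef" * 4,
        "image-tags": ["1.4.2"],
        "finding-severity-counts": {"HIGH": 3, "MEDIUM": 12},
    },
}

def findings_at_or_above(counts: dict, minimum: str) -> dict:
    """Non-zero buckets at severity >= minimum. Evaluating the OR here sidesteps
    the EventBridge pattern limitation the post hit (CRITICAL only)."""
    floor = SEVERITY_ORDER.index(minimum)
    return {s: n for s, n in counts.items()
            if s in SEVERITY_ORDER and SEVERITY_ORDER.index(s) >= floor and n > 0}

def should_tag(event: dict, minimum: str = "HIGH") -> bool:
    """Only a completed basic scan with findings at or above `minimum` qualifies."""
    detail = event.get("detail", {})
    if event.get("detail-type") != "ECR Image Scan" or detail.get("scan-status") != "COMPLETE":
        return False
    return bool(findings_at_or_above(detail.get("finding-severity-counts", {}), minimum))

def vulnerable_tag(detail: dict) -> str:
    """Prefix the first existing tag, or a short digest when the image is untagged."""
    tags = detail.get("image-tags") or []
    base = tags[0] if tags else detail["image-digest"].split(":", 1)[1][:12]
    return VULN_TAG_PREFIX + base

def handle(event: dict, ecr, minimum: str = "HIGH") -> Optional[str]:
    """Lambda-style entry point. ECR has no add-tag call, so the existing manifest
    is put again under the new tag. `ecr` is a boto3 ECR client or a test double."""
    if not should_tag(event, minimum):
        return None
    d = event["detail"]
    images = ecr.batch_get_image(repositoryName=d["repository-name"],
                                 imageIds=[{"imageDigest": d["image-digest"]}])["images"]
    tag = vulnerable_tag(d)
    ecr.put_image(repositoryName=d["repository-name"],
                  imageManifest=images[0]["imageManifest"], imageTag=tag)
    return tag
```

An ECR lifecycle rule with `tagPrefixList` set to the same prefix then expires the flagged images after the chosen number of days.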
That being said, I hope you enjoyed reading this post and that you will start thinking about vulnerabilities in Docker images! The full solution is available on my GitHub.