How To

ECR vulnerability scanning

Automate vulnerability scanning in all your ECR repositories.

Turbot Team
5 min. read - Jun 24, 2021

Amazon Elastic Container Registry (Amazon ECR) hosts private container image repositories in AWS. It gives teams the flexibility to centralize repositories in one account or federate them out to individual application teams.

One of the key benefits of moving your application to a container architecture is the ability to microsegment application functionality into immutable images for greater security. Immutability also means that a vulnerability baked into an image stays there until the image is rebuilt, so the operating-system packages and software libraries in each image should be scanned for known vulnerabilities.

Clair is an open source static analysis tool for container images that tracks known vulnerabilities from the CVE feeds published by operating-system vendors. Amazon ECR's basic scanning uses the Common Vulnerabilities and Exposures (CVE) database from the Clair project and returns a list of findings for each scanned image, each finding rated by severity. Review those findings to understand the security posture of the images you are deploying. Note that basic scanning inspects the operating-system packages in an image; it does not report vulnerabilities in application-level dependencies such as npm or pip packages, so treat it as a complement to dependency scanning in your build pipeline rather than a replacement for it.

You can scan images stored in Amazon ECR manually, or configure a repository to scan each image automatically as it is pushed. Two caveats apply: scan on push only covers images pushed after the setting is enabled, so images already in the repository still need a manual scan, and basic scanning allows one scan per image every 24 hours.
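The manual path is the only way to cover images that were pushed before scan on push was enabled. The script below is an added example, not Turbot's or AWS's code: it triggers a scan of one image, polls until ECR reports the scan complete, and then gates on the findings by severity. The client calls mirror the real boto3 ECR API (start_image_scan, describe_image_scan_findings, and the LimitExceededException raised when the once-per-24-hours limit is hit). FakeECR and SAMPLE_FINDINGS are constructed stand-ins so the script runs offline; with real AWS, replace FakeECR(...) with boto3.client("ecr").

```python
"""Scan an image already stored in ECR and gate on its findings (added example)."""
import time


def scan_and_wait(ecr, repository, tag, poll_seconds=5.0, max_polls=60, sleep=time.sleep):
    """Trigger a scan of repository:tag and poll until ECR reports it COMPLETE.

    Scan on push only covers images pushed after it is enabled, so images
    already in the repository have to be scanned explicitly like this.
    """
    image = {"imageTag": tag}
    try:
        ecr.start_image_scan(repositoryName=repository, imageId=image)
    except ecr.exceptions.LimitExceededException:
        # Basic scanning permits one scan per image per 24 hours. The earlier
        # scan's findings remain readable, so fall through and fetch them.
        pass
    for _ in range(max_polls):
        resp = ecr.describe_image_scan_findings(repositoryName=repository, imageId=image)
        status = resp["imageScanStatus"]["status"]
        if status == "COMPLETE":
            return resp["imageScanFindings"]
        if status == "FAILED":
            raise RuntimeError(f"scan failed: {resp['imageScanStatus'].get('description')}")
        sleep(poll_seconds)
    raise TimeoutError(f"scan of {repository}:{tag} did not complete")


def evaluate_findings(findings, fail_on=("CRITICAL", "HIGH")):
    """Return (passed, counts_by_severity).

    Uses ECR's findingSeverityCounts and falls back to tallying the individual
    findings if that field is missing. The image fails if any finding has a
    severity listed in fail_on.
    """
    counts = dict(findings.get("findingSeverityCounts") or {})
    if not counts:
        for finding in findings.get("findings", []):
            severity = finding.get("severity", "UNDEFINED")
            counts[severity] = counts.get(severity, 0) + 1
    blocking = sum(counts.get(sev, 0) for sev in fail_on)
    return blocking == 0, counts


# Constructed sample; the shape follows the DescribeImageScanFindings response.
# The finding names are placeholders, not real CVE identifiers.
SAMPLE_FINDINGS = {
    "findings": [
        {"name": "EXAMPLE-FINDING-1", "severity": "HIGH"},
        {"name": "EXAMPLE-FINDING-2", "severity": "MEDIUM"},
        {"name": "EXAMPLE-FINDING-3", "severity": "LOW"},
    ],
    "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1, "LOW": 1},
}


class FakeECR:
    """In-memory stand-in for boto3's ECR client (constructed for this example)."""

    class exceptions:  # boto3 exposes service errors under client.exceptions
        class LimitExceededException(Exception):
            pass

    def __init__(self, findings, polls_until_complete=2):
        self._findings = findings
        self._remaining = polls_until_complete
        self._scanned = False

    def start_image_scan(self, repositoryName, imageId, **_):
        if self._scanned:  # second scan inside 24h is refused, like ECR does
            raise self.exceptions.LimitExceededException("one scan per image per 24h")
        self._scanned = True
        return {"imageScanStatus": {"status": "IN_PROGRESS"}}

    def describe_image_scan_findings(self, repositoryName, imageId, **_):
        if self._remaining > 0:
            self._remaining -= 1
            return {"imageScanStatus": {"status": "IN_PROGRESS"}}
        return {"imageScanStatus": {"status": "COMPLETE"}, "imageScanFindings": self._findings}


def demo():
    """Run the two-scan scenario against the fake client and return both verdicts."""
    ecr = FakeECR(SAMPLE_FINDINGS)
    findings = scan_and_wait(ecr, "payments/api", "1.4.2", sleep=lambda _: None)
    first = evaluate_findings(findings)  # a HIGH finding is present, so this fails
    # A second run the same day hits the 24h limit but still reads the findings.
    findings = scan_and_wait(ecr, "payments/api", "1.4.2", sleep=lambda _: None)
    second = evaluate_findings(findings, fail_on=("CRITICAL",))  # only CRITICAL blocks
    return first, second


if __name__ == "__main__":
    print(demo())
```

The fail_on threshold is the policy knob: a build gate that blocks on CRITICAL and HIGH is a sensible default, and the MEDIUM/LOW counts are still returned so they can be tracked without blocking releases.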

Today we look at how you can configure Turbot Guardrails to enforce automated scanning of every image as it is pushed to your AWS ECR repositories.

Traditional Workflow

The popularity of ECR with application development teams means you may have dozens (or hundreds) of ECR repositories across your environment, with new ones created at any time. Relying on application teams to enable scan on push manually in their development environments leads to vulnerabilities being discovered at the last minute, as software is being released. Automation is needed to discover existing and future ECR repositories and to configure the scan on push setting on each of them.

Get it done with Turbot Guardrails

In Turbot Guardrails, Amazon ECR Repository guardrails are readily available to control your cloud resource configurations. The AWS > ECR > Repository > Scan on Push policy can be set to enforce scanning in just a few clicks.

Setting the same policy via the Turbot Guardrails Terraform Provider is just as simple.

After the policy is set to enforce, Turbot identifies every ECR repository without Scan on Push enabled, including repositories created later, and remediates each one by enabling Scan on Push.

If you are not yet ready to enforce remediation, you can still assess your environment's ECR Repository Scan on Push compliance by setting the policy value to Check: Enabled at the Turbot level. In Check mode, Turbot Guardrails raises an alarm for each Amazon ECR repository that does not have Scan on Push enabled. After reviewing the alarms, selectively apply the enforcement setting or create exceptions as needed.

Since Scan on Push may not be appropriate for every repository, use Turbot Guardrails policy exceptions, with time-based expiration, to mark exceptions to the rule; when an exception expires the configuration is automatically reset to the enforced setting.
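To make the Check / Enforce / exception workflow above concrete without Turbot, here is an added example (not Turbot Guardrails' own code) that does the same job directly against the ECR API: it pages through every repository, reports the ones without scan on push, skips an exception list, and in enforce mode turns the setting on. The calls mirror the real boto3 ECR API (describe_repositories with nextToken paging and put_image_scanning_configuration); FakeECR and SAMPLE_REPOS are constructed stand-ins so the script runs offline. With real AWS, replace FakeECR(...) with boto3.client("ecr") and run it on a schedule so repositories created later are picked up too.

```python
"""Discover every ECR repository and check or enforce scan on push (added example)."""
from dataclasses import dataclass, field


@dataclass
class Result:
    compliant: list = field(default_factory=list)
    noncompliant: list = field(default_factory=list)  # found without scan on push
    remediated: list = field(default_factory=list)    # fixed during this run
    excepted: list = field(default_factory=list)      # skipped via the exception list


def list_repositories(ecr):
    """Page through DescribeRepositories; nextToken is absent on the last page."""
    repos, kwargs = [], {"maxResults": 100}
    while True:
        page = ecr.describe_repositories(**kwargs)
        repos.extend(page["repositories"])
        token = page.get("nextToken")
        if not token:
            return repos
        kwargs["nextToken"] = token


def enforce_scan_on_push(ecr, mode="check", exceptions=()):
    """mode="check" only reports; mode="enforce" also turns scan on push on.

    Repositories named in `exceptions` are reported separately and left alone,
    mirroring a policy exception. Returns a Result with the repository names.
    """
    if mode not in ("check", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    result = Result()
    for repo in list_repositories(ecr):
        name = repo["repositoryName"]
        if name in exceptions:
            result.excepted.append(name)
            continue
        if repo.get("imageScanningConfiguration", {}).get("scanOnPush", False):
            result.compliant.append(name)
            continue
        result.noncompliant.append(name)
        if mode == "enforce":
            ecr.put_image_scanning_configuration(
                repositoryName=name,
                imageScanningConfiguration={"scanOnPush": True},
            )
            result.remediated.append(name)
    return result


# Constructed sample repositories in the shape DescribeRepositories returns.
SAMPLE_REPOS = [
    {"repositoryName": "payments/api", "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "payments/worker", "imageScanningConfiguration": {"scanOnPush": False}},
    {"repositoryName": "sandbox/scratch", "imageScanningConfiguration": {"scanOnPush": False}},
    {"repositoryName": "web/frontend", "imageScanningConfiguration": {"scanOnPush": False}},
]


class FakeECR:
    """In-memory stand-in for boto3's ECR client (constructed for this example).

    Pages deliberately small so the nextToken loop is exercised.
    """

    def __init__(self, repos, page_size=2):
        self._repos = {r["repositoryName"]: dict(r) for r in repos}
        self._page_size = page_size
        self.calls = []  # repositories PutImageScanningConfiguration was called for

    def describe_repositories(self, maxResults=100, nextToken=None, **_):
        names = sorted(self._repos)
        start = int(nextToken) if nextToken else 0
        end = start + min(maxResults, self._page_size)
        page = {"repositories": [self._repos[n] for n in names[start:end]]}
        if end < len(names):
            page["nextToken"] = str(end)
        return page

    def put_image_scanning_configuration(self, repositoryName, imageScanningConfiguration, **_):
        self.calls.append(repositoryName)
        self._repos[repositoryName]["imageScanningConfiguration"] = dict(imageScanningConfiguration)
        return {"repositoryName": repositoryName,
                "imageScanningConfiguration": imageScanningConfiguration}


def demo(mode):
    """Run one pass in the given mode against the fake client; 'sandbox/scratch' is excepted."""
    ecr = FakeECR(SAMPLE_REPOS)
    return enforce_scan_on_push(ecr, mode=mode, exceptions={"sandbox/scratch"}), ecr


if __name__ == "__main__":
    print(demo("check")[0])
    print(demo("enforce")[0])
```

Run it in check mode first and review the noncompliant list, exactly as you would review Turbot's alarms; only switch to enforce once the exception list covers the repositories that legitimately should not be scanned. A second check pass after an enforce pass should report nothing noncompliant except the excepted repositories.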

Make it happen!

See for yourself how easy it is to manage your image scanning requirements across your cloud resources. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!