So you’ve gone ahead and containerized your entire architecture, created Amazon ECR repositories to host it, set up your favorite container orchestration framework and everything seems to be working fine, but did you remember to scan your images for vulnerabilities?
Scan for what?
When most teams are containerizing their software, they usually scroll through Docker Hub searching for the base image that would require them the least amount of work to set up (or perhaps have the smallest possible size), but what most people gloss over is that the images you’re basing your containers off might be vulnerable. Now continuously having to check vulnerability databases for your images before you push any single one is a burden no-one wants to bear which is why Amazon ECR provides you with an Image Scanning feature that scans your image against the Common Vulnerabilities and Exposures (CVEs) database from the open source Clair project. You can read more about it here.
Hooray! Post over, let’s all go back to our normal lives? Not so fast; the thing about discovering vulnerabilities is that it’s a continuous effort. The vulnerability database is always being updated, so an image with no vulnerabilities today might be vulnerable tomorrow! As your team grows, and your number of images grow from a couple of images to tens to hundreds of them, going back and scanning old images (next to the new ones) can become a full-time job in and on itself.
The “ECR Image Scanner” simplifies this endeavor by automating the scanning process. Let’s take a glimpse into how it works.
Amazon ECR provides 2 ways to trigger scans on ECR images.
- The first one is to set up “Scan on Push” which entails that all your images will be scanned (one time) as soon as they’re pushed.
- The second one is to manually trigger scans via Console or the AWS API.
When we first saw this, we were tempted to use the Scan on Push trigger but it turns out that it’s not a good idea; ECR has a scan limit of “1 scan / 24 hours” and since “Scan on Push” will only run the scan once after it’s pushed, you still have to run it manually afterwards for future scans. Since you’ll be pushing images all the time, you’ll be having different scans triggered at different times with a limit of 1 scan / 24 hours resulting in you/your team having to manage all the different shifting schedules to get away with the maximum number of scans possible.
This is why the first component of the “ECR Image Scanner” utility is an AWS Lambda function that runs on schedule and triggers scans on the images you choose.
Now we understand that your CD pipeline is pushing newer image versions all the time and you probably don’t care about vulnerabilities in older image versions. Therefore, it doesn’t make sense to have to always configure the utility with whatever the latest version is. This is why the “ECR Image Scanner” utility will ask for an SSM parameter containing the latest build tag and whenever you push a new one, just update that parameter from the pipeline and the utility will work its magic! You can provide as many parameters as you like!
Responding to Scans
Now we’ve successfully triggered a scan on an image, but how do we get the scan results? It doesn’t make sense for the Lambda to stick around polling for the scan to complete nor does it make sense to trigger every couple minutes to poll if the scan was complete! Wouldn’t it be nice if AWS can just “tell us” asynchronously once the scan is complete? This is what Amazon EventBridge does! By configuring Amazon EventBridge to trigger the “ECR Image Scanner” utility once the scan is complete, the utility can terminate as soon as the scan is triggered and once the scan is complete, Amazon EventBridge will trigger the utility once again for processing. The utility can now employ the specification framework that we implemented to determine whether the results merit a notification. If yes, the utility will notify you immediately on the scan report along with a summary of the report, vulnerability severities, numbers, as well as a link to view the full scan report from the AWS console!
Gotcha: Amazon EventBridge will actually trigger the Lambda for all scan complete events, even if they weren’t triggered by the utility itself. Therefore, the utility is also internally configured to know which scans matter and which do not.
With this utility automating scan requests on your ECR images, you can focus on what you do best and leave all the image scanning, vulnerability reporting, and scan follow-ups to the robots!
Is your organization looking to leverage containers or serverless technologies to improve the scalability, reliability, and cost-effectiveness of your instances on the cloud? Get in touch with our experts to learn how we can help!