Enable image scanning at ECR repository level


Enable image scanning at ECR repository level

Image scanning is one of the features offered by an ECR repository.

Amazon ECR image scanning identifies known software vulnerabilities (CVEs) in the packages installed in your container images and reports each finding with a severity.

Image scanning

In this article we enable image scanning at the ECR repository level.

Note that this per-repository setting is now deprecated. AWS recommends configuring scan on push in the private registry scanning configuration instead, which applies to every repository in the registry; that procedure is described in the article linked below.

See also
Enable image scanning at ECR registry level 【Enable image scanning at ECR registry level】 One of the features provided by the ECR repository is image scanning. Amazon ECR image scanning helps in iden...

Environment

Diagram of enabling image scanning at the ECR repository level.

Create an ECR.
Enable scanning on image push at the repository level.

CloudFormation template files

Build the above configuration with CloudFormation.
The CloudFormation templates are located at the following URL

https://github.com/awstut-an-r/awstut-fa/tree/main/082

Explanation of key points of the template files

This page focuses on how to enable scanning on push at the repository level.

For information on how to use CloudFormation custom resources to automatically delete images in the ECR repository when deleting the CloudFormation stack, please see the following page

See also
Delete ECR images using CloudFormation Custom Resources 【Delete ECR images using CloudFormation Custom Resources】 If you use CloudFormation to create an ECR and push an image to it, you may encounter an error du...

ECR

Resources:
  ECRRepository:
    Type: AWS::ECR::Repository
    Properties:
      ImageScanningConfiguration:
        ScanOnPush: true
      RepositoryName: !Ref Prefix

The ImageScanningConfiguration property holds the image scanning settings of the repository.
Setting its ScanOnPush property to true makes ECR start a scan automatically every time an image is pushed to this repository.
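For comparison, the following template is an added example (not one of the awstut-fa templates) that keeps the article's repository-level setting and places the recommended registry-level setting next to it, with a second hardening property a practitioner would normally add. The Prefix parameter and the RegistryScanning logical ID are assumptions made for the example; the resource types and property names are the real CloudFormation ones.

```yaml
Parameters:
  Prefix:
    Type: String
    Default: fa-082

Resources:
  ECRRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref Prefix
      # The article's setting. Still accepted, but ECR warns that the
      # per-repository form is deprecated.
      ImageScanningConfiguration:
        ScanOnPush: true
      # With IMMUTABLE, a second push of an existing tag (for example
      # "latest") is rejected, so a tag cannot be silently re-pointed at a
      # different image than the one whose scan results you looked at.
      ImageTagMutability: IMMUTABLE

  # Recommended replacement: scan settings for the whole private registry.
  # Only one of these exists per account and region. The WILDCARD "*"
  # filter applies the rule to every repository, including ones created
  # later, so nothing can be pushed to a repository that is never scanned.
  RegistryScanning:
    Type: AWS::ECR::RegistryScanningConfiguration
    Properties:
      ScanType: BASIC          # ENHANCED delegates to Amazon Inspector
      Rules:
        - ScanFrequency: SCAN_ON_PUSH
          RepositoryFilters:
            - Filter: "*"
              FilterType: WILDCARD
```

With ScanType BASIC, the only valid frequencies are SCAN_ON_PUSH and MANUAL; CONTINUOUS_SCAN requires ENHANCED scanning.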

(Reference) Dockerfile

FROM amazonlinux:2

Build your own image from the Amazon Linux 2 base image. The tag is pinned to 2 here because an untagged amazonlinux reference resolves to latest, which changes over time and with it the set of packages that gets scanned.

Architecting

Use CloudFormation to build this environment and check the actual behavior.

Create CloudFormation stacks and check resources in stack

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page

See also
CloudFormation’s nested stack 【How to build an environment with a nested CloudFormation stack】 Examine nested stacks in CloudFormation. CloudFormation allows you to nest stacks. Nested ...

After checking the resources in each stack, information on the main resources created this time is as follows

  • ECR repository: fa-082

Check the created resources from the AWS Management Console.
Check the ECR repository.

Detail of ECR 1.

Under Scan frequency, you will see “Scan on push”.
This indicates that this feature is enabled.

Check the details of the image scanning functionality in this repository.

Detail of ECR 2.

Here, too, we can see that scanning is enabled on push.
The warning, however, states that enabling this feature per repository is deprecated.

Check Action

Now that the repository is ready, push the image to it.
Execute the push commands shown below.

Detail of ECR 3.

After pushing the image, check the repository again.

Detail of ECR 4.

The Scan status item shows “Complete”.
This indicates that the scan ran automatically when the image was pushed.

Check the “details” under Vulnerabilities.

Detail of ECR 5.

The detected vulnerabilities are listed with their severity (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL or UNDEFINED) together with the affected package and version. Keep in mind that scan on push scans an image only at push time; to pick up vulnerabilities published after the push, start a manual scan from the console or with aws ecr start-image-scan (basic scanning allows one manual scan per image per day).

Thus we have confirmed that enabling scan on push at the ECR repository level makes images scan automatically when they are pushed.
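The console is fine for a one-off check, but in a pipeline you want the same findings read from the API and the build failed above a severity threshold. The script below is an added example, not code from this article or the awstut-fa repository. It follows the real response shape of ecr:DescribeImageScanFindings; the sample response, its placeholder CVE identifiers and the helper names (scan_passes, violating_findings, fetch_scan_findings) are assumptions made for the example, and fetch_scan_findings needs boto3 plus AWS credentials, so it is only called from the command line.

```python
"""Gate a CI job on Amazon ECR image scan findings.

Added example for this article; not code from the page or the awstut-fa
templates. The response shape follows ecr:DescribeImageScanFindings; the
sample response below is constructed and its CVE IDs are placeholders.
"""
from __future__ import annotations

from collections import Counter

# Severity levels reported by ECR scanning, lowest to highest.
# UNDEFINED is used for findings that have no CVSS score.
SEVERITY_ORDER = ["UNDEFINED", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def severity_rank(severity: str) -> int:
    """Integer rank of a severity so thresholds can be compared; unknown -> 0."""
    try:
        return SEVERITY_ORDER.index(severity.upper())
    except ValueError:
        return 0


def summarize_findings(response: dict) -> dict[str, int]:
    """Count findings per severity from a DescribeImageScanFindings response.

    The API also returns findingSeverityCounts, but recounting from the
    findings list works across paginated pages and after local filtering.
    """
    findings = response.get("imageScanFindings", {}).get("findings", [])
    return dict(Counter(f.get("severity", "UNDEFINED").upper() for f in findings))


def violating_findings(response: dict, fail_at: str = "HIGH",
                       accepted: set[str] | None = None) -> list[dict]:
    """Findings at or above fail_at, minus CVE IDs that were explicitly accepted."""
    accepted = accepted or set()
    threshold = severity_rank(fail_at)
    return [
        f for f in response.get("imageScanFindings", {}).get("findings", [])
        if severity_rank(f.get("severity", "UNDEFINED")) >= threshold
        and f.get("name") not in accepted
    ]


def scan_passes(response: dict, fail_at: str = "HIGH",
                accepted: set[str] | None = None) -> bool:
    """True only when the scan finished and nothing at or above fail_at remains.

    Any status other than COMPLETE (IN_PROGRESS, FAILED, UNSUPPORTED_IMAGE...)
    fails closed: an unscanned image must never be treated as clean.
    """
    if response.get("imageScanStatus", {}).get("status") != "COMPLETE":
        return False
    return not violating_findings(response, fail_at, accepted)


def fetch_scan_findings(repository: str, tag: str, region: str | None = None) -> dict:
    """Wait for the scan triggered by the push, then merge all findings pages.

    Needs boto3 and AWS credentials (assumption: available where this runs);
    imported here so the pure functions above stay usable offline.
    """
    import boto3

    ecr = boto3.client("ecr", region_name=region)
    image_id = {"imageTag": tag}
    ecr.get_waiter("image_scan_complete").wait(
        repositoryName=repository, imageId=image_id)
    merged: dict | None = None
    for page in ecr.get_paginator("describe_image_scan_findings").paginate(
            repositoryName=repository, imageId=image_id):
        if merged is None:
            merged = page
        else:
            merged["imageScanFindings"].setdefault("findings", []).extend(
                page["imageScanFindings"].get("findings", []))
    return merged or {}


# Constructed sample in the real response shape; CVE IDs are placeholders.
SAMPLE_RESPONSE = {
    "registryId": "123456789012",
    "repositoryName": "fa-082",
    "imageId": {"imageTag": "latest"},
    "imageScanStatus": {"status": "COMPLETE",
                        "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 1, "LOW": 1},
        "findings": [
            {"name": "CVE-0000-0001", "severity": "CRITICAL",
             "attributes": [{"key": "package_name", "value": "pkg-a"}]},
            {"name": "CVE-0000-0002", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "pkg-b"}]},
            {"name": "CVE-0000-0003", "severity": "MEDIUM",
             "attributes": [{"key": "package_name", "value": "pkg-c"}]},
            {"name": "CVE-0000-0004", "severity": "LOW",
             "attributes": [{"key": "package_name", "value": "pkg-d"}]},
        ],
    },
}


if __name__ == "__main__":
    import sys
    # Offline demo on the constructed sample.
    print(summarize_findings(SAMPLE_RESPONSE))
    print("pass at HIGH:", scan_passes(SAMPLE_RESPONSE, "HIGH"))
    print("pass at CRITICAL with CVE-0000-0001 accepted:",
          scan_passes(SAMPLE_RESPONSE, "CRITICAL", {"CVE-0000-0001"}))
    # Live use: python scan_gate.py fa-082 latest  (exit 1 blocks the pipeline)
    if len(sys.argv) == 3:
        live = fetch_scan_findings(sys.argv[1], sys.argv[2])
        sys.exit(0 if scan_passes(live, "HIGH") else 1)
```

The accepted set is where a reviewed, risk-accepted CVE goes; keeping it as an explicit allow-list in the pipeline is preferable to lowering the threshold for everyone, and the fail-closed handling of non-COMPLETE statuses matters because an UNSUPPORTED_IMAGE or FAILED scan would otherwise pass with zero findings.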

Summary

We have confirmed how to enable scan on push at the ECR repository level and its effectiveness.
