This repository provides an automated remediation pipeline for vulnerabilities detected by AWS ECR Inspector. It uses generative AI, through Amazon Bedrock's in-context learning, to propose fixes for the findings and so strengthens the security posture of the application development workflow.
The architecture integrates with existing CI/CD processes and covers the full path from finding to fix. The architecture diagram shows the solution's components (Inspector findings, EventBridge, DynamoDB, Lambda, ECS, Bedrock and CodeCommit) and how they interact.
The goal is to automate the vulnerability remediation process and minimize manual intervention by automatically suggesting and applying fixes for the security issues that ECR Inspector identifies.
Export environment variables for the project path, AWS region and account ID:
export BASE_PATH=</path/to/your/project>
export AWS_REGION="$(aws configure get region)"
export ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
Generate SSH keys for the automatic PR application:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f ${BASE_PATH}/automatic-pr-bedrock/keys/cve_demo
Adjust the Terraform variables in terraform-new/variables.tf to suit your deployment needs.
Initialize Terraform and plan your deployment:
cd ${BASE_PATH}/terraform/
terraform init
terraform plan
Apply the Terraform configuration:
terraform apply --auto-approve
Export USER_ID from the codecommit_user_ssh_key_id Terraform output:
export USER_ID=$(terraform output -raw codecommit_user_ssh_key_id)
echo $USER_ID
APKA1234567890ABCDEF
Add the generated SSH key to your ssh-agent:
eval "$(ssh-agent -s)"
ssh-add ${BASE_PATH}/automatic-pr-bedrock/keys/cve_demo
Clone the CodeCommit repositories at the root of your BASE_PATH, using the SSH URLs obtained from the Terraform outputs:
cd ${BASE_PATH}
git clone ssh://${USER_ID}@git-codecommit.${AWS_REGION}.amazonaws.com/v1/repos/my-amazing-application
git clone ssh://${USER_ID}@git-codecommit.${AWS_REGION}.amazonaws.com/v1/repos/my-awesome-application
Copy the my-amazing-application files into the cloned repository and push the changes:
cd ${BASE_PATH}
cp -r ${BASE_PATH}/apps/my-amazing-application/* my-amazing-application/
cd my-amazing-application/
git branch -m master main
git add .
git commit -m "Initial Commit"
git push origin main
Repeat for my-awesome-application:
cd $BASE_PATH
cp -r ${BASE_PATH}/apps/my-awesome-application/* my-awesome-application/
cd my-awesome-application/
git branch -m master main
git add .
git commit -m "Initial Commit"
git push origin main
Authenticate with AWS ECR:
aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com
Login Succeeded
Build and push the Docker image:
cd ${BASE_PATH}/automatic-pr-bedrock/
docker build --build-arg AWS_DEFAULT_REGION=${AWS_REGION} --build-arg USER_ID=${USER_ID} -t ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/automatic-pr-bedrock:latest .
docker push ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/automatic-pr-bedrock:latest
If you are building on an ARM64-based processor (such as an Apple silicon Mac), build a linux/amd64 image with buildx instead, since the ECS task expects that platform:
cd ${BASE_PATH}/automatic-pr-bedrock/
docker buildx build --platform linux/amd64 --build-arg AWS_DEFAULT_REGION=${AWS_REGION} --build-arg USER_ID=${USER_ID} -t ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/automatic-pr-bedrock:latest --push .
Build and push a test image to trigger the pipeline:
cd ${BASE_PATH}/apps/my-amazing-application/
docker build -t ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/my-amazing-application:latest .
docker push ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/my-amazing-application:latest
Inspector Findings
Look at the Amazon Inspector findings for the my-amazing-application repository.
EventBridge Rule Filtering
Ensure the EventBridge rules are set to trigger the workflow for the CRITICAL, HIGH and MEDIUM severity levels.
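To check the severity filtering offline before looking at the console, here is an added example (written for this README, not code from the project): the rule pattern is an assumption about the shape of the project's EventBridge rule, built from the Inspector2 finding event schema, the sample event is constructed, and the small matcher reproduces enough of EventBridge's content-filter semantics to show which severities would fire the rule.

```python
import json

# Assumed shape of this project's EventBridge rule pattern (not copied from the
# repository): Inspector2 finding events on ECR images at the three severities.
INSPECTOR_RULE_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["CRITICAL", "HIGH", "MEDIUM"],
        "resources": {"type": ["AWS_ECR_CONTAINER_IMAGE"]},
    },
}


def matches(pattern, event):
    """Minimal EventBridge content-filter semantics: an event array matches
    when any element matches, a leaf list is an OR of exact values, and a
    dict requires every pattern key to be present and to match."""
    if isinstance(event, list):
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):
        return event in pattern
    if not isinstance(pattern, dict) or not isinstance(event, dict):
        return False
    return all(k in event and matches(v, event[k]) for k, v in pattern.items())


def constructed_finding_event(severity, repo="my-amazing-application"):
    """Constructed sample event following the Inspector2 finding schema."""
    return {
        "source": "aws.inspector2",
        "detail-type": "Inspector2 Finding",
        "detail": {
            "severity": severity,
            "resources": [{
                "type": "AWS_ECR_CONTAINER_IMAGE",
                "details": {"awsEcrContainerImage": {"repositoryName": repo}},
            }],
        },
    }


def triggered_severities(pattern, severities):
    """Severities whose finding events would fire a rule using `pattern`."""
    return [s for s in severities if matches(pattern, constructed_finding_event(s))]


if __name__ == "__main__":
    print(json.dumps(INSPECTOR_RULE_PATTERN, indent=2))
    print(triggered_severities(INSPECTOR_RULE_PATTERN, ["CRITICAL", "HIGH", "MEDIUM", "LOW"]))
```

For an authoritative answer from the service itself, the same pattern and event can be passed to `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json`.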
DynamoDB entry
Ensure that the entry in the aggregate-cve-results Amazon DynamoDB table was created and populated with the findings.
Lambda Logs
Check the Amazon CloudWatch Logs for the TriggerGenAIService Lambda function.
ECS Service Logs
Review the logs of the Amazon ECS cve-automatic-patching-demo service for execution details.
CodeCommit PRs
Inspect the CodeCommit my-amazing-application repository for the generated pull requests.
When you're finished, remove the infrastructure to avoid recurring charges by running the following commands.
Empty the ECR repositories (Terraform cannot delete a repository that still contains images):
repositories=("automatic-pr-bedrock" "my-amazing-application")
for repository_name in "${repositories[@]}"; do
  echo "Emptying repository: ${repository_name}"
  # List every image digest (tagged and untagged) in the repository
  image_digests=$(aws ecr list-images --repository-name "${repository_name}" --query 'imageIds[].imageDigest' --output text)
  for image_digest in ${image_digests}; do
    aws ecr batch-delete-image --repository-name "${repository_name}" --image-ids imageDigest="${image_digest}"
  done
done
Destroy the infrastructure created by the Terraform configuration:
cd ${BASE_PATH}/terraform/
terraform destroy