ECR image scanning not meaningful anymore

aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code

https://aws.amazon.com/cdk

Apache License 2.0

11.67k stars 3.92k forks source link

ECR image scanning not meaningful anymore #6264

Open jogold opened 4 years ago

jogold commented 4 years ago

:question: General Issue

The Question

Since all ECR assets are now pushed to a single ECR repository with image tags based on the source hash of the docker asset, it becomes very hard to analyze vulnerabilities found by ECR image scanning.

See screenshot:

Could this be solved with additional meaningful tags?

Environment

CDK CLI Version: >= 1.22.0
Module Version: >= 1.22.0
OS: all
Language: all

MrArnoldPalmer commented 4 years ago

@jogold Does any particular tagging strategy come to mind? I would have to dig more into how image scanning runs currently.

jogold commented 4 years ago

Something that gives more context, the path or uniqueId of the node where the asset is added to the stack. If an asset is used in multiple stacks it will get multiple tags.

This requires a change in the current docker logic because even if the image (based on the source hash) already exists we still have to push tags. If build is skipped this means pulling, tagging and pushing back.

Over time when the source hash changes (updated image/docker context), those "contextual" tags will move from one image to another. This could be a solution to quickly identify unused image that should be cleaned up.

hoegertn commented 4 years ago

Is there any progress on this topic? What about one prefix per CDK app? So with one app we can reuse images and the bundling changes do not need to happen but we still know where the image came from. At least the app we need to look into.

github-actions[bot] commented 2 years ago

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

jogold commented 2 years ago

Still relevant

damnhandy commented 1 year ago

This is still relevant. But it's not limited to just ECR image scanning, but even other container scanning tools as well. There is a lot wrong by dumping every container into a single ECR repo. In our case, not only is it vuln scanning, but lifecycle policy as well. If you have 10 different images in your CDK app and only 1 image goes out of compliance, the entire assets repo gets flagged causing far more problems than you'd think.