Open delafuentejc opened 3 years ago
I'd like to add that this is a showstopper for ECR vuln scanning adoption. There are just times the CVEs aren't relevant (vuln kernel package in an Ubuntu Docker container), and if we're going to break builds for CVEs, we need to be able to account for that.
This feature is already supported in ECR Enhanced Scanning/Amazon Inspector. See doc link here.
This is interesting because we're currently getting scan results from images in ECR without having even activated Inspector. So, how is this working?
We've configured image repos in ECR to scan, and are using ournova/aws-ecr-image-scan in our pipeline to obtain the results and fail on >= HIGH vulnerabilities.
Activating another paid-for AWS product to prevent non-applicable CVEs from failing the build doesn't feel like the right answer here.
Tell us about your request We would like to be able to whitelist some vulnerabilities when doing ECR scanning.
Which service(s) is this request for? ECR
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? We have a Docker image in an ECR repository. Scanning the image reports one vulnerability about a library we're using. According to the library documentation, the vulnerability is fixed in the version of the library we're using and it could be a false positive. We're thinking about several actions to follow. One of them is whitelisting this specific vulnerability, but it's not possible with AWS ECR scanning.
Are you currently working around this issue? We're using another Linux base image, but the newly generated image is bigger than the original one, about 3 times bigger.
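The gap described in this issue (a pipeline that fails on >= HIGH findings but has no way to accept a specific, justified CVE) can be closed outside ECR by gating in the pipeline itself. The following is an added example, not code from this thread, from AWS, or from the ournova/aws-ecr-image-scan action. It assumes the findings have the shape returned by ECR's DescribeImageScanFindings API (a list under `imageScanFindings.findings`, each with `name`, `severity` and `attributes`); the sample payload, the CVE identifiers in it and the allowlist entries are constructed placeholders. Each allowlist entry carries a written justification and an expiry date so that an accepted finding is re-examined rather than silently ignored forever.

```python
"""Allowlist-aware build gate over ECR basic scan findings (added example).

In a real pipeline the findings would come from boto3, e.g.
    ecr.describe_image_scan_findings(repositoryName=repo,
                                     imageId={"imageTag": tag})
and the list under ["imageScanFindings"]["findings"] would be passed to gate().
Here a constructed payload with placeholder CVE ids is embedded so the script
runs offline.
"""
import sys
from datetime import date

# Ordering of ECR finding severities; anything unknown is treated as lowest.
SEVERITY_RANK = {
    "INFORMATIONAL": 0, "UNDEFINED": 0, "LOW": 1,
    "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4,
}

# CONSTRUCTED sample findings; the CVE ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    {"name": "CVE-0000-0001", "severity": "HIGH",
     "attributes": [{"key": "package_name", "value": "linux"}]},
    {"name": "CVE-0000-0002", "severity": "MEDIUM",
     "attributes": [{"key": "package_name", "value": "libfoo"}]},
    {"name": "CVE-0000-0003", "severity": "CRITICAL",
     "attributes": [{"key": "package_name", "value": "libbar"}]},
    {"name": "CVE-0000-0004", "severity": "HIGH",
     "attributes": [{"key": "package_name", "value": "openssl"}]},
]

# CONSTRUCTED allowlist: every entry needs a reason and an expiry date.
ALLOWLIST = {
    "CVE-0000-0001": {"reason": "kernel package is never executed inside the container",
                      "expires": date(2030, 1, 1)},
    "CVE-0000-0003": {"reason": "fixed in the library version we ship (false positive)",
                      "expires": date(2020, 1, 1)},  # expired: must be re-reviewed
}


def package_of(finding):
    """Return the package_name attribute of a finding, or '?' if absent."""
    for attr in finding.get("attributes", []):
        if attr.get("key") == "package_name":
            return attr.get("value", "?")
    return "?"


def gate(findings, allowlist, threshold="HIGH", today=None):
    """Split findings at or above `threshold` into (blocking, suppressed).

    A finding is suppressed only if its id is allowlisted AND the allowlist
    entry has not expired; an expired entry blocks the build again.
    Returns two lists: blocking ids, and (id, reason) pairs that were accepted.
    """
    today = today or date.today()
    floor = SEVERITY_RANK[threshold]
    blocking, suppressed = [], []
    for finding in findings:
        if SEVERITY_RANK.get(finding.get("severity", "UNDEFINED"), 0) < floor:
            continue
        entry = allowlist.get(finding["name"])
        if entry and entry["expires"] > today:
            suppressed.append((finding["name"], entry["reason"]))
        else:
            blocking.append(finding["name"])
    return blocking, suppressed


def main():
    blocking, suppressed = gate(SAMPLE_FINDINGS, ALLOWLIST)
    by_name = {f["name"]: f for f in SAMPLE_FINDINGS}
    for cve, reason in suppressed:
        print(f"ACCEPTED  {cve} ({package_of(by_name[cve])}): {reason}")
    for cve in blocking:
        print(f"BLOCKING  {cve} ({package_of(by_name[cve])}) "
              f"severity={by_name[cve]['severity']}")
    # Non-zero exit fails the pipeline step exactly like a plain >= HIGH gate.
    sys.exit(1 if blocking else 0)


if __name__ == "__main__":
    main()
```

The allowlist file is the only thing that needs review when a finding is accepted, and the expiry forces that review to recur; keeping it in the repository next to the Dockerfile also leaves a change history of who accepted which CVE and why.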