Open kamzil opened 9 months ago
For those here looking to prevent image kernel false positives while we await a fix, this worked:
AWS Inspector > Suppression Rules > Create
Suppression rule details > Suppression rule filters
Resource type: AWS ECR Container Image
Package: name EQUALS linux
Inspector2 Suppression Rules do not yet exist in Terraform at this moment: https://github.com/hashicorp/terraform-provider-aws/issues/34165
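The same suppression rule through the AWS CLI, as an added example that is not part of the original comment. The rule name and description are hypothetical placeholders, and the preview step is an addition that lists the findings the rule would hide before it is created.

```shell
#!/usr/bin/env bash
# Added example: CLI equivalent of the console suppression rule above.
# The rule name and description are hypothetical placeholders.

# Filter criteria matching the console settings from the comment:
#   Resource type: AWS ECR Container Image
#   Package: name EQUALS linux
kernel_filter_criteria() {
  cat <<'JSON'
{
  "resourceType": [
    {"comparison": "EQUALS", "value": "AWS_ECR_CONTAINER_IMAGE"}
  ],
  "vulnerablePackages": [
    {"name": {"comparison": "EQUALS", "value": "linux"}}
  ]
}
JSON
}

# Preview: list the findings the rule would hide, so the scope can be
# reviewed before anything is suppressed.
preview_kernel_findings() {
  aws inspector2 list-findings \
    --filter-criteria "$(kernel_filter_criteria)" \
    --query 'findings[].[title,severity,resources[0].id]' \
    --output table
}

# Create the suppression rule with the same criteria.
create_kernel_suppression() {
  local name="${1:-suppress-ecr-image-kernel}"   # hypothetical rule name
  aws inspector2 create-filter \
    --name "$name" \
    --action SUPPRESS \
    --description "Kernel package findings on ECR images" \
    --filter-criteria "$(kernel_filter_criteria)"
}

# Typical order: preview_kernel_findings, review, then create_kernel_suppression.
```

The criteria match only ECR container image findings, so findings for the `linux` package on other resource types are not covered by this rule.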
Tell us about your request
Already mentioned at https://github.com/aws/containers-roadmap/issues/798#issuecomment-623847952 but not yet resolved. Currently, the AWS Inspector container scan results display Linux kernel vulnerabilities, even though the container is running on top of the host kernel, which is not dependent on the container image. Therefore, these entries in the results are false positives, or something that we can't affect, and should be excluded to reduce noise.

Which service(s) is this request for?
ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
The problem is too much unnecessary noise in scan results. The goal is to reduce it.

Are you currently working around this issue?
No

Additional context
No

Attachments
No