Closed ddriddle closed 2 months ago
This isn't worth doing unless/until we as an organization develop a vision for what sort of scans should be done on ECR images. @ddriddle, if you and your team have a vision for developing suitable security scans in our CI pipeline, I think it would be great if you could add your findings to the comments on this issue.
If you want to make it political, sure, we can talk to Ed, Andy, and the rest of security, but honestly this is a trivial change. From the link above, this is what a scan does:
Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open source CoreOS Clair project and provides you with a list of scan findings. You can review the scan findings for information about the security of the container images that are being deployed. For more information about CoreOS Clair, see CoreOS Clair.
Basically this would protect against people pushing images of software that is not patched. The scans require no configuration beyond enabling a boolean flag, as you can see in the following example:
resource "aws_ecr_repository" "foo" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"

  # Have ECR scan every image for known CVEs as soon as it is pushed.
  image_scanning_configuration {
    scan_on_push = true
  }
}
I think turning on scans by default is a good idea. I would like to know what you think. I think it is worth your time to play with this and enable it if not too inconvenient.
Closed by #15.
ECR and Terraform now support a new option, image_scanning_configuration, that is missing from this module. We need to add support, and good defaults, to allow security scans of ECR repositories:
ecr_repository: https://www.terraform.io/docs/providers/aws/r/ecr_repository.html
Image Scanning: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
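The issue asks for module support with good defaults, and the comment above shows the flag on a bare resource. As an added example (not this module's actual code, and not from the thread), here is how a wrapper module could expose the option so that scanning is on unless a caller explicitly opts out. The variable names, the resource label `this`, and the choice of IMMUTABLE tags as the second default are assumptions made for this illustration.

```hcl
# Added example: a module that wraps aws_ecr_repository with secure defaults.
# Variable names and the IMMUTABLE default are assumptions, not the module's code.

variable "name" {
  description = "Name of the ECR repository."
  type        = string
}

variable "scan_on_push" {
  description = "Scan every pushed image for known CVEs. Defaults to true; set to false only for a documented exception."
  type        = bool
  default     = true
}

variable "image_tag_mutability" {
  description = "MUTABLE or IMMUTABLE. IMMUTABLE stops a tag that was already scanned from being silently overwritten with a different image."
  type        = string
  default     = "IMMUTABLE"
}

resource "aws_ecr_repository" "this" {
  name                 = var.name
  image_tag_mutability = var.image_tag_mutability

  # Callers get scan_on_push = true unless they pass scan_on_push = false.
  image_scanning_configuration {
    scan_on_push = var.scan_on_push
  }
}

output "repository_url" {
  description = "URL used for docker push/pull."
  value       = aws_ecr_repository.this.repository_url
}

output "scan_on_push" {
  description = "Effective scanning setting, so callers can assert on it in tests or policy checks."
  value       = var.scan_on_push
}
```

Two caveats a practitioner would want: scan_on_push only scans images pushed after the flag is set, so images already in a repository need a manual `aws ecr start-image-scan` (or a re-push) to get findings, and enabling the scan only produces findings; something still has to read them (for example in CI after the push) before they block a deployment.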