Scan Docker Images in Amazon ECR and Retrieve Scan Findings

Sahan Gunathilaka
6 min read · Oct 8, 2020


A brief intro to Amazon ECR

Amazon ECR (Amazon Elastic Container Registry) is another useful managed service provided by AWS. It makes developers’ lives easier by providing a simple way to store, maintain, and use Docker container images. Beyond the basics it shares with other AWS services, Amazon ECR has some notable features such as resource-based policy support, lifecycle policy support, and Docker image scanning, which is the topic of this story.

Further, there are no upfront fees for Amazon ECR; we pay only for the storage used by our images and for the data transferred out to the Internet when we interact with those images.

Docker Image scanning inside Amazon ECR

Amazon ECR supports Docker image scanning out of the box; the one precondition is that the image must have been pushed to ECR successfully first. There are two methods we can use to scan pushed images.

  1. Scan on Push (Automatic)

This is an automatic approach in which an image is scanned right after it is pushed to the registry. To have Docker images scanned automatically when they are pushed, enable this scan type when creating the repository (automatic scanning can also be enabled or disabled after the repository is created). Figure 1 below shows the option at repository creation; the same option appears in the edit section afterwards.

Figure 1: Scan on push option at ECR creation

If this is enabled, ECR automatically starts a scan whenever a new Docker container image is pushed to the registry. Scan findings are stored in ECR itself, separately for each image. The findings (vulnerabilities) are shown on the same row as the image tag inside the repository, together with the status of the scan (figure 2 below).

Figure 2: Sample view for images stored in an ECR with scan findings

  2. Manual Scan

As its name implies, this is a manual approach: we start the scan ourselves once the required image has been pushed to the registry. Either the AWS Console for ECR or the AWS CLI can be used to start a manual scan of a specific image. In the AWS Console, select the required image and then use the “Scan” option, as shown in figure 3 below.

Figure 3: Manual Scan option in AWS Console

The same can be done with the AWS CLI, using either the image tag or the image digest, as below.

aws ecr start-image-scan --repository-name <image-repository-name> --image-id imageTag=<Image-Tag>

OR

aws ecr start-image-scan --repository-name <image-repository-name> --image-id imageDigest=<Image-Digest>

Both methods perform the scan in the same way and store the results as mentioned above.

Amazon ECR allows only one scan per image per day, regardless of which of the scanning methods above is used.

So far, we know how to scan Docker container images inside Amazon ECR and where to see the scan findings. Next, let's look at what these scans are based on.

What is the base for image scan in Amazon ECR?

Amazon ECR scans images against the widely used Common Vulnerabilities and Exposures (CVE) database. After scanning an image against this database, ECR reports the identified vulnerabilities at six severity levels: Critical, High, Medium, Low, Informational, and Undefined. If the upstream distribution source provides a severity, ECR uses it to label the vulnerability; otherwise, it derives the label from the Common Vulnerability Scoring System (CVSS) score.

How to retrieve scan findings?

You may want to use these scans in an automated software/product release process, for example to fail the release automatically when the Docker container images built in the release flow contain vulnerabilities. I’ll show how this can be achieved with the AWS CLI. The AWS SDK can of course be used as well, and the approach would be quite similar, but here I’ll describe the AWS CLI method.

Retrieving Scan Findings and automating the release flow

Consider that you are at the point where you have just built the Docker image for your product and now need to upload it to Amazon ECR. If you have enabled the Scan on push method, the scan starts automatically; assume for the rest of this section that it is enabled.
(If you prefer the Manual scan approach, execute the AWS CLI command shown above after the image has been pushed successfully.)

By now the image is built and pushed, and a scan has been started (automatically or manually). The important task now is to check whether the scan has completed successfully. The following command waits and checks for completion.

  1. Wait until the scan is completed.

aws ecr wait image-scan-complete --repository-name <image-repository-name> --image-id imageTag=<image-tag>

The imageDigest can be used here as well, instead of imageTag. This command polls every 5 seconds to check whether the scan has completed, up to a maximum of 60 polls. If the scan has not completed by then, the command exits with code 255; if it completes within those tries, the command exits with code 0.

  2. Retrieve scan findings once the scan is completed.

The following AWS CLI command returns the scan findings for a completed scan. So check the exit code of step 1 above, and if it is 0, execute the following command to retrieve the findings.

aws ecr describe-image-scan-findings --repository-name <image-repository-name> --image-id imageTag=<image-tag>

How the findings are checked will vary according to your requirements, so the retrieved scan findings can be analyzed in whatever way best matches a particular deployment/release process. The following is a template of the scan findings output returned by the AWS CLI command.

{
    "imageScanFindings": {
        "findings": [
            {
                "name": "name",
                "description": "description",
                "uri": "uri",
                "severity": "MEDIUM",
                "attributes": [
                    {
                        "key": "sample",
                        "value": "data"
                    }
                ]
            }
        ],
        "imageScanCompletedAt": 123982305.0,
        "vulnerabilitySourceUpdatedAt": 1129812317.0,
        "findingSeverityCounts": {
            "MEDIUM": 1
        }
    },
    "registryId": "0000000",
    "repositoryName": "sample",
    "imageId": {
        "imageDigest": "sha256 value"
    },
    "imageScanStatus": {
        "status": "COMPLETE",
        "description": "sample"
    }
}
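The wait-and-retrieve steps above, carried out end to end as an added Python example (not code from the original post): it reproduces the CLI waiter's polling budget of 60 polls at 5-second intervals, fails closed when the scan status is anything other than IN_PROGRESS or COMPLETE, follows nextToken so findings beyond the first page are not missed, and applies the same CRITICAL/HIGH rule to findingSeverityCounts. The ECR API is reached through a describe callable; the fake responses, the CVE-EXAMPLE names and the page token are constructed for offline use, and in production the real callable would be boto3.client("ecr").describe_image_scan_findings.

```python
"""Poll an ECR image scan, page through its findings and gate the release.

Added example, not the article's script. The ECR API is reached through a
`describe` callable so the code runs offline against constructed responses;
with boto3 pass boto3.client("ecr").describe_image_scan_findings, whose keyword
arguments (repositoryName, imageId, nextToken) are the ones used here.
"""
import time

SCAN_WAIT_ATTEMPTS = 60  # same budget as `aws ecr wait image-scan-complete`
SCAN_WAIT_INTERVAL = 5   # seconds between polls


class ScanNotComplete(Exception):
    """The scan failed, ended in an unexpected state, or did not finish in time."""


def wait_for_scan(describe, repo, tag, attempts=SCAN_WAIT_ATTEMPTS,
                  interval=SCAN_WAIT_INTERVAL, sleep=time.sleep):
    """Poll until imageScanStatus.status is COMPLETE and return that response.

    IN_PROGRESS keeps polling; any other status (for example FAILED) is terminal
    and raises, so the release fails closed instead of reading findings from a
    scan that never ran.
    """
    for attempt in range(1, attempts + 1):
        resp = describe(repositoryName=repo, imageId={"imageTag": tag})
        status = resp["imageScanStatus"]["status"]
        if status == "COMPLETE":
            return resp
        if status != "IN_PROGRESS":
            desc = resp["imageScanStatus"].get("description", "")
            raise ScanNotComplete(f"scan ended with status {status}: {desc}")
        if attempt < attempts:
            sleep(interval)
    raise ScanNotComplete(f"scan not complete after {attempts} polls")


def all_findings(describe, repo, tag):
    """Collect every finding, following nextToken so no page is skipped."""
    findings, token = [], None
    while True:
        kwargs = {"repositoryName": repo, "imageId": {"imageTag": tag}}
        if token:
            kwargs["nextToken"] = token
        resp = describe(**kwargs)
        findings.extend(resp["imageScanFindings"].get("findings", []))
        token = resp.get("nextToken")
        if not token:
            return findings


def blocks_release(resp, fail_on=("CRITICAL", "HIGH")):
    """Same rule as the article's script: block if any fail_on level has a count."""
    counts = resp["imageScanFindings"].get("findingSeverityCounts", {})
    return any(counts.get(level, 0) > 0 for level in fail_on)


def run_gate(describe, repo="my-repo", tag="v0.1", sleep=time.sleep):
    """Wait, fetch all findings, decide; returns a dict a CI step can act on."""
    resp = wait_for_scan(describe, repo, tag, sleep=sleep)
    names = [f["name"] for f in all_findings(describe, repo, tag)]
    return {"blocked": blocks_release(resp), "findings": names}


# ---- constructed fake of the ECR API (not real scan output) ----------------
IN_PROGRESS = {"imageScanStatus": {"status": "IN_PROGRESS", "description": "running"},
               "imageScanFindings": {}}
PAGE_1 = {"imageScanStatus": {"status": "COMPLETE", "description": "done"},
          "imageScanFindings": {
              "findings": [{"name": "CVE-EXAMPLE-0001", "severity": "HIGH"}],
              "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1}},
          "nextToken": "page-2"}
PAGE_2 = {"imageScanStatus": {"status": "COMPLETE", "description": "done"},
          "imageScanFindings": {
              "findings": [{"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM"}],
              "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1}}}


def make_fake_describe(status_sequence, pages_by_token):
    """describe() that replays status_sequence (repeating its last response)
    for unpaged calls and serves pages_by_token for calls carrying nextToken."""
    calls = {"n": 0}

    def describe(**kwargs):
        token = kwargs.get("nextToken")
        if token:
            return pages_by_token[token]
        resp = status_sequence[min(calls["n"], len(status_sequence) - 1)]
        calls["n"] += 1
        return resp
    return describe


if __name__ == "__main__":
    fake = make_fake_describe([IN_PROGRESS, IN_PROGRESS, PAGE_1], {"page-2": PAGE_2})
    print(run_gate(fake, sleep=lambda _: None))  # no real waiting in the demo
```

Treating every non-IN_PROGRESS, non-COMPLETE status as a hard failure is deliberate: a scan that ended in FAILED has no findings to read, and a release step that only checks for "not yet complete" would otherwise sail through with an empty findingSeverityCounts.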

A Simple bash script for deciding and identifying vulnerabilities!

#!/usr/bin/env bash
# Repository and tag of the image that was just pushed
ECR_IMAGE_NAME="my-repo"
IMAGE_TAG="v0.1"

# Start a manual scan (omit this line if scan on push is enabled)
aws ecr start-image-scan --repository-name "$ECR_IMAGE_NAME" --image-id imageTag="$IMAGE_TAG"

# Poll until the scan completes (exit code 0) or the waiter gives up (exit code 255)
if aws ecr wait image-scan-complete --repository-name "$ECR_IMAGE_NAME" --image-id imageTag="$IMAGE_TAG"; then
  SCAN_FINDINGS=$(aws ecr describe-image-scan-findings --repository-name "$ECR_IMAGE_NAME" --image-id imageTag="$IMAGE_TAG" | jq '.imageScanFindings.findingSeverityCounts')
  CRITICAL=$(echo "$SCAN_FINDINGS" | jq '.CRITICAL')
  HIGH=$(echo "$SCAN_FINDINGS" | jq '.HIGH')
  MEDIUM=$(echo "$SCAN_FINDINGS" | jq '.MEDIUM')
  LOW=$(echo "$SCAN_FINDINGS" | jq '.LOW')
  INFORMATIONAL=$(echo "$SCAN_FINDINGS" | jq '.INFORMATIONAL')
  UNDEFINED=$(echo "$SCAN_FINDINGS" | jq '.UNDEFINED')
  # jq prints "null" for a severity level that has no findings
  if [ "$CRITICAL" != null ] || [ "$HIGH" != null ]; then
    echo "Docker image contains vulnerabilities at CRITICAL or HIGH level"
    aws ecr batch-delete-image --repository-name "$ECR_IMAGE_NAME" --image-ids imageTag="$IMAGE_TAG" # delete pushed image from container registry
    exit 1 # exit execution due to docker image vulnerabilities
  fi
else
  echo "Image scan did not complete in time"
  exit 1 # do not release an image whose scan never finished
fi

Note that the above script looks only at CRITICAL and HIGH level vulnerabilities and breaks the flow if there are any at those levels. It is a simple one to illustrate the process; you may well use a more complex one.
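As an added example of such a more complex policy (not the article's own code), the following Python ranks ECR's six severity levels, blocks at or above a chosen threshold, treats UNDEFINED as blocking unless explicitly allowed, and honours time-boxed waivers for accepted findings. It takes the findings array from describe-image-scan-findings as input; the CVE-EXAMPLE names, waiver dates and sample date are constructed.

```python
"""Configurable release gate over ECR scan findings.

Added example, not the article's script. Instead of checking only the
CRITICAL/HIGH counts, it ranks ECR's severity levels, blocks at or above a
chosen threshold, and honours a time-boxed accepted-risk list. The input is the
`findings` array from describe-image-scan-findings; the finding names, dates
and sample "today" below are constructed.
"""
from datetime import date

# ECR severity labels from least to most severe. UNDEFINED means no severity
# could be assigned, so it is handled by a flag rather than ranked.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RANK = {level: i for i, level in enumerate(SEVERITY_ORDER)}


def evaluate(findings, block_at="HIGH", waivers=None, today=None, allow_undefined=False):
    """Split findings into (blocking, waived) lists of finding names.

    block_at:        lowest severity that blocks the release.
    waivers:         {finding name: expiry date}; an expired waiver is ignored.
    allow_undefined: let UNDEFINED-severity findings pass; the default blocks
                     them, because "unknown" is not the same as "safe".
    """
    waivers = waivers or {}
    today = today or date.today()
    blocking, waived = [], []
    for finding in findings:
        name = finding["name"]
        severity = finding.get("severity", "UNDEFINED")
        if severity == "UNDEFINED":
            serious = not allow_undefined
        else:
            serious = RANK[severity] >= RANK[block_at]
        if not serious:
            continue
        expiry = waivers.get(name)
        if expiry is not None and today <= expiry:
            waived.append(name)
        else:
            blocking.append(name)
    return blocking, waived


def release_allowed(findings, **policy):
    """True when nothing blocks; a CI step turns this into its exit code."""
    blocking, _ = evaluate(findings, **policy)
    return not blocking


# ---- constructed sample data (not real CVEs) --------------------------------
SAMPLE_FINDINGS = [
    {"name": "CVE-EXAMPLE-1001", "severity": "CRITICAL"},
    {"name": "CVE-EXAMPLE-1002", "severity": "HIGH"},
    {"name": "CVE-EXAMPLE-1003", "severity": "MEDIUM"},
    {"name": "CVE-EXAMPLE-1004", "severity": "UNDEFINED"},
]
SAMPLE_WAIVERS = {
    "CVE-EXAMPLE-1001": date(2020, 9, 1),    # expired: must block again
    "CVE-EXAMPLE-1002": date(2020, 12, 31),  # still valid on the sample date
}
SAMPLE_TODAY = date(2020, 10, 8)

if __name__ == "__main__":
    blocking, waived = evaluate(SAMPLE_FINDINGS, "HIGH", SAMPLE_WAIVERS, SAMPLE_TODAY)
    print("blocking:", blocking, "waived:", waived)
    raise SystemExit(0 if not blocking else 1)
```

The waiver map is the piece worth keeping in version control next to the pipeline: it records which findings were accepted, and the expiry date forces the decision to be revisited instead of silently outliving the reason it was granted.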

Conclusion

We discussed Amazon ECR in brief and how it scans images pushed to a registry, covering the Scan on push and Manual Scan methods and their use through both the AWS Console and the AWS CLI. Finally, we discussed how to automate a software/product release process by defining a way to break the flow if the scan detects any vulnerability.

Keep your happy reading up!! Stay safe and healthy!!
