Scanning Amazon Elastic Container Registry (ECR) Images
Scan your Amazon ECR images for vulnerabilities
You will need an Intel-based Linux client system to run the RapidFort scanner (rfscan).
Your client system can be a CI/CD pipeline runner (e.g. GitLab or Jenkins) or a system with the appropriate permissions to access Amazon ECR, Amazon S3, and the RapidFort SaaS or RapidFort On-Premises Instance.
Your client system will need the following dependencies installed:
- Python 3.x (we recommend Python 3.8 or later) and pip3
- Docker
- Amazon AWS Command Line Interface Tools (we recommend version 2.x)
Your client system will need access to the following:
- Amazon Elastic Container Registry (ECR)
- Amazon S3
- RapidFort SaaS or RapidFort On-Premises Instance
Install the dependencies listed above (Python 3.x with pip3, Docker, and the AWS CLI) on your client system.
Configure your client system with access to Amazon ECR. You may need to create an IAM role and policy.
Verify that you are able to pull Docker images from Amazon ECR.
$ docker pull <registry_id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>
For example:
$ docker pull 123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:v1.0.100
If you plan to scan your registry, verify that you are able to run describe-repositories and describe-images (you may need to assume an IAM role beforehand):
$ aws ecr describe-repositories --registry-id=<registry_id>
$ aws ecr describe-images --registry-id=<registry_id> --repository-name=<repository>
For example:
$ aws ecr describe-repositories --registry-id=123456789010
$ aws ecr describe-images --registry-id=123456789010 --repository-name=frontend
Install the RapidFort Command Line Interface (CLI) tools.
RapidFort SaaS:
$ curl https://api.rapidfort.com/cli/ | bash
RapidFort On-Premises:
$ curl https://<rapidfort_host>/cli/ | bash
After installing the RapidFort CLI tools, verify that you are able to log into RapidFort:
$ rflogin <email_address>
If your images are already available locally on your client system, then you do not need to configure rfscan to pull images from your registry.
Otherwise, if you need rfscan to pull images from your registry or if you would like to scan your registry, then follow the instructions in Configuration File to set up your rfscan.yaml configuration file.
There are two ways to scan images.
Provide each image as a command-line parameter.
$ rfscan <registry>/<repository0>:<tag0> <registry>/<repository1>:<tag1> \
<registry>/<repository2>:<tag2> ...
For example:
$ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100 \
123456789010.dkr.ecr.us-east-1.amazonaws.com/backend:1.2.3 \
123456789010.dkr.ecr.us-east-1.amazonaws.com/core/utils:v1.0
Create a text file that contains one image per line and provide the path to the text file as a command-line parameter.
<registry>/<repository0>:<tag0>
<registry>/<repository1>:<tag1>
<registry>/<repository2>:<tag2>
$ rfscan <path_to_image_list_file>
For example:
Contents of ~/image_list_file:
123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100
123456789010.dkr.ecr.us-east-1.amazonaws.com/backend:1.2.3
123456789010.dkr.ecr.us-east-1.amazonaws.com/core/utils:v1.0
$ rfscan ~/image_list_file
To tag all images that were scanned as part of the same scan job, provide a tag name and optionally a tag description as command-line parameters.
$ rfscan <images or image list file> -t <tag_name> -d <tag_description>
For example:
$ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100 \
123456789010.dkr.ecr.us-east-1.amazonaws.com/backend:1.2.3 \
123456789010.dkr.ecr.us-east-1.amazonaws.com/core/utils:v1.0 \
-t jenkins_123456 -d "Jenkins #123456"
$ rfscan ~/image_list_file -t scan_20220107 -d "Scan on 2022-01-07"
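The following Python script is an added example, not RapidFort's own code: it builds the one-image-per-line list file from `aws ecr describe-images` output and assembles the tagged rfscan invocation. The JSON sample is constructed, and the field names it reads (imageDetails, registryId, repositoryName, imageTags) are those of the ECR DescribeImages response.

```python
import json
import shlex
from pathlib import Path
from typing import List

# Constructed stand-in for `aws ecr describe-images --registry-id 123456789010
# --repository-name frontend` output; the entry with no "imageTags" key is an
# untagged (superseded) push, which is normal in ECR.
SAMPLE_DESCRIBE_IMAGES = json.dumps({"imageDetails": [
    {"registryId": "123456789010", "repositoryName": "frontend",
     "imageDigest": "sha256:placeholder-a", "imageTags": ["1.0.100", "latest"]},
    {"registryId": "123456789010", "repositoryName": "frontend",
     "imageDigest": "sha256:placeholder-b"},
    {"registryId": "123456789010", "repositoryName": "frontend",
     "imageDigest": "sha256:placeholder-c", "imageTags": ["1.0.99"]},
]})

def ecr_registry(registry_id: str, region: str) -> str:
    """Registry host in the form docker pull and rfscan expect."""
    return f"{registry_id}.dkr.ecr.{region}.amazonaws.com"

def image_refs(describe_json: str, region: str, include_latest: bool = False) -> List[str]:
    """Convert describe-images output into <registry>/<repository>:<tag> lines.

    Untagged images are skipped (rfscan needs a pullable reference) and the
    floating "latest" tag is dropped unless asked for, so every scanned image
    maps back to a fixed release tag.
    """
    refs = set()
    for detail in json.loads(describe_json)["imageDetails"]:
        registry = ecr_registry(detail["registryId"], region)
        for tag in detail.get("imageTags", []):
            if tag != "latest" or include_latest:
                refs.add(f"{registry}/{detail['repositoryName']}:{tag}")
    return sorted(refs)

def write_image_list(path, refs: List[str]) -> Path:
    """Write the one-image-per-line file that `rfscan <path>` consumes."""
    path = Path(path)
    path.write_text("".join(ref + "\n" for ref in refs))
    return path

def rfscan_command(list_path, tag: str, description: str) -> str:
    """Shell-safe rfscan invocation with a workload tag and description."""
    return f"rfscan {shlex.quote(str(list_path))} -t {shlex.quote(tag)} -d {shlex.quote(description)}"

if __name__ == "__main__":
    refs = image_refs(SAMPLE_DESCRIBE_IMAGES, "us-east-1")
    print(rfscan_command(write_image_list("image_list_file", refs), "scan_20220107", "Scan on 2022-01-07"))
```

In a pipeline, replace the constructed sample with the real `aws ecr describe-images` output for each repository and pass the printed command to your runner.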
If you would like to scan your registry, then follow the instructions in Configuration File to set up your rfscan.yaml configuration file.
To scan your registry, provide the registry server as a command-line parameter:
$ rfscan <registry>
For example:
$ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com
To tag all images that were scanned as part of the same scan job, provide a tag name and optionally a tag description as command-line parameters.
$ rfscan <registry> -t <tag_name> -d <tag_description>
For example:
$ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com \
-t registry_scan_20220107 -d "Registry Scan 2022-01-07"
Workload tags are optional but recommended. Using workload tags enables filtering images by tag in the RapidFort UI.
By default, scan reports are saved in ~/rapidfort/reports/<timestamp>. This can be overridden with the --reports_folder command-line parameter.