As container adoption in AWS takes off, ECR scanning is the first step towards delivering continuous security and compliance. You need to ensure you are scanning your images pulled from AWS ECR for both vulnerabilities and misconfigurations so that you don’t push applications running on AWS that are exploitable.
Sysdig Secure embeds security and compliance across all stages of the Kubernetes lifecycle. Leveraging 15+ threat feeds, Sysdig Secure provides a single workflow to detect vulnerabilities and security or compliance related misconfigurations. As your teams build applications, Sysdig prevents vulnerable images from being pushed through your CI/CD pipeline (Jenkins, Bamboo, Gitlab or AWS CodePipeline) and identifies new vulnerabilities in production. Sysdig Secure is part of the Sysdig Secure DevOps Platform, which lets you confidently run cloud-native workloads in production.
AWS ECR scanning with Sysdig Secure
Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon ECR is integrated with AWS container services like ECS and EKS, simplifying your development to production workflow.
Sysdig Secure provides additional ECR scanning capabilities on top of ECR default image scanning based Clair, such as scanning for non-OS vulnerabilities (3rd party libraries), misconfigurations, and compliance checks.
The first step is to set up your ECR credentials in Sysdig Secure to give access to the registry. Once configured, Sysdig Secure pulls any image stored within the registry into the engine for analysis.
When an image is pulled into the scanning engine Sysdig Secure will provide visibility into:
- Official OS package vulnerabilities
- Unofficial package vulnerabilities
- Configuration checks (ex. exposing SSH in a Dockerfile, users running as root)
- Secrets, credentials like tokens, certificates and other sensitive data
- Known vulnerabilities & available updates
- Metadata (ex. size of an image)
- Compliance checks for frameworks like NIST 800-190, PCI etc
These artifacts are then stored and evaluated against custom scanning policies that can be specified to a particular particular registry, repository or image tag. These policies help detect vulnerabilities, misconfiguration, or compliance issues within your images and generate pass/fail results directly in the UI.
The report provides any OS/non-OS vulnerabilities discovered in detail. For each vulnerability discovered, Sysdig Secure shows the package version that it found in the image (which is affected by that vulnerability), and it also shows the version number that includes the fix for that issue. To remove the vulnerability, you’ll need to rebuild the container image to include a version of that package that has a fix available.
For example, the affected package might be in the base image itself. In this case, it is best to update the base images directly. In other cases, the package might be installed on top of the base image by a command in the Dockerfile. For example, it’s common to see package manager commands like apt or yum specified in the Dockerfile. If these specify the version of the affected package, you’ll need to edit the Dockerfile.
Now that we have discussed ECR scanning, let us talk about ECR vulnerability reporting and ECR vulnerability alerting.
AWS ECR vulnerability reporting and alerting
Application security teams often need to ensure they address any high severity CVE with a fix within 30 days.
With Sysdig Secure, you can help bring traditional patch management processes to containers. Teams can set up policies for vulnerability reporting both in ECR and/or running in a particular AWS cluster or region. You can then query for specific vulnerabilities by advanced conditions like CVE ID, severity, fix, age or any other criteria.
For example, if new CVE has been announced, you may want to report on images in ECR that are vulnerable because of it:
After scanning the images currently in ECR, the next question typically is what were the image scanning results for all the builds in the past for that service? Vulnerability management teams need reports on all the scans that have happened against a specific repo over time in ECR.
With Sysdig Secure, you can query by policy and apply a specific scope that answers that question with less than 3 clicks:
Finally, it is easy to set up vulnerability alerting for ECR. You can set alerts for your team if a new image is analyzed in ECR or a CVE gets an updated score. You can create downstream notifications via Slack, AWS SNS, etc. or create your own custom webhooks to take specific actions.
Hopefully you see how easy it is to get up and running with both AWS Elastic Container Registry and Sysdig Secure. You can also dig deeper into Sysdig’s container and Kubernetes image scanning capabilities or read more about how Sysdig extends security services across various AWS container services (EKS, ECS)
Or go to www.sysdig.com and contact us for a custom demo!