feat(ecr): real image scanning via optional Trivy CLI #771
Merged
vieiralucas merged 2 commits into main on Apr 26, 2026
ECR's StartImageScan now reconstructs the pushed layers as a docker-format tar and shells out to Trivy when the binary is available. DescribeImageScanFindings exposes the parsed CVE output (severities, CVE IDs, package versions, fix info, primary URL). When Trivy is not installed, scans complete with an empty findings list so client plumbing keeps working without pulling in another binary dependency. FAKECLOUD_TRIVY_BIN overrides the binary path for CI installs.

Drops the legacy `isSynthetic` marker from the response — it was a fakecloud-only field that AWS's surface doesn't include and it became misleading once real Trivy results can land here.

- New crates/fakecloud-ecr/src/scanner.rs: detection, tar build, trivy invocation, Trivy JSON parser
- StartImageScan now spawns the scan in the background, returning IN_PROGRESS immediately; results land async when Trivy finishes
- Severity mapping: Trivy CRITICAL/HIGH/MEDIUM/LOW -> ECR same; anything else -> UNDEFINED
- Unit tests cover parser + severity mapping + env override
- E2E test asserts scan transitions IN_PROGRESS -> COMPLETE
- Docs updated to call out the Trivy-or-fallback behavior
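The scanner flow the description outlines (binary discovery via FAKECLOUD_TRIVY_BIN or PATH, the `trivy image --input <tar> --format json` invocation, parsing Trivy's JSON into ECR-shaped findings with the stated severity mapping, and the empty-findings fallback when Trivy is absent or fails), as an added Python sketch. This is not the fakecloud crate's code (the real implementation is Rust in crates/fakecloud-ecr/src/scanner.rs); the function names, the Finding dataclass and the embedded sample report are constructed for this example, and treating a non-executable override path as "not installed" is this example's own choice.

```python
import json
import os
import shutil
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# ECR's severity buckets; Trivy's UNKNOWN (or anything unexpected) becomes UNDEFINED.
ECR_SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def map_severity(trivy_severity: Optional[str]) -> str:
    """Map a Trivy severity onto ECR's enum: same name for the four buckets, else UNDEFINED."""
    sev = (trivy_severity or "").strip().upper()
    return sev if sev in ECR_SEVERITIES else "UNDEFINED"


@dataclass(frozen=True)
class Finding:
    name: str                     # CVE ID
    severity: str                 # ECR severity after mapping
    package_name: str
    package_version: str
    fixed_version: Optional[str]  # None when Trivy reports no fix
    uri: Optional[str]            # Trivy's PrimaryURL
    description: str

    def to_ecr(self) -> dict:
        """Render in the shape ECR returns under imageScanFindings.findings."""
        attrs = [{"key": "package_name", "value": self.package_name},
                 {"key": "package_version", "value": self.package_version}]
        if self.fixed_version:
            attrs.append({"key": "fixed_version", "value": self.fixed_version})
        out = {"name": self.name, "severity": self.severity,
               "description": self.description, "attributes": attrs}
        if self.uri:
            out["uri"] = self.uri
        return out


def find_trivy_binary(env: Optional[Dict[str, str]] = None) -> Optional[str]:
    """FAKECLOUD_TRIVY_BIN wins when set; otherwise look for `trivy` on PATH."""
    env = dict(os.environ) if env is None else env
    override = env.get("FAKECLOUD_TRIVY_BIN")
    if override:
        # This example's choice: an override that is not executable counts as "not installed".
        return override if os.access(override, os.X_OK) else None
    return shutil.which("trivy", path=env.get("PATH", ""))


def parse_trivy_report(report_json: str) -> List[Finding]:
    """Turn `trivy image --format json` output into ECR-style findings.

    Trivy lists one entry per scanned target under Results; Vulnerabilities is
    absent or null for a clean target, so both cases are tolerated here.
    """
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                name=vuln.get("VulnerabilityID", ""),
                severity=map_severity(vuln.get("Severity")),
                package_name=vuln.get("PkgName", ""),
                package_version=vuln.get("InstalledVersion", ""),
                fixed_version=vuln.get("FixedVersion") or None,
                uri=vuln.get("PrimaryURL"),
                description=vuln.get("Description") or vuln.get("Title") or "",
            ))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """findingSeverityCounts as ECR reports it next to the findings list."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def scan_image_tar(tar_path: str, env: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Run Trivy over a docker-format tar when available; otherwise complete with no findings."""
    binary = find_trivy_binary(env)
    if binary is None:
        return []  # Trivy not installed: the scan still completes, with an empty findings list
    try:
        proc = subprocess.run([binary, "image", "--input", tar_path, "--format", "json"],
                              capture_output=True, text=True, check=True, timeout=600)
        return parse_trivy_report(proc.stdout)
    except (subprocess.SubprocessError, json.JSONDecodeError, OSError) as exc:
        # Mirrors the PR's "log and fall back to a synthetic empty result" on tar/Trivy errors.
        print(f"trivy scan failed, falling back to empty findings: {exc}")
        return []


# Constructed Trivy-shaped report so the parser runs offline (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "example:1.0 (alpine 3.19.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0", "Severity": "CRITICAL",
              "Title": "constructed sample", "PrimaryURL": "https://example.invalid/CVE-0000-0001"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.3.4-r1", "Severity": "UNKNOWN", "Title": "constructed, no fix"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},  # clean target
    ],
})

if __name__ == "__main__":
    for finding in parse_trivy_report(SAMPLE_REPORT):
        print(finding.to_ecr())
```

The fallback path is the point to watch operationally: a scan that "completes" with zero findings looks identical whether the image is clean or Trivy was simply missing, so anything consuming these results in CI should check for the binary (or the FAKECLOUD_TRIVY_BIN override) rather than inferring health from an empty list.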
4 issues found across 8 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="crates/fakecloud-e2e/tests/ecr_scan_synthetic_flag.rs">
<violation number="1" location="crates/fakecloud-e2e/tests/ecr_scan_synthetic_flag.rs:83">
P3: Use an absence check here; `is_null()` can’t distinguish a missing field from an explicit `null`, so this test would still pass if `isSynthetic` were returned as `null`.</violation>
</file>
<file name="crates/fakecloud-ecr/src/scanner.rs">
<violation number="1" location="crates/fakecloud-ecr/src/scanner.rs:106">
P2: Do not swallow base64 decode errors when rebuilding layers; return an error so the scan can fail/fallback explicitly instead of scanning empty layers.</violation>
</file>
<file name="crates/fakecloud-ecr/src/service.rs">
<violation number="1" location="crates/fakecloud-ecr/src/service.rs:1946">
P1: `StartImageScan` scans all repository layers instead of only the target image’s layers, so findings can be contaminated by other images in the repo.</violation>
<violation number="2" location="crates/fakecloud-ecr/src/service.rs:1971">
P1: Background scan completion updates `scan_findings` without triggering snapshot persistence, so completed results can be lost and restored as permanently `IN_PROGRESS` after restart.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
- Filter scan to layers actually referenced by the target image's manifest, so other images in the repo don't contaminate findings
- Persist snapshot after background scan completes, so restarts don't resurrect a permanently IN_PROGRESS state
- Surface base64 decode errors when rebuilding the image tar instead of silently scanning empty bytes
- Use object-key absence (not is_null) when asserting isSynthetic was removed from DescribeImageScanFindings
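The two scanner-side review points the fix commit addresses (include only the blobs the target manifest references, and surface a base64 decode failure rather than scanning empty bytes), as an added Python example that is not the crate's code. `build_docker_tar`, `LayerDecodeError`, the placeholder digests and the in-memory `repo_blobs` map are assumptions of this example; the tar layout follows the `docker save` convention (a top-level `manifest.json` naming the `Config` file and `Layers` paths) that `trivy image --input` reads.

```python
import base64
import binascii
import io
import json
import tarfile
from typing import Dict, List


class LayerDecodeError(ValueError):
    """Raised when a referenced blob is missing or not valid base64, instead of scanning empty bytes."""


def referenced_digests(manifest: dict) -> List[str]:
    """Config digest first, then each layer digest in manifest order."""
    return [manifest["config"]["digest"]] + [layer["digest"] for layer in manifest.get("layers", [])]


def build_docker_tar(manifest: dict, repo_blobs: Dict[str, str], repo_tag: str) -> bytes:
    """Build a `docker save`-style tar holding only the blobs this manifest references.

    repo_blobs maps digest -> base64 text as the (in-memory) repository stores it. Blobs of
    other images in the same repository are never added, so they cannot contaminate findings.
    """
    config_digest, *layer_digests = referenced_digests(manifest)
    decoded: Dict[str, bytes] = {}
    for digest in [config_digest] + layer_digests:
        if digest not in repo_blobs:
            raise LayerDecodeError(f"manifest references missing blob {digest}")
        try:
            # validate=True rejects non-alphabet characters instead of silently dropping them.
            decoded[digest] = base64.b64decode(repo_blobs[digest], validate=True)
        except binascii.Error as exc:
            raise LayerDecodeError(f"blob {digest} is not valid base64: {exc}") from exc

    config_name = config_digest.split(":", 1)[1] + ".json"
    layer_names = [d.split(":", 1)[1] + "/layer.tar" for d in layer_digests]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add(config_name, decoded[config_digest])
        for digest, name in zip(layer_digests, layer_names):
            add(name, decoded[digest])
        # docker-format index: one entry per image, pointing at the config and layer files above.
        add("manifest.json", json.dumps(
            [{"Config": config_name, "RepoTags": [repo_tag], "Layers": layer_names}]).encode())
    return buf.getvalue()


def tar_members(tar_bytes: bytes) -> Dict[str, bytes]:
    """Read every regular file back out of the tar (used to inspect the result)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def listed_layers(tar_bytes: bytes) -> List[str]:
    """Layer paths named by manifest.json inside the tar."""
    return json.loads(tar_members(tar_bytes)["manifest.json"])[0]["Layers"]


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed repository contents: two images share one repo. Digests are placeholders, not real hashes.
REPO_BLOBS = {
    "sha256:aaaaaaaa": b64(b'{"architecture": "amd64", "os": "linux"}'),  # image A config
    "sha256:11111111": b64(b"layer-one"),                                  # image A layer
    "sha256:bbbbbbbb": b64(b'{"architecture": "arm64", "os": "linux"}'),  # image B config
    "sha256:22222222": b64(b"layer-two"),                                  # image B layer
}
MANIFEST_A = {"config": {"digest": "sha256:aaaaaaaa"}, "layers": [{"digest": "sha256:11111111"}]}

if __name__ == "__main__":
    print(sorted(tar_members(build_docker_tar(MANIFEST_A, REPO_BLOBS, "example:a"))))
```

Building the tar from the manifest rather than from every blob in the repository is what keeps one image's findings from being attributed to another; raising `LayerDecodeError` lets the caller take the explicit fallback path the PR describes instead of producing a clean-looking scan of an empty layer.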
Summary
ECR's StartImageScan now performs a real vulnerability scan when the optional Trivy CLI is available. Layers are reconstructed as a docker-format tar, fed to `trivy image --input --format json`, and the parsed CVE output is exposed via DescribeImageScanFindings (severities, CVE IDs, package versions, fix info, primary URL). When Trivy isn't installed, scans complete with an empty findings list so client plumbing keeps working without forcing the dep.
Test plan
Summary by cubic
ECR image scans now run real vulnerability analysis using the optional Trivy CLI and return parsed CVE findings via DescribeImageScanFindings. Scans run in the background; if Trivy isn’t available, they complete with empty findings so clients still work.
New Features
- Real ECR image scans via `trivy image --input <tar> --format json` (scans only layers referenced by the image’s manifest).
- `FAKECLOUD_TRIVY_BIN` overrides the Trivy binary path; persists results to the snapshot; added `crates/fakecloud-ecr/src/scanner.rs`; unit + e2e tests; docs updated.
- On tar/decode or Trivy errors, we log and fall back to a synthetic empty result.
Migration
- The `isSynthetic` field is removed from DescribeImageScanFindings; drop any checks for it.
- Real findings require Trivy to be available (or set `FAKECLOUD_TRIVY_BIN`); otherwise you’ll receive a valid response with empty findings.
Written for commit 8b94e4a. Summary will update on new commits.