This script returns ECR scan results for known vulnerabilities, and posts them to Slack via a webhook.
Information about ECR scan on image push is available at https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
The script takes arguments for image tag to return results for, the Slack webhook to use for posting results and whether to post to slack.
If omitted, the image tag will default to latest
, and the webhook will default to the system environment variable $SLACK_WEBHOOK
.
The script will return the first 5 results, in order of most severe first, for each image. More results can be returned using the result_limit argument when running the script.
pip install -r requirements.txt
The script uses your IAM user credentials to assume the appropriate role.
You can provide the script credentials using aws-vault
aws-vault exec identity -- python aws_ecr_scan_results.py \
--iam_role_name operator \
--ecr_aws_account_id 311462405659 \
--search online-lpa
to configure other options, use the additional arguments
aws-vault exec identity -- python aws_ecr_scan_results.py \
--iam_role_name operator \
--ecr_aws_account_id 311462405659
--search use_an_lpa \
--tag latest \
--webhook "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX" \
--post_to_slack True \
--result_limit 10