- This binary shows ECR image scan findings in a human-readable format.
- If `scan_on_push` or continuous scanning is disabled on the ECR repository, the binary triggers an ECR scan itself once the retry timeout is reached.
- It can be integrated into CI pipelines so that every newly built Docker image is scanned for vulnerabilities before it is promoted.
- Prerequisite: ECR image scanning is enabled in your AWS account.
- Go to the GitHub releases page: https://github.com/sam0392in/aws-ecr-image-scanner/releases
- Download the binary from the latest release, or fetch it from the command line:
```bash
# macOS
wget https://github.com/sam0392in/aws-ecr-image-scanner/releases/download/<LATEST TAG>/aws-ecr-image-scanner-darwin && \
chmod 755 aws-ecr-image-scanner-darwin && \
mv aws-ecr-image-scanner-darwin /usr/local/bin/aws-ecr-image-scanner
```

```bash
# Linux
wget https://github.com/sam0392in/aws-ecr-image-scanner/releases/download/<LATEST TAG>/aws-ecr-image-scanner-linux && \
chmod 755 aws-ecr-image-scanner-linux && \
mv aws-ecr-image-scanner-linux /usr/local/bin/aws-ecr-image-scanner
```
```bash
aws-ecr-image-scanner scan --repo <ECR REPOSITORY NAME> --tag <IMAGE TAG> --severity <SEVERITY>
```

Example:

```bash
aws-ecr-image-scanner scan --repo sample-test --tag latest --severity critical,high,medium
```
- `--help`: Show context-sensitive help.
- `--repo`: Repository name.
- `--tag`: Image tag.
- `--severity`: Comma-separated list of one or more of `critical`, `high`, `medium`, `low`, `informational`, `all`.
- `--max-retry`: [OPTIONAL] [DEFAULT: 5] Maximum number of attempts to fetch the ECR scan status; raise it to wait longer. Each retry waits roughly 5 seconds, and the retry counter starts at 2.
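The two ideas above, waiting for the scan with a bounded number of retries and turning the filtered findings into a pass/fail signal for a CI pipeline, are modelled in the following added example. It is not the scanner's own code and does not call AWS: the `describe-image-scan-findings` response is replayed from constructed sample data through an injected `fetch` callable (in a real pipeline that callable would wrap `boto3.client("ecr").describe_image_scan_findings(...)`). Function names, the exit-code convention (0 clean, 1 findings, 2 scan not ready) and the 5-second default delay are assumptions made for the example.

```python
"""Offline model of an ECR image-scan gate for CI (example, not the scanner's code).

Polls the scan status with a bounded retry count, filters findings by a
comma-separated severity list and returns a CI exit code.
"""
import sys
from typing import Callable, Dict, Iterable, List

# Severity levels as ECR reports them; "all" on the command line expands to these.
ALL_SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED")


class ScanNotReady(Exception):
    """The scan was still not COMPLETE after max_retry polls."""


def parse_severity_option(option: str) -> List[str]:
    """Turn a --severity value such as 'critical,high,medium' into ECR severity names."""
    wanted = [s.strip().upper() for s in option.split(",") if s.strip()]
    if "ALL" in wanted:
        return list(ALL_SEVERITIES)
    unknown = [s for s in wanted if s not in ALL_SEVERITIES]
    if unknown:
        raise ValueError("unknown severity: " + ", ".join(unknown))
    return wanted


def wait_for_scan(fetch: Callable[[], dict], max_retry: int = 5, delay: float = 5.0,
                  sleep: Callable[[float], None] = lambda _: None) -> dict:
    """Poll fetch() until imageScanStatus.status is COMPLETE or max_retry is spent.

    Each unsuccessful poll sleeps `delay` seconds (assumed 5 s per retry, as the
    --max-retry help text suggests). `sleep` is injectable so tests run instantly.
    """
    for _ in range(max_retry):
        resp = fetch()
        status = resp.get("imageScanStatus", {}).get("status")
        if status == "COMPLETE":
            return resp
        if status == "FAILED":
            raise RuntimeError(resp["imageScanStatus"].get("description", "scan failed"))
        sleep(delay)
    raise ScanNotReady(f"exceeded wait attempts (max_retry={max_retry})")


def _attribute(finding: dict, key: str) -> str:
    """Read one key (package_name, package_version, ...) from a finding's attributes list."""
    return next((a["value"] for a in finding.get("attributes", []) if a["key"] == key), "")


def filter_findings(resp: dict, severities: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only findings whose severity is wanted, flattened into table rows."""
    keep = set(severities)
    rows = []
    for f in resp.get("imageScanFindings", {}).get("findings", []):
        if f.get("severity") in keep:
            rows.append({"name": f["name"], "severity": f["severity"],
                         "description": f.get("description", ""),
                         "package_name": _attribute(f, "package_name"),
                         "package_version": _attribute(f, "package_version")})
    return rows


def render_table(rows: List[Dict[str, str]]) -> str:
    """Plain-text table with one line per finding."""
    cols = ["name", "severity", "package_name", "package_version", "description"]
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in cols}
    header = " | ".join(c.upper().replace("_", " ").ljust(widths[c]) for c in cols)
    rule = "-+-".join("-" * widths[c] for c in cols)
    body = [" | ".join(r[c].ljust(widths[c]) for c in cols) for r in rows]
    return "\n".join([header, rule] + body)


def gate(fetch: Callable[[], dict], severity_option: str, max_retry: int = 5, out=sys.stdout) -> int:
    """CI exit code: 0 = nothing at the chosen severities, 1 = findings, 2 = scan not ready."""
    severities = parse_severity_option(severity_option)
    try:
        resp = wait_for_scan(fetch, max_retry=max_retry)
    except ScanNotReady as err:
        print(f"ERROR: {err}; rerun with a larger --max-retry", file=out)
        return 2
    rows = filter_findings(resp, severities)
    if not rows:
        print("No findings at severities " + ",".join(severities), file=out)
        return 0
    print(render_table(rows), file=out)
    return 1


def make_fetch(responses: List[dict]) -> Callable[[], dict]:
    """Replay canned responses in order, repeating the last one once they run out."""
    pending = list(responses)

    def fetch() -> dict:
        return pending.pop(0) if len(pending) > 1 else pending[0]
    return fetch


# Constructed sample data in the shape of describe-image-scan-findings:
# two polls still IN_PROGRESS, then COMPLETE with the finding shown in this README.
IN_PROGRESS = {"imageScanStatus": {"status": "IN_PROGRESS"}}
COMPLETE = {"imageScanStatus": {"status": "COMPLETE"},
            "imageScanFindings": {"findings": [{
                "name": "CVE-2021-33910", "severity": "HIGH",
                "description": "basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 "
                               "has a Memory Allocation with an Excessive Size Value",
                "attributes": [{"key": "package_name", "value": "systemd"},
                               {"key": "package_version", "value": "245.4-4ubuntu3.2"}]}]}}
SAMPLE_RESPONSES = [IN_PROGRESS, IN_PROGRESS, COMPLETE]

if __name__ == "__main__":
    sys.exit(gate(make_fetch(SAMPLE_RESPONSES), "critical,high,medium"))
```

Run as a script it polls the sample twice, prints the single HIGH finding and exits 1, which is what a pipeline step would treat as a failed gate; `--severity critical` on the same data exits 0, and a scan that never completes within `max_retry` exits 2 with the same "rerun with a larger --max-retry" advice the scanner gives.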
Sample output for a completed scan:

```text
STATUS: waiting to get scan status...
STATUS: ECR Image Scan Completed ..!!!
│────────────────│──────────│────────────────────────────────────────────────────────│──────────────│──────────────────│
│ NAME           │ SEVERITY │ DESCRIPTION                                            │ PACKAGE NAME │ PACKAGE VERSION  │
│────────────────│──────────│────────────────────────────────────────────────────────│──────────────│──────────────────│
│ CVE-2021-33910 │ HIGH     │ basic/unit-name.c in systemd prior to 246.15, 247.8,   │ systemd      │ 245.4-4ubuntu3.2 │
│                │          │ 248.5, and 249.1 has a Memory Allocation with an       │              │                  │
│                │          │ Excessive Size Value (involving strdupa and alloca for │              │                  │
│                │          │ a pathname controlled by a local attacker) that        │              │                  │
│                │          │ results in an operating system crash.                  │              │                  │
│────────────────│──────────│────────────────────────────────────────────────────────│──────────────│──────────────────│
```
If the scan has not finished within the retry window, the binary stops with:

```text
STATUS: waiting to get scan status...
ERROR: ResourceNotReady: exceeded wait attempts
```

Rerun the command with `--max-retry` set to a value greater than 5.
If the image cannot be found, the binary reports:

```text
STATUS: waiting to get scan status...
ERROR: ResourceNotReady: exceeded wait attempts
ERROR: ImageNotFoundException: The image with imageId {imageDigest:'null', imageTag:'1.1'} does not exist within the repository with name 'sample-test' in the registry with id '12143546'
```

Check that the image tag and repository name are correct.