...

These methods are described as follows:

...

To scan container images locally that are stored in ECR, follow these steps:

  1. Authenticate with ECR. ECR issues authentication tokens that expire after 12 hours. The aws ecr get-login command prints a docker login command that already contains the credentials; piping it to sh runs it.

    Generate Docker Login for ECR (Linux):
        aws ecr get-login --region <region> --no-include-email | sh


  2. Invoke Synopsys Detect and configure at least the following Detect properties:

    Synopsys Detect - Scanning Images:
        bash <(curl -s https://detect.synopsys.com/detect.sh) \
        --blackduck.url=<URL> \
        --blackduck.api.token=<token> \
        --detect.docker.image=<Image URI> \
        --detect.project.name=<Project Name>


  3. On scan completion, navigate to the project version in Black Duck to view the scan results.
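The two steps above, combined into one script as an added example (this is not the page's or Synopsys's own code). It refuses to scan anything whose URI does not have the ECR layout <account_id>.dkr.ecr.<region>.amazonaws.com/<image_name>:<image_tag> described later on this page, derives the region for the get-login step from that URI (the same value the CodePipeline "ECR Region Name" field needs), and hands the API token to Detect through the environment rather than as a command-line argument, so it does not appear in process listings or shell history. Assumptions: the function names, the BLACKDUCK_URL variable and the sample image URI are constructed for this example; detect.sh is saved to a temporary file instead of being run through bash process substitution so the script stays POSIX sh; and Detect's documented rule that any property can be supplied as an environment variable (blackduck.api.token becomes BLACKDUCK_API_TOKEN) is relied on.

```sh
#!/bin/sh
# Added example, not part of the original page: wrapper around the ECR login
# plus Detect scan procedure. Helper names, BLACKDUCK_URL and the sample image
# URI are this example's own assumptions.

# Parse <account_id>.dkr.ecr.<region>.amazonaws.com/<image_name>:<image_tag>.
# Prints "account region repository tag" on one line, or returns 1 when the
# URI does not follow that layout (non-ECR registry, bad account id, no tag).
ecr_image_fields() {
  uri=$1
  host=${uri%%/*}                  # e.g. 123456789012.dkr.ecr.eu-west-1.amazonaws.com
  path=${uri#*/}                   # e.g. team/app:1.4.2
  [ "$host" != "$uri" ] || return 1          # no '/' at all
  case "$host" in
    *.dkr.ecr.*.amazonaws.com) ;;
    *) return 1 ;;                           # not an ECR registry host
  esac
  case "$path" in
    *:*) ;;
    *) return 1 ;;                           # an explicit tag is required
  esac
  account=${host%%.*}
  region=${host#*.dkr.ecr.}
  region=${region%.amazonaws.com}
  repo=${path%:*}
  tag=${path##*:}
  # AWS account ids are exactly 12 digits
  case "$account" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) return 1 ;;
  esac
  [ -n "$region" ] && [ -n "$repo" ] && [ -n "$tag" ] || return 1
  printf '%s %s %s %s\n' "$account" "$region" "$repo" "$tag"
}

# Just the region, for "aws ecr get-login --region ..." (and the CodePipeline
# "ECR Region Name" field). Fails if the URI is not a valid ECR image URI.
ecr_image_region() {
  fields=$(ecr_image_fields "$1") || return 1
  set -- $fields
  printf '%s\n' "$2"
}

# Run the documented procedure for one image. Needs BLACKDUCK_URL and
# BLACKDUCK_API_TOKEN in the environment; the token is exported for Detect
# and is never placed on the command line or echoed.
scan_ecr_image() {
  image=$1
  project=${2:-${image#*/}}        # default project name: <image_name>:<image_tag>
  region=$(ecr_image_region "$image") || {
    echo "refusing to scan: '$image' is not an ECR image URI" >&2; return 1; }
  if [ -z "${BLACKDUCK_URL:-}" ] || [ -z "${BLACKDUCK_API_TOKEN:-}" ]; then
    echo "BLACKDUCK_URL and BLACKDUCK_API_TOKEN must be set" >&2; return 1
  fi
  export BLACKDUCK_API_TOKEN
  # Step 1: ECR login (token is valid for 12 hours)
  aws ecr get-login --region "$region" --no-include-email | sh || return 1
  # Step 2: Detect; same script as on the page, fetched to a file first
  tmp=$(mktemp) || return 1
  curl -s https://detect.synopsys.com/detect.sh -o "$tmp" || { rm -f "$tmp"; return 1; }
  bash "$tmp" \
    --blackduck.url="$BLACKDUCK_URL" \
    --detect.docker.image="$image" \
    --detect.project.name="$project"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Example invocation with a constructed image URI; only runs when DO_SCAN=1
# so the helpers above can be sourced or tested without network access.
if [ "${DO_SCAN:-0}" = 1 ]; then
  scan_ecr_image "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments/api:2.3.0" "payments-api"
fi
```

Invoke it as `BLACKDUCK_URL=https://<your Black Duck host> BLACKDUCK_API_TOKEN=<token> DO_SCAN=1 sh scan-ecr.sh`; without DO_SCAN the file only defines the helpers, which is convenient for sourcing the URI check into other automation.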

Using the CodePipeline Custom Action

  1. Before you can scan images in ECR using a CodePipeline Custom Action, add your Black Duck credentials to the AWS Parameter Store.
  2. Follow the instructions for the AWS CodePipeline Custom Action.
  3. Create the pipeline using ECR as the source, and configure the following in the Black Duck Custom Action step:
    • Input Artifact: Source Artifact.
    • Black Duck Project Name: the name of the project (using the ECR image name is a good choice).
    • ECR Region Name: the region in which the image you want to scan is stored.
    • Image Name: the full URI of the image, usually in the format <account_id>.dkr.ecr.<region>.amazonaws.com/<image_name>:<image_tag>.
    • S3 Bucket Name: the S3 bucket to which the scan results are published.
    • S3 Bucket Region: the region of the S3 bucket to which the scan results are published.

Tip: Specifying the image name with the latest tag lets the pipeline trigger a re-scan whenever a new version of the image is pushed to the registry. For this to work, an image tagged latest must exist in your registry.

...