Table of Contents
...
- Using Synopsys Detect on a local workstation.
- Using an AWS CodePipeline Custom Action.
These methods are described as follows:
...
- One or more container images stored in ECR. (For more information about publishing and storing images in ECR, refer to the container registry topic about pushing and pulling images.)
- AWS CLI is installed.
- Docker is installed.
To scan container images locally that are stored in ECR, follow these steps:
Authenticate with ECR. ECR issues authorization tokens that expire after 12 hours, so repeat this step if pulls later start failing with authentication errors. The `aws ecr get-login` command prints a `docker login` command with the token embedded, and piping it to `sh` runs it. Note that `get-login` exists only in AWS CLI v1; it was removed from v2, where `aws ecr get-login-password` (piped into `docker login --password-stdin`) replaces it.
Generate Docker Login for ECR (Linux):
```bash
aws ecr get-login --region <region> --no-include-email | sh
```
Invoke Synopsys Detect, setting at least the following Detect properties. `detect.docker.image` makes Detect pull the image through the local Docker daemon, which is why the ECR login from the previous step must still be valid. Two cautions: the API token typed on the command line ends up in shell history, so on shared machines keep the literal value out of the command (for example by reading it from an environment variable); and `bash <(curl ...)` executes whatever `detect.sh` the server returns without any check, so in CI download the script once, review or checksum it, and run the saved copy.
Synopsys Detect - Scanning Images:
```bash
bash <(curl -s https://detect.synopsys.com/detect.sh) \
  --blackduck.url=<URL> \
  --blackduck.api.token=<token> \
  --detect.docker.image=<Image URI> \
  --detect.project.name=<Project Name>
```
When the scan completes, open the project version in Black Duck to view the results.
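The local procedure above, collected into one runnable script. This is an added example and is not part of the original page or of Synopsys's own tooling. It assumes AWS CLI v2 (so it uses `aws ecr get-login-password` instead of the removed `get-login`), that the Black Duck URL and API token are exported as `BLACKDUCK_URL` and `BLACKDUCK_API_TOKEN` (variable names chosen for this example), and it additionally sets `detect.project.version.name` to the image tag, which the page's command does not. It also refuses to run against anything that is not an ECR image URI, so the ECR token is never sent to another registry by mistake.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: scan one ECR image with Synopsys Detect.
# Assumptions (mine, not the page's): AWS CLI v2, Docker, curl and Java are installed;
# the AWS credentials allow ecr:GetAuthorizationToken and pull access to the
# repository; BLACKDUCK_URL and BLACKDUCK_API_TOKEN (names chosen for this example)
# are exported in the environment.
set -eu

# Split an ECR image URI of the form
#   <account_id>.dkr.ecr.<region>.amazonaws.com/<repository>[:<tag>]
# into "registry region repository tag" (tag defaults to "latest").
# Returns 1 for anything that is not a tag-addressed, commercial-partition ECR URI.
parse_ecr_image_uri() {
  local uri="$1" registry path region repository tag
  registry="${uri%%/*}"
  path="${uri#*/}"
  [ "$path" != "$uri" ] || return 1          # no '/' at all: not an image URI
  case "$registry" in
    *.dkr.ecr.*.amazonaws.com) ;;
    *) return 1 ;;                             # some other registry
  esac
  case "$path" in
    *@*) return 1 ;;                           # digest references are out of scope here
  esac
  region="${registry#*.dkr.ecr.}"
  region="${region%.amazonaws.com}"
  case "$path" in
    *:*) repository="${path%:*}"; tag="${path##*:}" ;;
    *)   repository="$path";      tag="latest" ;;
  esac
  [ -n "$repository" ] && [ -n "$tag" ] || return 1
  printf '%s %s %s %s\n' "$registry" "$region" "$repository" "$tag"
}

# Log in to the image's own registry. `aws ecr get-login` was removed in AWS CLI v2;
# get-login-password hands the 12-hour token to docker on stdin instead of placing
# it on the command line.
ecr_login() {
  local registry="$1" region="$2"
  aws ecr get-login-password --region "$region" \
    | docker login --username AWS --password-stdin "$registry"
}

scan_ecr_image() {
  local image_uri="$1" parts registry region repository tag
  : "${BLACKDUCK_URL:?export BLACKDUCK_URL}" "${BLACKDUCK_API_TOKEN:?export BLACKDUCK_API_TOKEN}"
  parts="$(parse_ecr_image_uri "$image_uri")" \
    || { echo "refusing to scan: '$image_uri' is not an ECR image URI" >&2; return 1; }
  # parts is space-separated and contains no whitespace, so word splitting is safe
  set -- $parts
  registry="$1"; region="$2"; repository="$3"; tag="$4"

  ecr_login "$registry" "$region"

  # Fetch detect.sh to a file rather than `bash <(curl ...)`, so it can be read
  # (or compared with a known-good copy) before anything from the network executes.
  curl -fsSL -o detect.sh https://detect.synopsys.com/detect.sh

  # Project = repository name (as the page suggests), version = image tag, so each
  # pushed tag gets its own version in Black Duck. The token comes from the
  # environment, so it is not stored in shell history with the command.
  bash detect.sh \
    --blackduck.url="$BLACKDUCK_URL" \
    --blackduck.api.token="$BLACKDUCK_API_TOKEN" \
    --detect.docker.image="$image_uri" \
    --detect.project.name="$repository" \
    --detect.project.version.name="$tag"
}

# Usage: ./scan-ecr-image.sh 123456789012.dkr.ecr.us-east-1.amazonaws.com/team/app:1.2.3
if [ "$#" -ge 1 ]; then
  scan_ecr_image "$1"
fi
```

Run it with the full image URI as the only argument; with no argument it defines the functions and exits, which keeps it safe to source in CI wrappers.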
Using the CodePipeline Custom Action
- Before you can scan images in ECR using a CodePipeline Custom Action, add your Black Duck credentials to the AWS Systems Manager Parameter Store. Store the API token as a SecureString parameter so that it is encrypted with KMS at rest and readable only by principals that hold both `ssm:GetParameter` and the matching `kms:Decrypt` permission.
- Follow the instructions for the AWS CodePipeline Custom Action.
- Create the Pipeline by using ECR as the Source, and configure the following information in the Black Duck Custom Action step:
- Input Artifact: Source Artifact.
- Black Duck Project Name: The name of the Black Duck project (using the ECR image name is a good idea).
- ECR Region Name: The Region of the ECR registry that holds the image you want to scan.
- Image Name: The full URI of the image, usually in the format `<account_id>.dkr.ecr.<region>.amazonaws.com/<image_name>:<image_tag>`.
- S3 Bucket Name: The S3 bucket to which the scan results are published.
- S3 Bucket Region: The Region of the S3 bucket to which the scan results are published.
Tip: Using the `latest` tag when specifying the image name lets a push of a new image version trigger a re-scan. To use this, ensure that an image with the `latest` tag exists in your registry. Two caveats: a repository with tag immutability enabled rejects a second push of `latest`, so this approach requires mutable tags; and because the trigger is tied to a tag rather than a digest, record the image digest alongside the scan if you need to tie a result to a specific build.
...