Scanning images in Amazon Elastic Container Registry (ECR)

Introduction

Black Duck supports scanning images stored in Amazon Elastic Container Registry (ECR). Image scan results are sent to your dedicated Black Duck instance, providing vulnerability, license, and operational risk results for the open source software components identified in the ECR image.

There are two ways to scan container images in ECR:

These methods are described as follows:

Using Synopsys Detect on a local workstation

Before you can scan images in ECR using Synopsys Detect, ensure that the following requirements are met:

To scan container images locally that are stored in ECR, follow these steps:

  1. Authenticate with ECR. ECR uses authentication tokens that expire after 12 hours. The aws ecr get-login command generates a docker login command with authentication credentials; piping it to sh runs that login.

    Generate Docker Login for ECR (Linux)
    aws ecr get-login --region <region> --no-include-email | sh
  2. Invoke Synopsys Detect, and configure at least the following:

    Synopsys Detect - Scanning Images
    bash <(curl -s https://detect.synopsys.com/detect.sh) \
    --blackduck.url=<URL> \
    --blackduck.api.token=<token> \
    --detect.docker.image=<Image URI> \
    --detect.project.name=<Project Name>
  3. On scan completion, navigate to the project version in Black Duck to view the scan results.
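The two-step procedure above, wrapped in a script so the image URI is checked against the documented ECR form before any credentials are used. This is an added example, not Synopsys code; it assumes AWS CLI v1 (for aws ecr get-login), docker and curl on the path, and that the Black Duck URL and API token are supplied through the environment variables BLACKDUCK_URL and BLACKDUCK_API_TOKEN (hypothetical names chosen here).

```shell
#!/usr/bin/env bash
# Added example: scan one ECR image with Synopsys Detect.
# Assumes AWS CLI v1, docker, curl, and BLACKDUCK_URL / BLACKDUCK_API_TOKEN set.
set -eu

# Build an ECR image URI in the documented form
# <account_id>.dkr.ecr.<region>.amazonaws.com/<image_name>:<image_tag>.
build_ecr_uri() {
  account_id=$1; region=$2; image_name=$3; image_tag=${4:-latest}
  printf '%s.dkr.ecr.%s.amazonaws.com/%s:%s\n' "$account_id" "$region" "$image_name" "$image_tag"
}

# Succeed only for a URI of the ECR form (12-digit account id, region, repo, tag),
# so a typo cannot point Detect at a registry outside your account.
validate_ecr_uri() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}\.dkr\.ecr\.[a-z]{2}(-gov)?-[a-z]+-[0-9]\.amazonaws\.com/[a-z0-9._/-]+:[A-Za-z0-9._-]+$'
}

# Extract the region from a validated URI so the login targets the same registry.
region_of_ecr_uri() {
  printf '%s' "$1" | sed -E 's#^[0-9]{12}\.dkr\.ecr\.([^.]+)\.amazonaws\.com/.*$#\1#'
}

scan_ecr_image() {
  image_uri=$1; project=$2
  validate_ecr_uri "$image_uri" || { echo "not an ECR image URI: $image_uri" >&2; return 1; }
  region=$(region_of_ecr_uri "$image_uri")
  # Step 1: obtain a 12-hour ECR token and log Docker in (AWS CLI v1 syntax, as on the page).
  aws ecr get-login --region "$region" --no-include-email | sh
  # Step 2: run Detect against the image; the token is read from the environment, not typed inline.
  curl -s https://detect.synopsys.com/detect.sh | bash -s -- \
    --blackduck.url="$BLACKDUCK_URL" \
    --blackduck.api.token="$BLACKDUCK_API_TOKEN" \
    --detect.docker.image="$image_uri" \
    --detect.project.name="$project"
}

# The network steps run only when explicitly requested, e.g.
#   RUN_SCAN=1 ./scan.sh 123456789012 us-east-1 my-app v1.2.3
if [ "${RUN_SCAN:-0}" = 1 ]; then
  uri=$(build_ecr_uri "$1" "$2" "$3" "${4:-latest}")
  scan_ecr_image "$uri" "$3"
fi
```

On AWS CLI v2, aws ecr get-login no longer exists; replace the login line with aws ecr get-login-password piped into docker login --username AWS --password-stdin for the same registry host.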

Using the CodePipeline Custom Action

  1. Before you can scan images in ECR using a CodePipeline Custom Action, ensure that you add your Black Duck credentials to the AWS Parameter Store.
  2. Follow the instructions for the AWS CodePipeline Custom Action.
  3. Create the Pipeline by using ECR as the Source, and configure the following information in the Black Duck Custom Action step:
    • Input Artifact: Source Artifact.
    • Black Duck Project Name: the name of the Black Duck project (using the ECR image name is a good idea).
    • ECR Region Name: the region containing the image you want to scan.
    • Image Name: the full URI of the image, usually in the format <account_id>.dkr.ecr.<region>.amazonaws.com/<image_name>:<image_tag>.
    • S3 Bucket Name: the S3 bucket to which the scan results are published.
    • S3 Bucket Region: the region of the S3 bucket where the scan results are published.

Tip: Specifying the image name with the "latest" tag triggers a re-scan whenever a new version of the image is pushed to the registry. To use this, ensure that an image with the "latest" tag exists in your registry.

©2020 Synopsys, Inc. All Rights Reserved