Automated Image Scanning with AWS CodePipeline & ECR

In this post, I explain how to scan Docker images for vulnerabilities from a CI/CD pipeline. I use AWS CodePipeline to scan Docker images stored in Amazon ECR.
Note that I use AWS CDK to create all the resources; you can clone the complete project from this link.
Steps
- Setup the code repository
- Create an ECR repository
- Setup AWS CodePipeline with an image scanning stage
- Testing
Setup the Code Repository
In this example, I use AWS CodeCommit to host my source code. The source code contains a simple containerized Node.js application.
Creating a repository using AWS CDK
Code structure in CodeCommit

Create an ECR Repository
I use Amazon ECR as the Docker image repository. Amazon ECR comes with two built-in scanning options: “Basic” and “Enhanced” scanning.
Basic scanning supports “manual scans” and “scan on push” of images in the registry. Enhanced scanning, with Amazon Inspector, provides automated continuous scanning.
In this example, I use Basic scanning with the “scan on push” option. This scans images automatically when we push them to the registry. As shown in the code below, it creates a repository with “imageScanOnPush” enabled.
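Scan on push only produces findings; a pipeline still has to read them before an image is promoted, and Basic scanning is asynchronous, so the result may not be ready yet. The following is an added example (not the post's CDK code) of a small Python gate that evaluates a scan result against a severity threshold; it assumes the response shape of ECR's `DescribeImageScanFindings` API and runs offline on a constructed payload instead of calling boto3.

```python
"""Gate a pipeline on ECR basic-scan results.

Added example, not the post's code. It mirrors the response shape of ECR's
DescribeImageScanFindings API but runs offline on a constructed payload.
"""
from typing import Dict, List, Tuple

# Severity labels ECR basic scanning reports, least to most serious.
SEVERITY_ORDER = ["UNDEFINED", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample of a completed scan-on-push result. The CVE names are
# placeholders, not real findings.
SAMPLE_SCAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 2, "LOW": 1},
        "findings": [
            {"name": "CVE-EXAMPLE-0001", "severity": "HIGH", "uri": "https://example.invalid/0001"},
            {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM", "uri": "https://example.invalid/0002"},
            {"name": "CVE-EXAMPLE-0003", "severity": "MEDIUM", "uri": "https://example.invalid/0003"},
            {"name": "CVE-EXAMPLE-0004", "severity": "LOW", "uri": "https://example.invalid/0004"},
        ],
    },
}


def severities_at_or_above(threshold: str) -> List[str]:
    """Severity labels that block the pipeline for the given threshold."""
    return SEVERITY_ORDER[SEVERITY_ORDER.index(threshold):]


def evaluate_scan(scan: Dict, threshold: str = "HIGH") -> Tuple[bool, List[str]]:
    """Return (passed, reasons) for one DescribeImageScanFindings response.

    A scan that is still running or that failed counts as a failure, so an
    image whose findings are unknown is never promoted.
    """
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, [f"scan status is {status!r}, expected COMPLETE"]
    counts = scan["imageScanFindings"].get("findingSeverityCounts", {})
    blocking = [s for s in severities_at_or_above(threshold) if counts.get(s, 0) > 0]
    if not blocking:
        return True, []
    reasons = [f"{counts[s]} finding(s) of severity {s}" for s in blocking]
    for f in scan["imageScanFindings"].get("findings", []):
        if f["severity"] in blocking:
            reasons.append(f"  {f['name']} ({f['severity']}): {f['uri']}")
    return False, reasons
```

In a real stage the same function would be fed the output of `aws ecr describe-image-scan-findings` (or the boto3 equivalent), polled until the status is `COMPLETE`, and the build would exit non-zero when it returns `False`.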