Automate AWS ECR scanning
Question:
I have tried to automate ECR image scanning using the AWS CLI, but I am stuck at the scanning step. When I call aws ecr start-image-scan, it starts the scan. But how do I know the scan is finished? My images are large and it takes a few minutes. Could someone help me figure this out? I am using Python.
Answers:
You can use aws ecr wait [image-scan-complete] here. But it has some limitations.
It will poll every 5 seconds until a successful state has been reached. This will exit with a return code of 255 after 60 failed checks.
Another solution: you can use EventBridge to catch ECR scan completion. ecr-event-bridge generates an event like:
{
    "version": "0",
    "id": "85fc3613-e913-7fc4-a80c-a3753e4aa9ae",
    "detail-type": "ECR Image Scan",
    "source": "aws.ecr",
    "account": "123456789012",
    "time": "2019-10-29T02:36:48Z",
    "region": "us-east-1",
    "resources": [
        "arn:aws:ecr:us-east-1:123456789012:repository/my-repository-name"
    ],
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "my-repository-name",
        "finding-severity-counts": {
            "CRITICAL": 10,
            "MEDIUM": 9
        },
        "image-digest": "sha256:7f5b2640fe6fb4f46592dfd3410c4a79dac4f89e4782432e0378abcd1234",
        "image-tags": []
    }
}
It is simple. You have to make the aws ecr wait image-scan-complete API call after you start the scan. This aws ecr wait image-scan-complete command will wait till the scan is completed.
import subprocess

def wait_scan_results(repo_name, image_digest):
    # Blocks until the scan is COMPLETE; an argument list avoids shell quoting of the inputs
    wait_scan_cmd = ["aws", "ecr", "wait", "image-scan-complete", "--repository-name", repo_name,
                     "--image-id", f"imageDigest={image_digest}"]
    result = subprocess.run(wait_scan_cmd, capture_output=True, text=True)
    # Exit code 0 means COMPLETE; 255 means the waiter gave up after its 60 checks
    return result.returncode == 0, result.stdout + result.stderr
Please check https://www.youtube.com/watch?v=D5Aaj2uPeeo ; it shows how to automate ECR image scanning from A to Z using Python.
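The two answers describe a polling waiter (5-second interval, 60 checks, exit code 255 on timeout) and an EventBridge "ECR Image Scan" event carrying finding-severity-counts. The following is an added example, not code from the question or either answer: it reproduces that polling contract in plain Python, with the AWS call injected as a hypothetical describe_scan callable (standing in for boto3's describe_image_scan_findings) and sleep injectable, so the wait logic and a severity-threshold gate can be exercised without credentials. The sample statuses and event values are constructed.

```python
"""Wait for an ECR image scan to finish, then gate on its severity counts.

Added example. `describe_scan` is a hypothetical callable standing in for
boto3.client("ecr").describe_image_scan_findings(...); it must return a dict
with the same shape as that API response. `sleep` is injectable so tests
run instantly.
"""
import time
from typing import Callable, Dict, List

# Polling budget quoted in the first answer: 5 s interval, 60 checks (~5 min).
DEFAULT_DELAY_SECONDS = 5
DEFAULT_MAX_ATTEMPTS = 60

# ECR severities from least to most severe; unknown levels rank above CRITICAL.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


class ScanWaitError(RuntimeError):
    """The scan failed or the polling budget ran out (the CLI's exit code 255 case)."""


def wait_for_scan(describe_scan: Callable[[], Dict], *,
                  delay: float = DEFAULT_DELAY_SECONDS,
                  max_attempts: int = DEFAULT_MAX_ATTEMPTS,
                  sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Poll until imageScanStatus.status is COMPLETE and return that response.

    A FAILED status aborts immediately; exhausting max_attempts raises instead
    of looping forever, which is what the CLI waiter signals with exit code 255.
    """
    for attempt in range(1, max_attempts + 1):
        response = describe_scan()
        status = response.get("imageScanStatus", {}).get("status")
        if status == "COMPLETE":
            return response
        if status == "FAILED":
            reason = response["imageScanStatus"].get("description", "")
            raise ScanWaitError(f"scan failed: {reason}")
        if attempt < max_attempts:
            sleep(delay)
    raise ScanWaitError(f"scan not complete after {max_attempts} checks")


def counts_from_event(event: Dict) -> Dict[str, int]:
    """Pull finding-severity-counts out of an EventBridge 'ECR Image Scan' event."""
    if event.get("source") != "aws.ecr" or event.get("detail-type") != "ECR Image Scan":
        raise ValueError("not an ECR Image Scan event")
    detail = event["detail"]
    if detail.get("scan-status") != "COMPLETE":
        raise ScanWaitError(f"scan status is {detail.get('scan-status')}")
    return dict(detail.get("finding-severity-counts", {}))


def violates_policy(counts: Dict[str, int], fail_at: str = "HIGH") -> bool:
    """True when any finding is at or above fail_at; unknown levels fail closed."""
    threshold = SEVERITY_ORDER.index(fail_at)
    for severity, n in counts.items():
        rank = SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)
        if n > 0 and rank >= threshold:
            return True
    return False


# --- constructed sample data (not real scan output) ---------------------------

def fake_describe_factory(statuses: List[str]) -> Callable[[], Dict]:
    """Return a describe_scan stand-in that yields the given statuses in order."""
    queue = list(statuses)

    def describe_scan() -> Dict:
        status = queue.pop(0) if len(queue) > 1 else queue[0]  # last status repeats
        findings = {"findingSeverityCounts": {"CRITICAL": 10, "MEDIUM": 9}} if status == "COMPLETE" else {}
        return {"imageScanStatus": {"status": status}, "imageScanFindings": findings}
    return describe_scan


SAMPLE_EVENT = {  # same shape as the event quoted in the first answer; values constructed
    "source": "aws.ecr", "detail-type": "ECR Image Scan",
    "detail": {"scan-status": "COMPLETE", "repository-name": "my-repository-name",
               "finding-severity-counts": {"CRITICAL": 10, "MEDIUM": 9},
               "image-digest": "sha256:<constructed>"},
}


def wait_outcome(statuses: List[str], max_attempts: int = DEFAULT_MAX_ATTEMPTS) -> str:
    """Run the waiter over a status sequence without sleeping; return COMPLETE or the error text."""
    try:
        resp = wait_for_scan(fake_describe_factory(statuses), max_attempts=max_attempts, sleep=lambda _: None)
        return resp["imageScanStatus"]["status"]
    except ScanWaitError as exc:
        return str(exc)


def run_demo() -> Dict:
    """Wait through two IN_PROGRESS polls, then evaluate the counts both ways."""
    sleeps: List[float] = []
    resp = wait_for_scan(fake_describe_factory(["IN_PROGRESS", "IN_PROGRESS", "COMPLETE"]), sleep=sleeps.append)
    counts = resp["imageScanFindings"]["findingSeverityCounts"]
    return {"sleeps": len(sleeps), "counts": counts,
            "blocked": violates_policy(counts),
            "event_blocked": violates_policy(counts_from_event(SAMPLE_EVENT)),
            "medium_only_ok": not violates_policy({"MEDIUM": 9})}


if __name__ == "__main__":
    print(run_demo())
```

In a pipeline, the part worth keeping regardless of whether you poll or consume the EventBridge event is the gate: a COMPLETE scan is not a passing scan, so the job should fail on the severity counts, and a scan that never completes within the budget should fail rather than be skipped.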