July 10th, 2020
Currently Elastic Container Registry (ECR) offers container image scanning for the major Linux distributions and the packages from their package repositories, free of charge. The offering is great, but be aware of its current limitations:
Only major Linux distros are supported, i.e., Amazon Linux, Amazon Linux 2, Debian, Ubuntu, CentOS, Oracle Linux, Alpine, and RHEL. At the moment, if you're building on docker scratch or busybox, no ECR scans are available for you, and any scan attempt returns an UnsupportedImageError.
Only operating system packages of these Linux distros are targeted by the scans. Application libraries (e.g., Node and Python modules, Java jars) are not scanned at all.
One can enable "scan on push" to trigger a scan on each image push event. However, that is the only time the container image is scanned automatically. As new vulnerabilities are discovered daily, your images need to be scanned periodically: a freshly baked container image is quite likely free of critical vulnerabilities, but the same image usually is not after a few months.
There's no dashboard to easily visualize the vulnerabilities across your container images. One can build pipelines with CloudWatch Events to alert whenever a scan completes with findings, but that quickly becomes a source of too many alerts and leads to alert fatigue.
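As an added example (not the post's own tooling and not AWS-provided code), the following Python sketch shows the two pieces the limitations above call for: a periodic rescan of every image whose last scan is older than a cut-off, and a registry-wide severity summary. It assumes the boto3 ECR client API (the describe_repositories and describe_images paginators and the start_image_scan call), a seven-day staleness window, and the ECR error codes UnsupportedImageError and LimitExceededException; the boto3 import is deferred to the entry point so the logic can be exercised against a stub client offline.

```python
"""Periodic ECR rescan and registry-wide severity summary (added example).

Assumptions (not from the original post): boto3's ECR client API, a 7-day
staleness window, and the ECR error codes UnsupportedImageError and
LimitExceededException. Run as a scheduled Lambda or a cron job with a role
that allows ecr:DescribeRepositories, ecr:DescribeImages, ecr:StartImageScan.
"""
from datetime import datetime, timedelta, timezone

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED")


def _error_code(exc):
    # botocore's ClientError exposes the service error code under .response;
    # checking the attribute (rather than importing botocore) keeps the
    # module importable without the SDK and lets a stub client raise the same shape.
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def list_images(ecr):
    """Yield (repositoryName, imageDetail) for every image in the registry."""
    for repo_page in ecr.get_paginator("describe_repositories").paginate():
        for repo in repo_page["repositories"]:
            name = repo["repositoryName"]
            pages = ecr.get_paginator("describe_images").paginate(repositoryName=name)
            for img_page in pages:
                for detail in img_page["imageDetails"]:
                    yield name, detail


def needs_rescan(detail, now, max_age):
    """True if the image was never scanned or its last scan is older than max_age."""
    summary = detail.get("imageScanFindingsSummary") or {}
    completed = summary.get("imageScanCompletedAt")
    if completed is None:
        return True
    return now - completed > max_age


def rescan_stale_images(ecr, now=None, max_age=timedelta(days=7)):
    """Start a scan for every stale image; returns {repo@digest: outcome}."""
    now = now or datetime.now(timezone.utc)
    outcomes = {}
    for repo, detail in list_images(ecr):
        digest = detail["imageDigest"]
        key = f"{repo}@{digest}"
        if not needs_rescan(detail, now, max_age):
            outcomes[key] = "fresh"
            continue
        try:
            ecr.start_image_scan(repositoryName=repo, imageId={"imageDigest": digest})
            outcomes[key] = "started"
        except Exception as exc:  # narrowed below on the ECR error code
            code = _error_code(exc)
            if code == "UnsupportedImageError":
                # scratch/busybox/etc.: no supported OS package database to scan
                outcomes[key] = "unsupported"
            elif code == "LimitExceededException":
                # ECR throttles repeated scans of the same image (assumption: once per 24h)
                outcomes[key] = "rate-limited"
            else:
                raise
    return outcomes


def severity_summary(ecr):
    """Sum the per-image severity counts over the whole registry."""
    totals = {sev: 0 for sev in SEVERITIES}
    for _repo, detail in list_images(ecr):
        summary = detail.get("imageScanFindingsSummary") or {}
        for sev, count in summary.get("findingSeverityCounts", {}).items():
            totals[sev] = totals.get(sev, 0) + count
    return totals


if __name__ == "__main__":
    import boto3  # deferred so the functions above can be tested without the SDK

    client = boto3.client("ecr")
    for image, outcome in sorted(rescan_stale_images(client).items()):
        print(f"{outcome:12} {image}")
    print(severity_summary(client))
```

Running this once per registry gives the "is anything critical anywhere" number that a per-scan CloudWatch alert cannot, and the outcome map separates images that genuinely cannot be scanned (unsupported base images) from ones that merely hit the scan rate limit, so the two do not get lumped into the same alert.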
There's a great project and blog post, AWS ECR Vulnerabilities Notifier, on how to create alerting pipelines that solve the periodic scan problem and get you notified about new vulnerabilities. I also strongly believe that the integration with other security tooling will improve over time. However, the lack of organization-wide visibility into vulnerability findings is a critical gap for any security automation, and for acting before malicious actors exploit those findings.
For these reasons, I ended up creating a set of my own tooling to bridge the current gaps. While still limited to Linux images and operating system packages, the solution can serve as a low-cost first stage for vulnerability management workflows on top of AWS. Rather than integrating third-party tooling with your cloud infrastructure, the solution relies only on standard AWS APIs and on the accounts in your AWS Organization, accessed through AWS IAM roles.
The code for the web dashboard, the Lambdas, and the Terraform to provision them is available on GitHub.