Scan your Docker images for vulnerabilities with ECR

Michael Wittig – 28 Jan 2020 (updated 08 Jul 2020)

Amazon ECR image scanning helps in identifying software vulnerabilities in your Docker images.

How to monitor ECR Image Scanning

To forward findings to other systems (e.g., Slack, Microsoft Teams), you have to:

  1. Enable Scan on push for your ECR repository.
  2. Create an EventBridge (formerly known as CloudWatch Events) rule that subscribes to the findings.

Enable Scan on push

To enable Scan on push, flip the switch when creating or updating an ECR repository.


Create an EventBridge Rule

You can either let marbot create the rule for you or create it manually in the EventBridge console.

Monitoring Setup Assistant
marbot adds monitoring rules for your AWS infrastructure.

  1. Add marbot to Slack or Microsoft Teams.
  2. Invite marbot to a channel.
  3. In the channel type:
    @marbot Monitor my ECR repositories
  4. Hit enter and follow the wizard.

Manual setup

  1. Visit the EventBridge Console.
  2. Navigate to Events -> Rules.
  3. Create a new rule.
  4. Select Event pattern.
  5. Select Custom pattern and enter the following pattern:

    {
      "detail-type": [
        "ECR Image Scan"
      ],
      "source": [
        "aws.ecr"
      ],
      "detail": {
        "finding-severity-counts": {
          "CRITICAL": [{"exists": false}, {"numeric": [">", 0]}],
          "HIGH": [{"exists": false}, {"numeric": [">", 0]}],
          "MEDIUM": [{"exists": false}, {"numeric": [">", 0]}],
          "UNDEFINED": [{"exists": false}, {"numeric": [">", 0]}]
        }
      }
    }
  6. Last but not least, configure the target (e.g., SNS topic). From the SNS topic, you can then distribute to other systems.
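Before wiring the rule to a target, it is worth checking which scan events the pattern above actually selects. EventBridge evaluates a pattern with AND semantics across keys and OR semantics within each array, and `{"exists": false}` matches when the key is absent. The following is an added example (not code from the post or from marbot): a small evaluator for that subset of the pattern language, run against constructed "ECR Image Scan" events that follow the documented event shape (account id, digest and timestamps are placeholders).

```python
"""Evaluate the post's EventBridge pattern against sample ECR Image Scan events.

Added example; implements only the matcher types the pattern uses
(literal values, "exists", "numeric"). Sample events are constructed.
"""
import json

# The event pattern from the post, expressed as Python data.
ECR_SCAN_PATTERN = {
    "detail-type": ["ECR Image Scan"],
    "source": ["aws.ecr"],
    "detail": {
        "finding-severity-counts": {
            "CRITICAL": [{"exists": False}, {"numeric": [">", 0]}],
            "HIGH": [{"exists": False}, {"numeric": [">", 0]}],
            "MEDIUM": [{"exists": False}, {"numeric": [">", 0]}],
            "UNDEFINED": [{"exists": False}, {"numeric": [">", 0]}],
        }
    },
}

_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _numeric_matches(value, conditions):
    """Apply a numeric condition list such as [">", 0] or [">", 0, "<=", 5]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[op](value, bound)
               for op, bound in zip(conditions[::2], conditions[1::2]))


def _matcher_matches(matcher, present, value):
    """One array element: a literal, {"exists": bool} or {"numeric": [...]}."""
    if isinstance(matcher, dict):
        if "exists" in matcher:
            return present == matcher["exists"]
        if "numeric" in matcher:
            return present and _numeric_matches(value, matcher["numeric"])
        raise ValueError(f"unsupported matcher: {matcher}")
    return present and value == matcher


def event_matches(pattern, event):
    """True if every key of the pattern is satisfied (AND across keys, OR within an array)."""
    for key, expected in pattern.items():
        present = isinstance(event, dict) and key in event
        value = event[key] if present else None
        if isinstance(expected, dict):
            # Nested object: recurse; a missing sub-object behaves like an empty one.
            if not event_matches(expected, value if isinstance(value, dict) else {}):
                return False
        elif not any(_matcher_matches(m, present, value) for m in expected):
            return False
    return True


def _scan_event(counts, source="aws.ecr", detail_type="ECR Image Scan"):
    """Build a constructed ECR Image Scan event with the given severity counts."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",  # placeholder
        "detail-type": detail_type,
        "source": source,
        "account": "123456789012",  # placeholder account id
        "time": "2020-01-28T12:00:00Z",
        "region": "eu-west-1",
        "resources": ["arn:aws:ecr:eu-west-1:123456789012:repository/demo-app"],
        "detail": {
            "scan-status": "COMPLETE",
            "repository-name": "demo-app",
            "image-digest": "sha256:PLACEHOLDER",
            "image-tags": ["latest"],
            "finding-severity-counts": counts,
        },
    }


# Constructed sample events covering the cases a practitioner should check.
SAMPLE_EVENTS = {
    "critical_and_high": _scan_event({"CRITICAL": 2, "HIGH": 5}),
    "only_low": _scan_event({"LOW": 3}),
    "no_findings": _scan_event({}),
    "explicit_zero_high": _scan_event({"HIGH": 0, "CRITICAL": 1}),
    "other_source": _scan_event({"CRITICAL": 2}, source="aws.ecs"),
    "other_detail_type": _scan_event({"CRITICAL": 2}, detail_type="ECR Image Action"),
}


def evaluate_samples(pattern=ECR_SCAN_PATTERN):
    """Return {sample name: matched?} for every constructed sample event."""
    return {name: event_matches(pattern, ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    print(json.dumps(evaluate_samples(), indent=2))
```

Running it shows that the pattern rejects events from other sources or with other detail types, and rejects an event in which a listed severity is present with a count of 0. It also shows that an event whose counts contain only LOW findings, or no findings at all, matches, because each listed key is then simply absent and `{"exists": false}` is satisfied. If you only want to be notified when a CRITICAL, HIGH, MEDIUM or UNDEFINED finding was actually reported, tighten the pattern accordingly before attaching the SNS target; otherwise every completed scan will produce a message.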

Michael Wittig

Consultant focusing on Amazon Web Services (AWS). Entrepreneur building marbot.io. Author of Amazon Web Services in Action, Rapid Docker on AWS, and cloudonaut.io.

You can contact me via Email, Twitter, and LinkedIn.
