When I created an ECR scan from a CDK, I could see the back side of the scan

at first

I have never used the ECR scan function, so I made it with CDK.

How to make

As shown below, you can use the automatic scan function just by adding image_scan_on_push to the argument of Repository. CDK convenient

from aws_cdk import (
    aws_ecr as ecr,
    core,
)

repository = ecr.Repository(self, "Repo",
    image_scan_on_push=True
)

After executing the above, ECR and ECRImageScanOnPush are completed.

$ cdk diff repo
...
Resources
[+] AWS::ECR::Repository Repo Repo02AC86CF 
[+] Custom::ECRImageScanOnPush Repo/ImageScanOnPush/Resource RepoImageScanOnPush94CFD98F 
[+] AWS::IAM::Role AWS679f53fac002430cb0da5b7982bd2287/ServiceRole AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2 
[+] AWS::IAM::Policy AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/DefaultPolicy AWS679f53fac002430cb0da5b7982bd2287ServiceRoleDefaultPolicyD28E1A5E 
[+] AWS::Lambda::Function AWS679f53fac002430cb0da5b7982bd2287 AWS679f53fac002430cb0da5b7982bd22872D164C4C 
...

When I checked from the CLI whether it was actually made, I was able to confirm that it was certainly made. It also included image scan settings

$ aws --region us-east-1 ecr describe-repositories | jq .
{
  "repositories": [
    {
      "repositoryArn": "arn:aws:ecr:us-east-1:000000000000:repository/repo-repo0-ny7qkwdk6aru",
      "registryId": "000000000000",
      "repositoryName": "repo-repo0-ny7qkwdk6aru",
      "repositoryUri": "000000000000.dkr.ecr.us-east-1.amazonaws.com/repo-repo0-ny7qkwdk6aru",
      "createdAt": 1589559800,
      "imageTagMutability": "MUTABLE",
      "imageScanningConfiguration": {
        "scanOnPush": true
      }
    }
  ]
}

Digression

I've completed what I want to do above, but when I created the resource, something other than ECR was created as shown below. Let's check if this is also done

[+] AWS::IAM::Role AWS679f53fac002430cb0da5b7982bd2287/ServiceRole AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2 
[+] AWS::IAM::Policy AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/DefaultPolicy AWS679f53fac002430cb0da5b7982bd2287ServiceRoleDefaultPolicyD28E1A5E 
[+] AWS::Lambda::Function AWS679f53fac002430cb0da5b7982bd2287 AWS679f53fac002430cb0da5b7982bd22872D164C4C

First of all, Lambda, but there was no resource written as AWS

$ aws --region us-east-1 lambda list-functions | jq .Functions[].FunctionName | grep AWS
$

Next is IAM Role, but this is also not available So I couldn't find the IAM Policy associated with it

$ aws --region us-east-1 iam list-roles | jq .Roles[].RoleName | grep AWS679f53fac002430cb0da5b7982bd2287
$

In other words, I think that there are resources on the AWS side rather than resources that can be set and confirmed on the user side. I think it will probably be Lambda and its IAM Role when scanning ECR. I think it will be fixed soon, but I felt a little familiar with the inside of AWS.

reference

-Image Scan --Amazon ECR -[Super long-awaited update] Vulnerability scanning function for ECR has been provided | Developers.IO

Recommended Posts

When I created an ECR scan from a CDK, I could see the back side of the scan
I made a Line bot that guesses the gender and age of a person from an image
Extension of Python by C or C ++ (when there are multiple arguments, when passing a list from the Python side)
I made a function to see the movement of a two-dimensional array (Python)
I created a Slack bot that confirms and notifies AWS Lambda of the expiration date of an SSL certificate
What are the characteristics of an AV actress? I guessed from the title of the work! (^ _ ^) / ~~
In the Chainer tutorial, I get an error when importing a package. (mock)
I made an appdo command to execute a command in the context of the app
I want to see a list of WebDAV files in the Requests module
[Discode Bot] I created a bot that tells me the race value of Pokemon
I made a tool to automatically back up the metadata of the Salesforce organization
A story about an engineer who came only on the server side created a portfolio