Scan using CLI tools
      Back to home
      1. RapidFort SASM Platform Documentation
      2. Scanning
      3. Scan using CLI tools

      Scan Images on Amazon Elastic Container Registry (ECR)

      Prerequisites

      You will need an Intel-based Linux client system to run the RapidFort scanner (rfscan).
      Your client system can be a CI/CD pipeline runner (e.g. GitLab or Jenkins) or a system with the appropriate permissions to access Amazon ECR, Amazon S3, and the RapidFort SaaS or RapidFort On-Premises Instance.
      Your client system will need the following dependencies installed:

      • Python 3.x (we recommend Python 3.8 or later) and pip3
      • Docker
      • Amazon AWS Command Line Interface Tools (we recommend version 2.x)

      Your client system will need access to the following:

      • Amazon Elastic Container Registry (ECR)
      • Amazon S3
      • RapidFort SaaS or RapidFort On-Premises Instance

      Client System Setup

      Step 1: Install Dependencies
      Install dependencies on your client system:

      • Python 3.x (we recommend Python 3.8 or later) and pip3
      • Docker
      • Amazon AWS Command Line Interface Tools (we recommend version 2.x)

      Step 2: Configure and Verify Amazon ECR Access

      Configure your client system with access to Amazon ECR. You may need to create an IAM role and policy.
      Verify that you are able to pull Docker images from Amazon ECR.

      $ docker pull <registry_id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>

      For example:

      $ docker pull 123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:v1.0.100

      If you plan to scan your registry, verify that you are able to run describe-repositories and describe-images (you may need to assume an IAM role beforehand):

      $ aws ecr describe-repositories --registry-id=<registry_id>
      $ aws ecr describe-images --registry-id=<registry_id> --repository=<repository>

      For example:

      $ aws ecr describe-repositories --registry-id=12345678910
      $ aws ecr describe-images --registry-id=12345678910 --repository=frontend

      Step 3: Install the RapidFort Command Line Interface (CLI) Tools

      Install the RapidFort Command Line Interface (CLI) tools.
      RapidFort SaaS:

      $ curl https://api.rapidfort.com/cli/ | bash

      RapidFort On-Premises:

      $ curl https://<rapidfort_host>/cli/ | bash

      After installing the RapidFort CLI tools, verify that you are able to log into RapidFort:

      $ rflogin <email_address>

      Scanning Images

      If your images will already be available locally on your client system, then you do not need to configure rfscan to pull images from your registry.
      Otherwise, if you need rfscan to pull images from your registry or if you would like to scan your registry, then please follow the instructions in the Config. file setup to set up your rfscan.yaml configuration file.

      There are 2 ways to scan images.

      Command-Line Parameters

      Provide each image as a command-line parameter.

      $ rfscan <registry>/<repository0>:<tag0> <registry>/<repository1>:<tag1> \
       <registry>/<repository2>:<tag2> ...

      For example:

      $ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100 \
      123456789010.dkr.ecr.us-east-1.amazonaws.com/backend:1.2.3 \
      123456789010.dkr.ecr.us-east-1.amazonaws.com/core/utils:v1.0

      Text File

      Create a text file that contains one image per line and provide the path to the text file as a command-line parameter.

      <registry>/<repository0>:<tag0>
      <registry>/<repository1>:<tag1>
      <registry>/<repository2>:<tag2>
      $ rfscan <path_to_image_list_file>

      For example:

      123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100
      123456789010.dkr.ecr.us-east-1.amazonaws.com/backend:1.2.3
      123456789010.dkr.ecr.us-east-1.amazonaws.com/core/utils:v1.0
      $ rfscan ~/image_list_file

      Workload Tags
      To tag all images that were scanned as part of the same scan job, provide a tag name and optionally a tag description as command-line parameters.

      $ rfscan <images or image list file> -t <tag_name> -d <tag_description>

      For example:

      $ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100 \
      123456789010.dkr.ecr.us-east-1.amazonaws.com/backend:1.2.3 \
      123456789010.dkr.ecr.us-east-1.amazonaws.com/core/utils:v1.0 \
      -t jenkins_123456 -d "Jenkins #123456"
      $ rfscan ~/image_list_file -t scan_20220107 -d "Scan on 2022-01-07"

      Scanning Registries
      If you would like to scan your registry, then follow the instructions in  to set up your rfscan.yaml configuration file.
      To scan your registry, provide the registry server as a command-line parameter:

      $ rfscan <registry>

      For example:

      $ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com

      Workload Tags
      To tag all images that were scanned as part of the same scan job, provide a tag name and optionally a tag description as command-line parameters.

      $ rfscan <registry> -t <tag_name> -d <tag_description>

      For example:

      $ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com \
      -t registry_scan_20220107 -d "Registry Scan 2022-01-07"

      Workload tags are optional but recommended. Using workload tags enables filtering images by tag in the RapidFort Dashboard.

      Scan Reports
      By default, scan reports will be saved in ~/rapidfort/reports/<timestamp>. This can be overridden with the --reports_folder command-line parameter.