Scan Images on Amazon Elastic Container Registry (ECR)

Prerequisites

You will need an Intel-based (x86-64) Linux client system to run the RapidFort scanner (rfscan).
Your client system can be a CI/CD pipeline runner (e.g. GitLab or Jenkins) or a system with the appropriate permissions to access Amazon ECR, Amazon S3, and the RapidFort SaaS or RapidFort On-Premises Instance.
Your client system will need the following dependencies installed:

  • Python 3.x (we recommend Python 3.8 or later) and pip3
  • Docker
  • Amazon AWS Command Line Interface Tools (we recommend version 2.x)

Your client system will need access to the following:

  • Amazon Elastic Container Registry (ECR)
  • Amazon S3
  • RapidFort SaaS or RapidFort On-Premises Instance

Client System Setup

Step 1: Install Dependencies
Install dependencies on your client system:

  • Python 3.x (we recommend Python 3.8 or later) and pip3
  • Docker
  • Amazon AWS Command Line Interface Tools (we recommend version 2.x)

Step 2: Configure and Verify Amazon ECR Access

Configure your client system with access to Amazon ECR. You may need to create an IAM role and policy; scope it to the ECR read actions the scanner actually uses (obtaining an authorization token, fetching layers and manifests, and, for registry scans, listing repositories and images) rather than granting ECR-wide write access.
Docker must be authenticated to the registry before it can pull. ECR authorization tokens obtained through the AWS CLI are valid for 12 hours, so a CI/CD runner should re-authenticate at the start of each job.
Verify that you are able to pull Docker images from Amazon ECR.

$ docker pull <registry_id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>

For example:

$ docker pull 123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:v1.0.100

If you plan to scan your registry, verify that you are able to run describe-repositories and describe-images (you may need to assume an IAM role beforehand). Note that describe-images takes the repository as --repository-name, and that both commands need a region, either from your AWS CLI configuration or from --region:

$ aws ecr describe-repositories --registry-id=<registry_id>
$ aws ecr describe-images --registry-id=<registry_id> --repository-name=<repository>

For example:

$ aws ecr describe-repositories --registry-id=123456789010
$ aws ecr describe-images --registry-id=123456789010 --repository-name=frontend
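The following script is an added example, not RapidFort's or AWS's own code. It writes a least-privilege IAM policy covering exactly the ECR operations Step 2 relies on (docker login, docker pull, describe-repositories and describe-images) and then runs those checks. The account ID, region, repository and tag are placeholders you supply on the command line; the policy actions are the standard ECR read actions those commands call. The page also lists Amazon S3 and the RapidFort service as required destinations, but gives no detail on which S3 permissions rfscan needs, so S3 is deliberately out of scope here.

```shell
#!/usr/bin/env bash
# Added example, not RapidFort's or AWS's own code: least-privilege ECR policy
# for the rfscan client plus the Step 2 access checks.
# Assumptions: a 12-digit AWS account ID, one region, repositories in that
# account. S3 and RapidFort SaaS access are configured separately.
set -eu

# Emit a read-only ECR policy scoped to one account and region.
# GetAuthorizationToken is account-wide and must use Resource "*".
# The Batch*/Get* actions are what `docker pull` needs; Describe*/List*
# are what registry scanning (describe-repositories, describe-images) needs.
write_rfscan_ecr_policy() {
  local account="$1" region="$2" out="$3"
  cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "EcrPullAndDescribe",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr:ListImages"
      ],
      "Resource": "arn:aws:ecr:${region}:${account}:repository/*"
    }
  ]
}
EOF
}

# Authenticate Docker to the registry. The token is passed on stdin, not on
# the command line. ECR tokens expire after 12 hours, so a CI runner should
# call this at the start of every job.
ecr_login() {
  local registry_id="$1" region="$2" token
  token=$(aws ecr get-login-password --region "$region")
  printf '%s' "$token" | docker login --username AWS --password-stdin \
    "${registry_id}.dkr.ecr.${region}.amazonaws.com"
}

# The checks from Step 2: one pull, then the two describe calls.
verify_ecr_access() {
  local registry_id="$1" region="$2" repository="$3" tag="$4"
  docker pull "${registry_id}.dkr.ecr.${region}.amazonaws.com/${repository}:${tag}"
  aws ecr describe-repositories --registry-id "$registry_id" --region "$region" \
    --query 'repositories[].repositoryName' --output text
  aws ecr describe-images --registry-id "$registry_id" --region "$region" \
    --repository-name "$repository" --query 'imageDetails[].imageTags' --output text
}

# Usage: ./ecr_access.sh <registry_id> <region> <repository> <tag>
# Writes rfscan-ecr-policy.json in the current directory, then logs in
# and runs the checks. Without arguments it only defines the functions.
if [ "$#" -eq 4 ]; then
  write_rfscan_ecr_policy "$1" "$2" rfscan-ecr-policy.json
  ecr_login "$1" "$2"
  verify_ecr_access "$1" "$2" "$3" "$4"
fi
```

Attach the generated policy to the IAM role your runner assumes; if the runner only ever scans a fixed set of repositories, narrow the Resource ARN from repository/* to those names.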

Step 3: Install the RapidFort Command Line Interface (CLI) Tools

Install the RapidFort Command Line Interface (CLI) tools. The installer is fetched over HTTPS and piped straight into bash; if your change-control process does not allow that, download the script first, review it, and then run it from disk.
RapidFort SaaS:

$ curl https://api.rapidfort.com/cli/ | bash

RapidFort On-Premises:

$ curl https://<rapidfort_host>/cli/ | bash

After installing the RapidFort CLI tools, verify that you are able to log into RapidFort:

$ rflogin <email_address>

Scanning Images

If the images are already present in the local Docker image cache on your client system, rfscan does not need registry access and you do not need to configure it to pull images.
If rfscan must pull images from ECR, or if you want to scan the whole registry, first follow the Config. file setup instructions to create your rfscan.yaml configuration file.

There are two ways to tell rfscan which images to scan.

Command-Line Parameters

Provide each image as a command-line parameter.

$ rfscan <registry>/<repository0>:<tag0> <registry>/<repository1>:<tag1> \
 <registry>/<repository2>:<tag2> ...

For example:

$ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100 \
123456789010.dkr.ecr.us-east-1.amazonaws.com/backend:1.2.3 \
123456789010.dkr.ecr.us-east-1.amazonaws.com/core/utils:v1.0

Text File

Create a text file that contains one image per line and provide the path to the text file as a command-line parameter.

<registry>/<repository0>:<tag0>
<registry>/<repository1>:<tag1>
<registry>/<repository2>:<tag2>
$ rfscan <path_to_image_list_file>

For example:

123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100
123456789010.dkr.ecr.us-east-1.amazonaws.com/backend:1.2.3
123456789010.dkr.ecr.us-east-1.amazonaws.com/core/utils:v1.0
$ rfscan ~/image_list_file

Workload Tags
To tag all images that were scanned as part of the same scan job, provide a tag name and optionally a tag description as command-line parameters.

$ rfscan <images or image list file> -t <tag_name> -d <tag_description> 

For example:

$ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100 \
123456789010.dkr.ecr.us-east-1.amazonaws.com/backend:1.2.3 \
123456789010.dkr.ecr.us-east-1.amazonaws.com/core/utils:v1.0 \
-t jenkins_123456 -d "Jenkins #123456"
$ rfscan ~/image_list_file -t scan_20220107 -d "Scan on 2022-01-07"
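The script below is an added example, not RapidFort's own code, covering both the Text File and Workload Tags sections above. It validates an image list file before handing it to rfscan: every line must be an ECR reference of the form <registry_id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag> for the registry you expect, with an explicit tag that is not the mutable latest, so a pipeline cannot silently scan an image from someone else's account or a tag that may point at a different image tomorrow. The sample list it writes is constructed data, and the ci_<job> workload-tag naming is an assumed convention, not something rfscan requires.

```shell
#!/usr/bin/env bash
# Added example, not RapidFort's own code. Validates an rfscan image list
# file, then scans it with a workload tag derived from a CI job id.
# The sample images below are constructed, not real repositories.
set -eu

# Print "registry_id region repository tag" for a valid ECR reference of the
# form <12 digits>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>;
# return 1 for anything else (other registries, digest refs, missing tag).
parse_ecr_ref() {
  local ref="$1" host path repo tag
  host=${ref%%/*}
  path=${ref#*/}
  case "$host" in
    *.dkr.ecr.*.amazonaws.com) ;;
    *) return 1 ;;
  esac
  case "$path" in
    *@*) return 1 ;;      # digest references are not in the list format
    *:*) ;;
    *) return 1 ;;        # no tag at all
  esac
  repo=${path%:*}
  tag=${path##*:}
  local id=${host%%.*} region=${host#*.dkr.ecr.}
  region=${region%.amazonaws.com}
  case "$id" in          # AWS account ids are exactly 12 digits
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) return 1 ;;
  esac
  [ -n "$repo" ] && [ -n "$tag" ] || return 1
  printf '%s %s %s %s\n' "$id" "$region" "$repo" "$tag"
}

# Check each line of a list file against the expected registry id.
# Prints one OK/REJECT line per image; returns 1 if anything was rejected.
check_image_list() {
  local file="$1" expected_id="$2" line fields id tag bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
    if ! fields=$(parse_ecr_ref "$line"); then
      echo "REJECT $line (not an ECR image reference with a tag)"; bad=1; continue
    fi
    set -- $fields
    id=$1; tag=$4
    if [ "$id" != "$expected_id" ]; then
      echo "REJECT $line (registry $id is not $expected_id)"; bad=1
    elif [ "$tag" = "latest" ]; then
      echo "REJECT $line (mutable tag 'latest')"; bad=1
    else
      echo "OK $line"
    fi
  done < "$file"
  return $bad
}

# Constructed sample list mixing good and bad entries, for a dry run.
write_sample_list() {
  cat > "$1" <<'EOF'
# images built by job 123456
123456789010.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100
123456789010.dkr.ecr.us-east-1.amazonaws.com/backend:1.2.3
123456789010.dkr.ecr.us-east-1.amazonaws.com/core/utils:v1.0
123456789010.dkr.ecr.us-east-1.amazonaws.com/cache:latest
999999999999.dkr.ecr.us-east-1.amazonaws.com/frontend:1.0.100
docker.io/library/nginx:1.25
EOF
}

# Usage: ./check_images.sh <image_list_file> <registry_id> <ci_job_id>
# Scans only if every image passed; the workload tag ci_<job> groups the
# scan in the RapidFort Dashboard (assumed naming convention).
if [ "$#" -eq 3 ]; then
  check_image_list "$1" "$2"
  rfscan "$1" -t "ci_$3" -d "CI job #$3"
fi
```

Running check_image_list on the sample list accepts the three properly tagged images from account 123456789010 and rejects the latest tag, the foreign account and the Docker Hub entry, so the rfscan call never runs against that file until the list is cleaned up.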

Scanning Registries
If you would like to scan your registry, then follow the Config. file setup instructions to set up your rfscan.yaml configuration file.
To scan your registry, provide the registry server as a command-line parameter:

$ rfscan <registry>

For example:

$ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com

Workload Tags
To tag all images that were scanned as part of the same scan job, provide a tag name and optionally a tag description as command-line parameters.

$ rfscan <registry> -t <tag_name> -d <tag_description>

For example:

$ rfscan 123456789010.dkr.ecr.us-east-1.amazonaws.com \
-t registry_scan_20220107 -d "Registry Scan 2022-01-07"

Workload tags are optional but recommended. Using workload tags enables filtering images by tag in the RapidFort Dashboard.

Scan Reports
By default, scan reports will be saved in ~/rapidfort/reports/<timestamp>. This can be overridden with the --reports_folder command-line parameter.