Tell us about your request
Add a summary of the image scan finding to the ECR event stream. Currently, the event stream only shows when a scan has been completed.
Which service(s) is this request for?
ECR
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Trying to identify the images I've deployed that have developed vulnerabilities over time.
Are you currently working around this issue?
I have to query the ECR API.
This would definitely be a welcome addition to save us having to retrieve the findings just to get the counts.
I would add that the scan result is _the_ information.
This is complete, the ECR Image Scan event now contains a count of the vulnerability severities found in a `finding-severity-counts` object in the `detail` portion of the event JSON. For example:
```
"finding-severity-counts": {
  "CRITICAL": 10,
  "MEDIUM": 9
}
```
See the full event schema here: https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html
@omieomye Are the severities documented? I can not find them in the ECR docs.
... I found something: INFORMATIONAL | LOW | MEDIUM | HIGH | CRITICAL | UNDEFINED ( https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageScanFinding.html )
How would you filter all the CRITICAL and HIGH events?
According to the CloudWatch Events doc: "For a pattern to match an event, the event must contain all the field names listed in the pattern. The field names must appear in the event with the same nesting structure."
Let's assume the following event pattern to get all scans with CRITICAL findings:
```
source:
  - 'aws.ecr'
'detail-type':
  - 'ECR Image Scan'
detail:
  'finding-severity-counts':
    CRITICAL:
      - '*'
```
To get both CRITICAL and HIGH findings, you might write something like this:
```
source:
  - 'aws.ecr'
'detail-type':
  - 'ECR Image Scan'
detail:
  'finding-severity-counts':
    CRITICAL:
      - '*'
    HIGH:
      - '*'
```
Turns out that this only works if the scan produces CRITICAL and HIGH findings. There is no OR.
Now you might argue I could use two events. If a scan result now has HIGH AND CRITICAL findings I will get two events.
Question: Why not populate all severities and set the ones that are "missing" to zero?
Edit: I'm not sure if the ['*'] works as I hope it does...
My use case is to be able to send out an email notification only if finding-severity-counts shows something of interest (for example, CRITICAL, HIGH, or MEDIUM) and not send emails on every single scan (at work we have hundreds of repos with new images being pushed daily to those repos).
My approach was to create a CloudWatch event on ECR Image Scan, and an SNS topic 'ecr-scans' as the target. Then configure the SNS topic to have one subscriber of the type Email.
Unfortunately, according to the docs, the event pattern syntax does not allow wildcards, so I don't have an easy way to send the email only when something "relevant" was detected by the scan.
I'm trying to avoid having to purposely create a Lambda to do the filtering and emailing.
Any suggestions?
Thanks to https://aws.amazon.com/blogs/compute/reducing-custom-code-by-using-advanced-rules-in-amazon-eventbridge/ we can now filter:
```
{
  "detail-type": ["ECR Image Scan"],
  "source": ["aws.ecr"],
  "detail": {
    "finding-severity-counts": {
      "HIGH": [{ "exists": false }, { "numeric": [">", 0] }],
      "MEDIUM": [{ "exists": false }, { "numeric": [">", 0] }],
      "UNDEFINED": [{ "exists": false }, { "numeric": [">", 0] }],
      "CRITICAL": [{ "exists": false }, { "numeric": [">", 0] }]
    }
  }
}
```
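As an added example (not code from this thread or from AWS), the following Python matcher implements the subset of EventBridge pattern semantics used in the two patterns above (literal lists, `exists`, `numeric`) and runs them over constructed ECR Image Scan events reduced to the fields discussed here. The earlier YAML pattern's `'*'` is read as an exists-true check, which is an assumption. Running it shows that the CRITICAL/HIGH pattern requires both keys, and that the exists-false/numeric pattern also matches a scan reporting only LOW findings, since every listed severity is then absent.

```python
"""Added example, not from the issue thread: a matcher for the subset of the
EventBridge pattern language used above, run over constructed ECR scan events."""
import operator

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}


def _match_leaf(value, rules, present):
    """The list under a field is an OR: any one rule matching is enough."""
    for rule in rules:
        if not isinstance(rule, dict):          # plain literal, e.g. "aws.ecr"
            if present and rule == value:
                return True
        elif "exists" in rule and rule["exists"] == present:
            return True
        elif "numeric" in rule and present and isinstance(value, (int, float)):
            ops = rule["numeric"]               # e.g. [">", 0] or [">", 0, "<=", 5]
            if all(_OPS[o](value, b) for o, b in zip(ops[::2], ops[1::2])):
                return True
    return False


def matches(event, pattern):
    """Every key in the pattern must match (AND); nested dicts recurse."""
    for key, rules in pattern.items():
        present, value = key in event, event.get(key)
        if isinstance(rules, dict):
            if not (isinstance(value, dict) and matches(value, rules)):
                return False
        elif not _match_leaf(value, rules, present):
            return False
    return True


def scan_event(counts):
    """Constructed event carrying only the fields the thread discusses."""
    return {"source": "aws.ecr", "detail-type": "ECR Image Scan",
            "detail": {"scan-status": "COMPLETE", "finding-severity-counts": counts}}


def severity_pattern(severities, rules):
    """Build the thread's pattern shape with the same rule list under each severity."""
    return {"source": ["aws.ecr"], "detail-type": ["ECR Image Scan"],
            "detail": {"finding-severity-counts": {s: rules for s in severities}}}


# The YAML pattern from the thread, with its '*' read as "key must exist" (assumption).
BOTH_REQUIRED = severity_pattern(["CRITICAL", "HIGH"], [{"exists": True}])
# The later JSON pattern: each listed severity must be absent OR greater than zero.
ABSENT_OR_POSITIVE = severity_pattern(["CRITICAL", "HIGH", "MEDIUM", "UNDEFINED"],
                                      [{"exists": False}, {"numeric": [">", 0]}])
```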
This only works if you manually create the Rule in EventBridge.
If you create the Rule using CloudFormation or through CDK, you will get an 'Event pattern is not valid.' message.
This is a simple example:
```
import { Rule } from "aws-cdk-lib/aws-events";

// Pattern with a numeric match on the MEDIUM count. The CDK property is
// `detailType`, which renders as "detail-type" in the synthesized rule;
// `scope` is the enclosing Construct (Stack) this rule is defined in.
const pattern = {
  source: ["aws.ecr"],
  detailType: ["ECR Image Scan"],
  detail: {
    "scan-status": ["COMPLETE"],
    "finding-severity-counts": { MEDIUM: [{ numeric: [">", 0] }] },
  },
};
const rule = new Rule(scope, "newRule");
rule.addEventPattern(pattern);
```
@pashasensi Yes, this is not working when creating it using CloudFormation. What is the way to do it in a CloudFormation template for EventBridge?