
Scan the vulnerability of Docker images stored in ECR

Project description

ECRanner


ECRanner scans the Docker images stored in ECR for vulnerabilities.

Feature

  • Pull Docker images from ECR
  • Support for multiple AWS accounts
  • Vulnerability scan
    • Trivy detects software (OS package and application library) vulnerabilities in Docker images
  • Slack integration
    • Pushes vulnerability information to Slack. The Slack UI looks like this:

      [screenshot: Slack UI]

Get Started

Install Prerequisites

  • Trivy
  • Git (used by Trivy)

Install ECRanner

pip install ecranner

Write ecranner.yml

An ecranner.yml looks like this:

aws:
  stg:
    account_id: xxxxxxxxx
    region: us-east-1
    aws_access_key_id: xxxxxxxxx
    aws_secret_access_key: xxxxxxxxx
    images:
      - image:latest
      - image:1.0-dev
  prod:
    account_id: xxxxxxxxx
    region: us-east-1
    aws_access_key_id: xxxxxxxxx
    aws_secret_access_key: xxxxxxxxx
    images:
      - image:1.4
      - image:5.3

trivy:
  path: ~/user/.local/bin/trivy
  options: --severity CRITICAL -q
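To make the configuration above concrete, here is an added example (not ECRanner's own code) that takes the same structure, checks each account entry, points out accounts that keep an AWS secret key in the YAML itself, and resolves every image to the fully qualified ECR URI that a pull from that account's registry would use. The account ids, credentials and the exact Trivy invocation form are assumptions; the config is embedded as the dict that yaml.safe_load() would return for the YAML shown.

```python
"""Load an ecranner.yml-style configuration, validate it and resolve each
account's images to fully qualified ECR image URIs.
Added example for this README, not ECRanner's own code."""
import os
import shlex
from typing import Dict, List

# Constructed config: the README's ecranner.yml as yaml.safe_load() would return
# it, with placeholder account ids and credentials.
CONFIG = {
    "aws": {
        "stg": {
            "account_id": "111111111111",
            "region": "us-east-1",
            "aws_access_key_id": "AKIA_PLACEHOLDER",
            "aws_secret_access_key": "SECRET_PLACEHOLDER",
            "images": ["image:latest", "image:1.0-dev"],
        },
        "prod": {
            "account_id": "222222222222",
            "region": "us-east-1",
            "aws_access_key_id": "AKIA_PLACEHOLDER",
            "aws_secret_access_key": "SECRET_PLACEHOLDER",
            "images": ["image:1.4", "image:5.3"],
        },
    },
    "trivy": {"path": "~/user/.local/bin/trivy", "options": "--severity CRITICAL -q"},
}

REQUIRED_KEYS = ("account_id", "region", "images")


def ecr_registry(account_id: str, region: str) -> str:
    """Registry hostname ECR uses for an account/region pair."""
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com"


def validate_account(name: str, account: dict) -> List[str]:
    """Return the problems found in one account entry (empty list if it is fine)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in account:
            problems.append(f"{name}: missing '{key}'")
    account_id = str(account.get("account_id", ""))
    if not (account_id.isdigit() and len(account_id) == 12):
        problems.append(f"{name}: account_id must be a 12-digit AWS account id")
    for image in account.get("images", []) or []:
        # Every entry must name a tag or digest; an untagged name would silently
        # scan whatever 'latest' resolves to at run time.
        if ":" not in image and "@" not in image:
            problems.append(f"{name}: image '{image}' has no tag or digest")
    return problems


def plaintext_credential_accounts(config: dict) -> List[str]:
    """Names of accounts whose secret access key is embedded in the YAML itself."""
    return [name for name, acct in config["aws"].items()
            if acct.get("aws_secret_access_key")]


def resolve_images(config: dict) -> Dict[str, List[str]]:
    """Map each account name to the ECR image URIs ECRanner would pull for it."""
    resolved = {}
    for name, account in config["aws"].items():
        registry = ecr_registry(account["account_id"], account["region"])
        resolved[name] = [f"{registry}/{image}" for image in account["images"]]
    return resolved


def trivy_command(config: dict, image_uri: str) -> List[str]:
    """argv for one Trivy run.  shlex.split keeps the options string out of a
    shell; the bare 'trivy [options] IMAGE' form matches the README's example
    and is an assumption about the Trivy version in use."""
    trivy = config["trivy"]
    path = os.path.expanduser(trivy["path"])
    return [path, *shlex.split(trivy.get("options", "")), image_uri]


if __name__ == "__main__":
    for account_name, account_cfg in CONFIG["aws"].items():
        for problem in validate_account(account_name, account_cfg):
            print("config error:", problem)
    for account_name in plaintext_credential_accounts(CONFIG):
        print(f"warning: {account_name} keeps aws_secret_access_key in ecranner.yml")
    for account_name, uris in resolve_images(CONFIG).items():
        for uri in uris:
            print(account_name, " ".join(trivy_command(CONFIG, uri)))
```

The credential check is there because the YAML shown above carries long-lived AWS keys next to the image list; keeping those in a separate .env file (which the --env-file option loads) or using an instance role keeps them out of whatever repository holds ecranner.yml.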

Execute

ecranner

Running the command above prints the scan result to the console, as follows:

[ { 'Target': 'image_name:latest'
              '(alpine 3.10.1)',
    'Vulnerabilities': [ { 'Description': 'aa_read_header in '
                                          'libavformat/aadec.c in FFmpeg '
                                          'before 3.2.14 and 4.x before 4.1.4 '
                                          'does not check for sscanf failure '
                                          'and consequently allows use of '
                                          'uninitialized variables.',
                           'FixedVersion': '4.1.4-r0',
                           'InstalledVersion': '4.1.3-r1',
                           'PkgName': 'ffmpeg',
                           'References': [ 'https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.4',
                                           'https://github.com/FFmpeg/FFmpeg/commit/ed188f6dcdf0935c939ed813cf8745d50742014b',
                                           'https://github.com/FFmpeg/FFmpeg/compare/a97ea53...ba11e40',
                                           'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12730',
                                           'http://www.securityfocus.com/bid/109317',
                                           'https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9b4004c054964a49c7ba44583f4cee22486dd8f2'],
                           'Severity': 'HIGH',
                           'Title': '',
                           'VulnerabilityID': 'CVE-2019-12730'}
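The result above is a list of targets, each with its findings. The following is an added example (not ECRanner's own code) of what a consumer of that output usually needs next: counting findings by severity, selecting those at or above a threshold, deciding whether a pipeline should pass, and building the Slack incoming-webhook payload the --slack option would send. The sample result is constructed in the shape shown above; the first finding is the ffmpeg CVE printed there, the second is a made-up CRITICAL finding with a placeholder id and no fix, and a clean second target is included because Trivy emits null rather than an empty list for those.

```python
"""Triage a Trivy scan result shaped like the one ECRanner prints: count
findings by severity, pick those at or above a threshold, decide whether the
scan passes, and build the Slack incoming-webhook payload.
Added example for this README, not ECRanner's own code."""
import json
import os
import urllib.request
from collections import Counter
from typing import Dict, List

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of the README output.
SCAN_RESULT = [
    {
        "Target": "image_name:latest (alpine 3.10.1)",
        "Vulnerabilities": [
            {
                "VulnerabilityID": "CVE-2019-12730",
                "PkgName": "ffmpeg",
                "InstalledVersion": "4.1.3-r1",
                "FixedVersion": "4.1.4-r0",
                "Severity": "HIGH",
                "Title": "",
                "Description": "aa_read_header in libavformat/aadec.c in FFmpeg ... "
                               "allows use of uninitialized variables.",
                "References": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12730"],
            },
            {
                "VulnerabilityID": "CVE-0000-00000",  # placeholder id, constructed
                "PkgName": "examplelib",
                "InstalledVersion": "1.0.0",
                "FixedVersion": "",  # no fixed package available yet
                "Severity": "CRITICAL",
                "Title": "",
                "Description": "constructed finding with no fixed version",
                "References": [],
            },
        ],
    },
    # Trivy emits null (None) instead of an empty list for a clean target.
    {"Target": "image_name:1.4 (alpine 3.10.1)", "Vulnerabilities": None},
]


def findings(result: List[dict]) -> List[dict]:
    """Flatten all targets into one list, tagging each finding with its target."""
    out = []
    for target in result:
        for vuln in target.get("Vulnerabilities") or []:
            out.append({**vuln, "Target": target["Target"]})
    return out


def count_by_severity(result: List[dict]) -> Dict[str, int]:
    return dict(Counter(v["Severity"] for v in findings(result)))


def at_or_above(result: List[dict], threshold: str) -> List[dict]:
    """Findings whose severity is at least `threshold`, most severe first."""
    floor = SEVERITY_RANK[threshold]
    hits = [v for v in findings(result) if SEVERITY_RANK.get(v["Severity"], 0) >= floor]
    return sorted(hits, key=lambda v: SEVERITY_RANK.get(v["Severity"], 0), reverse=True)


def fixable(vulns: List[dict]) -> List[dict]:
    """Findings for which the distribution already ships a fixed package."""
    return [v for v in vulns if v.get("FixedVersion")]


def scan_passes(result: List[dict], threshold: str = "HIGH", fixable_only: bool = False) -> bool:
    """Pipeline gate: fail when any finding reaches the threshold.  With
    fixable_only=True, findings that have no fixed version yet are still
    reported but do not fail the build."""
    hits = at_or_above(result, threshold)
    if fixable_only:
        hits = fixable(hits)
    return not hits


def slack_payload(result: List[dict], threshold: str = "HIGH") -> dict:
    """Body for a Slack incoming webhook; {"text": ...} is the minimal form."""
    lines = []
    for v in at_or_above(result, threshold):
        fix = f"fixed in {v['FixedVersion']}" if v.get("FixedVersion") else "no fix available"
        lines.append(f"{v['Severity']} {v['VulnerabilityID']} {v['PkgName']} "
                     f"{v['InstalledVersion']} ({fix}) in {v['Target']}")
    counts = ", ".join(f"{k}: {n}" for k, n in sorted(count_by_severity(result).items()))
    header = f"ECR scan: {len(lines)} finding(s) at or above {threshold} [{counts}]"
    return {"text": "\n".join([header, *lines])}


def post_to_slack(payload: dict) -> bool:
    """Send the payload to $SLACK_WEBHOOK (the variable the README's --slack
    option reads).  Returns False without sending when it is unset."""
    url = os.environ.get("SLACK_WEBHOOK")
    if not url:
        return False
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status == 200


if __name__ == "__main__":
    print(json.dumps(slack_payload(SCAN_RESULT), indent=2))
    print("passes:", scan_passes(SCAN_RESULT, "HIGH"),
          "passes (fixable only):", scan_passes(SCAN_RESULT, "HIGH", fixable_only=True))
```

The fixable_only switch matters in practice: a CRITICAL finding with no fixed package cannot be resolved by rebuilding the image, so gating on it only blocks every deploy until the distribution ships a fix, while the Slack message still records it.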

Configuration Parameter

Parameters are specified in ecranner.yml.

Command options

option        required  default         description
-f, --file    false     ./ecranner.yml  Path to the YAML configuration file. Specify this option if you change the configuration filename.
--env-file    false     ./.env          Path to a .env file. A .env file found in the current directory is loaded automatically.
--slack       false     N/A             Send the scan result to Slack. To use this option, set the incoming webhook URL as an environment variable: export SLACK_WEBHOOK=https://xxxxxxxxxx
--rm          false     N/A             Remove images after scanning with Trivy.
-q, --quiet   false     N/A             Suppress log messages.
--no-cache    false     N/A             Not implemented yet, so this option cannot be used. Disables cache storage. This command does not use a cache, but the Trivy command does.
-h, --help    false     N/A             Show command option usage.

Download files

Source distribution: ecranner-0.0.2.tar.gz (15.6 kB)

Built distribution: ecranner-0.0.2-py3-none-any.whl (17.9 kB, Python 3)
