Enhancing Container Security in the CI/CD Pipeline with Amazon Inspector
- Written by:
- Hiten Vadaliya
- October 24, 2024
- AWS, CI/CD, Security
- No Comments
Continuous integration and delivery (CI/CD) pipelines are essential for speeding up development and deployment procedures in contemporary software development. However, protecting these containers from vulnerabilities has grown crucial as containerized applications proliferate. In this situation, Amazon Inspector can be quite helpful in improving security in the CI/CD pipeline, especially for images stored in the Elastic Container Registry (ECR).
Why Container Security Is Important for CI/CD Processes?
How Amazon Inspector Works in CI/CD Pipelines
Any container image sent to the ECR repository is examined for vulnerabilities prior to being utilized in production when images are scanned using Amazon Inspector. An outline of the workflow we’ll use is provided here:
- Push an image to the ECR: A scan is initiated each time a new image is pushed.
- Obtain the scan’s findings: Amazon Inspector focuses on key findings while searching for vulnerabilities.
- Conditional logic:
- If critical vulnerabilities are found, the image is deleted.
- If no issues are detected, the image is re-tagged and pushed for deployment.
A useful code sample for incorporating this reasoning into a CI/CD pipeline may be found below.
Implementing Amazon Inspector in the CI/CD Pipeline
Below is a code snippet for automating Amazon Inspector scans in a Jenkins CI/CD pipeline. This script scans an image in Amazon ECR, retrieves scan findings, and responds based on the scan results:
// Image scan inspection logic
def inspectECRImage(config) {
echo "Triggering Amazon Inspector scan for the ECR image"
// Wait for scan to complete
echo "Waiting for the image scan to complete..."
sleep(time: 60, unit: 'SECONDS')
// Retrieve scan findings
def findings = sh(script: """
export TAG=`echo ${env.BRANCH_NAME}-inspector-scan | tr /+ -`
if [ \"""" + config.TAG + """\" != "" ]; then
aws ecr describe-image-scan-findings --repository-name """ + config.IMG + """ --image-id imageTag=""" + config.TAG + """ --query 'imageScanFindings.findings[?severity==`CRITICAL`]' --output json
else
aws ecr describe-image-scan-findings --repository-name """ + config.IMG + """ --image-id imageTag=\${TAG} --query 'imageScanFindings.findings[?severity==`CRITICAL`]' --output json
fi
""", returnStdout: true).trim()
// Check for critical vulnerabilities
if (findings != "[]") {
echo "Critical vulnerabilities found in the ECR image. Deleting the image."
deletePushedImage(config)
} else {
echo "No critical vulnerabilities found. Proceeding to re-tag and push the image."
reTagAndPushImage(config)
}
}
// Function to delete the pushed image with the specified tag
def deletePushedImage(config) {
sh """
export TAG=`echo ${env.BRANCH_NAME}-inspector-scan | tr /+ -`
aws ecr batch-delete-image --repository-name ${config.IMG} --image-ids imageTag=\${TAG}
"""
echo "Image with tag '${env.BRANCH_NAME}-inspector-scan' deleted from ECR."
}
// Function to re-tag the image with the final tag and push it
def reTagAndPushImage(config) {
sh """
#!/bin/bash
# Login to ECR
docker login -u AWS -p \$(aws ecr get-login-password --region YOUR_REGION) YOUR_ACCOUNT_ID.dkr.ecr.YOUR_REGION.amazonaws.com &> /dev/null
# Set the tag values
TAG=\$(echo ${env.BRANCH_NAME} | tr /+ -)
INSPECTOR_TAG=\$(echo ${env.BRANCH_NAME}-inspector-scan | tr /+ -)
# Delete the old image with the original tag, if it exists
echo "Deleting the old image with tag '\${TAG}' from ECR..."
aws ecr batch-delete-image --repository-name ${config.IMG} --image-ids imageTag=\${TAG} || echo "No existing image with tag '\${TAG}' to delete."
# Re-tag the inspector scan image back to the original tag
echo "Re-tagging image from '\${INSPECTOR_TAG}' to '\${TAG}'..."
docker tag YOUR_ACCOUNT_ID.dkr.ecr.YOUR_REGION.amazonaws.com/${config.IMG}:\${INSPECTOR_TAG} \
YOUR_ACCOUNT_ID.dkr.ecr.YOUR_REGION.amazonaws.com/${config.IMG}:\${TAG}
# Push the re-tagged image to ECR
echo "Pushing the re-tagged image with tag '\${TAG}' to ECR..."
docker push YOUR_ACCOUNT_ID.dkr.ecr.YOUR_REGION.amazonaws.com/${config.IMG}:\${TAG}
# Delete the inspector scan image after re-tagging
echo "Deleting the inspector scan image with tag '\${INSPECTOR_TAG}' from ECR..."
aws ecr batch-delete-image --repository-name ${config.IMG} --image-ids imageTag=\${INSPECTOR_TAG}
"""
echo "Docker image re-tagged to '${env.BRANCH_NAME}' and inspector scan image deleted from ECR."
}
How the Code Works:
Triggering the Scan:
TheinspectECRImagefunction triggers an Amazon Inspector scan for the pushed ECR image. It waits for the scan to complete, ensuring the image has been analyzed thoroughly.Retrieving Findings:
The script queries Amazon Inspector for critical vulnerabilities in the image using theaws ecr describe-image-scan-findingscommand.Handling Vulnerabilities:
- If critical vulnerabilities are found, the
deletePushedImagefunction removes the image from the ECR repository to avoid accidental deployment. - If no vulnerabilities are detected, the
reTagAndPushImagefunction re-tags the image with the appropriate branch name and pushes it for deployment.
- If critical vulnerabilities are found, the
Conclusion:
Integrating Amazon Inspector into your CI/CD pipeline enables proactive security measures, helping identify vulnerabilities before deploying container images to production. By automating the inspection and handling of scan results, you can maintain a robust security posture and minimize the risks associated with containerized applications. Adopting Amazon Inspector into your workflows not only boosts security but also aligns with best practices in secure software delivery.
By following the code implementation and best practices shared here, you can strengthen your CI/CD pipeline with automated image security, protecting your applications from known vulnerabilities.