Overview
A Construct for AWS CDK, which uses Dockle to perform security diagnostics on container images, is published on Construct Hub.
Dockle
Dockle is a container image linter for security. It inspects a built image (rather than the Dockerfile text) against the CIS Docker Benchmark checkpoints and Dockerfile best practices, reports each finding under a checkpoint ID such as CIS-DI-0009 with a severity level, and suggests a remedy for it.
Advantages for this Construct
This Construct can do the following:
- Scan container images with Dockle in the CDK layer (during cdk deploy).
- Avoid an extra build: the scan runs against the DockerImageAsset that cdk deploy has already built and pushed to the CDK asset repository.
- Stop the push of the application image to ECR when Dockle reports findings.
image-scanner-with-dockle
The Construct I created this time has been published on Construct Hub under the name "image-scanner-with-dockle".
Publishing to Construct Hub requires publishing to npm first, so the package is also available on npm under the same name.
The source is on GitHub if you would like to take a look.
How to use
Install
First, install the package in your CDK repository:
npm install image-scanner-with-dockle
Use Construct
ImageScannerWithDockle is the Construct to instantiate. The example below assumes it runs inside a Stack constructor (this) whose props carry an ecrTag, and uses ECRDeployment from the cdk-ecr-deployment package to copy the scanned asset into the application repository.
import { resolve } from "path";
import { RemovalPolicy } from "aws-cdk-lib";
import { Repository } from "aws-cdk-lib/aws-ecr";
import { DockerImageAsset } from "aws-cdk-lib/aws-ecr-assets";
import { DockerImageName, ECRDeployment } from "cdk-ecr-deployment";
import { ImageScannerWithDockle } from "image-scanner-with-dockle";

// Application repository that the image is copied into once the scan passes.
this.repository = new Repository(this, "ImageRepository", {
  removalPolicy: RemovalPolicy.DESTROY,
  autoDeleteImages: true,
});
// Build the image from the Dockerfile; cdk deploy pushes it to the CDK asset repository.
const image = new DockerImageAsset(this, "DockerImage", {
  directory: resolve(__dirname, "../../.."),
});
// Scan the pushed asset with Dockle. Checkpoints listed in `ignore` are not counted as findings.
const imageScannerWithDockle = new ImageScannerWithDockle(this, "ImageScannerWithDockle", {
  imageUri: image.imageUri,
  repository: image.repository,
  ignore: ["CIS-DI-0009"],
});
// Copy the asset into the application repository. The addDependency call below makes this
// run after the scan, so if ImageScannerWithDockle reports findings the ECRDeployment is
// never executed and the deployment fails.
const ecrDeployment = new ECRDeployment(this, "DeployImage", {
  src: new DockerImageName(image.imageUri),
  dest: new DockerImageName(`${this.repository.repositoryUri}:${props.ecrTag}`),
});
ecrDeployment.node.addDependency(imageScannerWithDockle);
Stop image push on vulnerability detection
As shown in the example above, ecrDeployment.node.addDependency(imageScannerWithDockle) makes the ECRDeployment depend on ImageScannerWithDockle, so ImageScannerWithDockle runs first. If it detects a vulnerability its custom resource fails, CloudFormation never creates the ECRDeployment, and the image is not pushed to the application ECR repository.
Note that the DockerImageAsset itself is still built and pushed to the CDK bootstrap asset repository before the scan can run; what the dependency gates is only the copy into the application repository. Without the addDependency call the two resources are independent, and CloudFormation may create the ECRDeployment before or in parallel with the scan.
ignore
Checkpoints you want to ignore can be listed in the ignore parameter by their Dockle checkpoint ID. If nothing is to be ignored, the ignore parameter can be omitted.
const imageScannerWithDockle = new ImageScannerWithDockle(this, "ImageScannerWithDockle", {
imageUri: image.imageUri,
repository: image.repository,
ignore: ["CIS-DI-0002", "CIS-DI-0003"],
});
See the Dockle documentation for the list of checkpoint IDs and what each one checks.
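As an added example (not the construct's or Dockle's own code) of how the gate described in the two sections above could be implemented inside the scanner's custom resource: parse Dockle's JSON report (the stdout of `dockle -f json <image>`), drop the checkpoints listed in ignore, and fail when anything at or above the exit level remains. The function names, the fail-closed handling of unknown levels, the up-front validation of ignore IDs, and the sample report are assumptions made for this example.

```typescript
// Added example, not the construct's own code: the gate logic a scanner
// custom resource could apply to Dockle's JSON report before letting the
// ECR push proceed. Assumed input: the stdout of `dockle -f json <image>`.

type DockleLevel = "FATAL" | "WARN" | "INFO" | "SKIP" | "PASS";

interface DockleDetail {
  code: string;      // checkpoint ID, e.g. CIS-DI-0001 or DKL-DI-0001
  title: string;
  level: DockleLevel;
  alerts: string[];
}

interface DockleReport {
  summary: Record<string, number>;
  details: DockleDetail[];
}

interface GateResult {
  ok: boolean;               // true when the deployment may continue
  failing: DockleDetail[];   // findings at or above exitLevel that were not ignored
  ignored: DockleDetail[];   // findings suppressed by the ignore list
  message: string;           // text suitable for failing the custom resource with
}

// Higher rank = more severe. Dockle's own --exit-level defaults to WARN.
const LEVEL_RANK: Record<DockleLevel, number> = { PASS: 0, SKIP: 1, INFO: 2, WARN: 3, FATAL: 4 };

// Dockle checkpoint IDs follow CIS-DI-nnnn, DKL-DI-nnnn or DKL-LI-nnnn.
// Validating the ignore list up front catches typos that would otherwise
// silently ignore nothing (hypothetical check, not part of the construct).
const CHECKPOINT_ID = /^(CIS-DI|DKL-DI|DKL-LI)-\d{4}$/;

function invalidIgnoreIds(ignore: string[]): string[] {
  return ignore.filter((id) => !CHECKPOINT_ID.test(id));
}

function evaluateDockleReport(
  reportJson: string,
  ignore: string[] = [],
  exitLevel: DockleLevel = "WARN",
): GateResult {
  const bad = invalidIgnoreIds(ignore);
  if (bad.length > 0) {
    throw new Error(`invalid checkpoint IDs in ignore list: ${bad.join(", ")}`);
  }
  const report = JSON.parse(reportJson) as DockleReport;
  const ignoreSet = new Set(ignore);
  const threshold = LEVEL_RANK[exitLevel];

  const failing: DockleDetail[] = [];
  const ignored: DockleDetail[] = [];
  for (const d of report.details ?? []) {
    if (ignoreSet.has(d.code)) {
      ignored.push(d);
    } else if ((LEVEL_RANK[d.level] ?? LEVEL_RANK.FATAL) >= threshold) {
      // An unknown level is treated as FATAL so a report format change fails closed.
      failing.push(d);
    }
  }

  const ok = failing.length === 0;
  const message = ok
    ? `dockle: no findings at or above ${exitLevel} (${ignored.length} ignored)`
    : "dockle: deployment blocked by " +
      failing.map((d) => `${d.code} [${d.level}] ${d.title}: ${d.alerts.join("; ")}`).join(" | ");
  return { ok, failing, ignored, message };
}

// Constructed sample report in Dockle's JSON layout (not real scan output).
const SAMPLE_REPORT = JSON.stringify({
  summary: { fatal: 0, warn: 2, info: 1, skip: 0, pass: 13 },
  details: [
    { code: "CIS-DI-0001", title: "Create a user for the container", level: "WARN",
      alerts: ["Last user should not be root"] },
    { code: "CIS-DI-0009", title: "Use COPY instead of ADD in Dockerfile", level: "WARN",
      alerts: ["Use COPY : ADD instruction found in an image layer"] },
    { code: "CIS-DI-0005", title: "Enable Content trust for Docker", level: "INFO",
      alerts: ["export DOCKER_CONTENT_TRUST=1 before docker pull/build"] },
  ],
});

// Same ignore list as the page's example: CIS-DI-0009 is suppressed, but
// CIS-DI-0001 (the container runs as root) still blocks the push.
const gate = evaluateDockleReport(SAMPLE_REPORT, ["CIS-DI-0009"]);
console.log(gate.message);
```

Dockle exits 0 even when it reports findings unless it is run with --exit-code 1 (together with --exit-level, which defaults to warn), so a custom resource that only checks the process exit status will never block anything. Parsing the JSON report as above makes the decision explicit and lets the ignore list be validated before the scan runs; Dockle's own -i flag can additionally skip a checkpoint at scan time.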
SingletonFunction
This construct runs Dockle from a custom resource Lambda in AWS CDK.
When a stack builds several images, ImageScannerWithDockle is instantiated once per image, and generating a separate Lambda function with identical code for each instance would be wasteful.
This Construct therefore creates the Lambda with the CDK SingletonFunction construct, which deploys a single function per stack, identified by a fixed UUID, and reuses it no matter how many times ImageScannerWithDockle is instantiated.
See the construct's source on GitHub for how it is used.
Trivy version
I used Dockle for this project, but I have also published a library that uses Trivy, if you would prefer that scanner.
Finally
I made this because there was a case where I wanted to perform image scanning by Dockle in an environment that fully utilizes AWS CDK.