services.x-ecr ¶

          services:
  serviceA:
    image: 012345678912.dkr.region.amazonaws.com/repo:tag
    x-ecr:
      InterpolateWithDigest: bool
      VulnerabilitiesScan:
        IgnoreFailure: bool
        TreatFailedAs: str
        Thresholds:
          CRITICAL: number
          HIGH: number
          MEDIUM: number
          LOW: number
        RoleArn: str

         

InterpolateWithDigest ¶

When the image comes from ECR, we can very easily identify the image digest (sha256) for it and use that instead of a tag. However not as human user friendly, this allows to always point to the same image regardless of tags change.

Type	Boolean
Default	False
Required	False

VulnerabilitiesScan ¶

Most companies running applications in AWS use the power of AWS ECR to store their docker images, and most use the free scan feature to detect security vulnerabilities by scanning the content of the images and match it against CVE databases.

To validate that the images that we are about to use, ECS Compose-X uses ECR Scan Reporter as a library to perform some images securities evaluations.

Type	Object
Default	None
Required	False

IgnoreFailure ¶

Boolean to indicate that, although you wanted the scan to be evaluated, it won’t stop compose-x execution.

Type	Boolean
Default	True
Required	False

TreatFailedAs ¶

When the scan status is FAILED (unsupported image for example), allow do define whether that is fine or not.

Type	Boolean
Default	Failure
Required	False
Allowed Values	Success Failure

Thresholds ¶

Allows you to define the level for evaluation that you wish to have for stopping the execution.

Type	Object
Default	CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 0
Required	False
Allowed Attributes	CRITICAL HIGH MEDIUM LOW

RoleArn ¶

Warning

use with caution

This allows you to give a specific IAM role for probing ECR if the repository is shared across accounts.

Examples ¶

           services:
  grafana:
    x-ecr:
      InterpolateWithDigest: true
      VulnerabilitiesScan:
        IgnoreFailure: false
        Thresholds:
          CRITICAL: 0
          HIGH: 5
          MEDIUM: 10
          LOW: 10

          

Requirements ¶

It uses ECR Scan Reporter as a library to communicate with AWS ECR and trigger actions. If ECR Scan Reporter is not installed, this is ignored all together, but won’t fail ECS Compose-X execution.

JSON Schema ¶

Model ¶

services.x-ecr specification ¶

services.x-ecr
The services.x-ecr specification for ComposeX
type	object
properties
VulnerabilitiesScan	#/definitions/ScanDef
RoleArn	A role ARN to use for assume role for subsequent API calls to ECR
	type	string
InterpolateWithDigest	When true, replaces the image tag with the image digest
	type	boolean
additionalProperties	False
definitions
ScanDef	type	object
	properties
	IgnoreFailure	Whether or not the execution should fail if the scan is unsuccessful
		type	boolean
		default	False
	TreatFailedAs	For images where scan was failed, ignore failure?
		type	string
		enum	Success, Failure
	Thresholds	type	object
		properties
		CRITICAL	#/definitions/ThresholdDef
		HIGH	#/definitions/ThresholdDef
		MEDIUM	#/definitions/ThresholdDef
		LOW	#/definitions/ThresholdDef
	RoleArn	A role ARN to use for assume role for subsequent API calls to ECR
		type	string
ThresholdDef	type	number
	minimum	0

Definition ¶

            {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "id": "services.x-ecr",
  "$id": "services.x-ecr.spec.json",
  "type": "object",
  "title": "services.x-ecr specification",
  "description": "The services.x-ecr specification for ComposeX",
  "additionalProperties": false,
  "properties": {
    "VulnerabilitiesScan": {
      "$ref": "#/definitions/ScanDef"
    },
    "RoleArn": {
      "type": "string",
      "description": "A role ARN to use for assume role for subsequent API calls to ECR"
    },
    "InterpolateWithDigest": {
      "type": "boolean",
      "description": "When true, replaces the image tag with the image digest"
    }
  },
  "definitions": {
    "ScanDef": {
      "type": "object",
      "properties": {
        "IgnoreFailure": {
          "type": "boolean",
          "description": "Whether or not the execution should fail if the scan is unsuccessful",
          "default": false
        },
        "TreatFailedAs": {
          "type": "string",
          "enum": [
            "Success",
            "Failure"
          ],
          "description": "For images where scan was failed, ignore failure?"
        },
        "Thresholds": {
          "type": "object",
          "properties": {
            "CRITICAL": {
              "$ref": "#/definitions/ThresholdDef"
            },
            "HIGH": {
              "$ref": "#/definitions/ThresholdDef"
            },
            "MEDIUM": {
              "$ref": "#/definitions/ThresholdDef"
            },
            "LOW": {
              "$ref": "#/definitions/ThresholdDef"
            }
          }
        },
        "RoleArn": {
          "type": "string",
          "description": "A role ARN to use for assume role for subsequent API calls to ECR"
        }
      }
    },
    "ThresholdDef": {
      "type": "number",
      "minimum": 0
    }
  }
}

           