services.x-ecr

Syntax Reference

services:
  serviceA:
    image: 012345678912.dkr.region.amazonaws.com/repo:tag
    x-ecr:
      InterpolateWithDigest: bool
      VulnerabilitiesScan:
        IgnoreFailure: bool
        TreatFailedAs: str
        Thresholds:
          CRITICAL: number
          HIGH: number
          MEDIUM: number
          LOW: number
        RoleArn: str

InterpolateWithDigest

When the image comes from ECR, we can very easily identify the image digest (sha256) for it and use that instead of a tag. However not as human user friendly, this allows to always point to the same image regardless of tags change.

Type

Boolean

Default

False

Required

False

VulnerabilitiesScan

Most companies running applications in AWS use the power of AWS ECR to store their docker images, and most use the free scan feature to detect security vulnerabilities by scanning the content of the images and match it against CVE databases.

To validate that the images that we are about to use, ECS Compose-X uses ECR Scan Reporter as a library to perform some images securities evaluations.

Type

Object

Default

None

Required

False

IgnoreFailure

Boolean to indicate that, although you wanted the scan to be evaluated, it won’t stop compose-x execution.

Type

Boolean

Default

True

Required

False

TreatFailedAs

When the scan status is FAILED (unsupported image for example), allow do define whether that is fine or not.

Type

Boolean

Default

Failure

Required

False

Allowed Values

  • Success

  • Failure

Thresholds

Allows you to define the level for evaluation that you wish to have for stopping the execution.

Type

Object

Default

CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 0

Required

False

Allowed Attributes

  • CRITICAL

  • HIGH

  • MEDIUM

  • LOW

RoleArn

Warning

use with caution

This allows you to give a specific IAM role for probing ECR if the repository is shared across accounts.

Examples

services:
  grafana:
    x-ecr:
      InterpolateWithDigest: true
      VulnerabilitiesScan:
        IgnoreFailure: false
        Thresholds:
          CRITICAL: 0
          HIGH: 5
          MEDIUM: 10
          LOW: 10