services.x-ecr ¶
services:
  serviceA:
    image: 012345678912.dkr.region.amazonaws.com/repo:tag
    x-ecr:
      InterpolateWithDigest: bool
      VulnerabilitiesScan:
        IgnoreFailure: bool
        TreatFailedAs: str
        Thresholds:
          CRITICAL: number
          HIGH: number
          MEDIUM: number
          LOW: number
      RoleArn: str
InterpolateWithDigest ¶
When the image comes from ECR, we can very easily look up its image digest (sha256) and use that instead of a tag. Although a digest is less human friendly, it guarantees that the service always points to the same image content, even if the tag is later moved to a different image.
Type: Boolean
Default: False
Required: False
VulnerabilitiesScan ¶
Most companies running applications in AWS use AWS ECR to store their docker images, and most use the free scan feature, which inspects the content of the images and matches it against CVE databases to detect security vulnerabilities.
To validate the images that are about to be used, ECS Compose-X uses ECR Scan Reporter as a library to perform security evaluations of those images.
Type: Object
Default: None
Required: False
IgnoreFailure ¶
Boolean to indicate that, although you want the scan to be evaluated, a failed evaluation won't stop compose-x execution.
Type: Boolean
Default: True
Required: False
TreatFailedAs ¶
When the scan status is FAILED (for example, an unsupported image), this lets you define whether that outcome is acceptable or not.
Type: String
Default: Failure
Required: False
Allowed Values: Success, Failure
Thresholds ¶
Lets you define, per severity level, the vulnerability thresholds used to decide whether the execution should be stopped.
Type: Object
Default: CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 0
Required: False
Allowed Attributes: CRITICAL, HIGH, MEDIUM, LOW
RoleArn ¶
Warning
use with caution
This allows you to specify an IAM role to assume for probing ECR when the repository is shared across accounts.
Examples ¶
services:
  grafana:
    x-ecr:
      InterpolateWithDigest: true
      VulnerabilitiesScan:
        IgnoreFailure: false
        Thresholds:
          CRITICAL: 0
          HIGH: 5
          MEDIUM: 10
          LOW: 10
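To show how the IgnoreFailure, TreatFailedAs and Thresholds settings above combine into a stop/continue decision, here is an added example evaluator; it is not ECS Compose-X or ECR Scan Reporter code. The input mimics the shape of ECR's DescribeImageScanFindings response, the sample values are constructed, and the rule "a severity count strictly greater than its threshold fails the image" is an assumption consistent with the documented default of 0 for every level.

```python
"""Evaluate one ECR image scan against x-ecr VulnerabilitiesScan settings."""
from typing import Tuple

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def evaluate_scan(scan: dict, settings: dict) -> Tuple[bool, str]:
    """Return (stop_execution, reason) for one image.

    `scan` follows the imageScanStatus / imageScanFindings layout of the ECR
    API; `settings` is the VulnerabilitiesScan mapping from the compose file.
    """
    thresholds = {s: 0 for s in SEVERITIES}  # documented default: all 0
    thresholds.update(settings.get("Thresholds", {}))
    ignore_failure = settings.get("IgnoreFailure", False)
    treat_failed_as = settings.get("TreatFailedAs", "Failure")

    status = scan["imageScanStatus"]["status"]
    if status == "FAILED":
        # Unsupported image or broken scan: TreatFailedAs decides the outcome.
        failed = treat_failed_as == "Failure"
        reason = f"scan status FAILED, TreatFailedAs={treat_failed_as}"
    else:
        counts = scan.get("imageScanFindings", {}).get("findingSeverityCounts", {})
        exceeded = [
            f"{s}={counts.get(s, 0)}>{thresholds[s]}"
            for s in SEVERITIES
            if counts.get(s, 0) > thresholds[s]  # assumed rule: strictly greater fails
        ]
        failed = bool(exceeded)
        reason = ("thresholds exceeded: " + ", ".join(exceeded)) if exceeded else "within thresholds"

    # IgnoreFailure: the evaluation is still performed and reported,
    # but it never stops compose-x execution.
    stop = failed and not ignore_failure
    return stop, reason


# Constructed sample inputs (not real scan results).
SETTINGS = {"IgnoreFailure": False, "Thresholds": {"CRITICAL": 0, "HIGH": 5, "MEDIUM": 10, "LOW": 10}}
COMPLETE_SCAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"HIGH": 7, "MEDIUM": 3}},
}
FAILED_SCAN = {"imageScanStatus": {"status": "FAILED", "description": "UnsupportedImageError"}}

if __name__ == "__main__":
    for name, scan in (("complete", COMPLETE_SCAN), ("failed", FAILED_SCAN)):
        print(name, evaluate_scan(scan, SETTINGS))
```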
Requirements ¶
It uses ECR Scan Reporter as a library to communicate with AWS ECR and trigger actions. If ECR Scan Reporter is not installed, this section is ignored altogether and does not fail ECS Compose-X execution.
JSON Schema ¶
Model ¶
services.x-ecr specification ¶
services.x-ecr: The services.x-ecr specification for ComposeX
type: object
additionalProperties: False
properties:
  VulnerabilitiesScan: #/definitions/ScanDef
  RoleArn (string): A role ARN to use for assume role for subsequent API calls to ECR
  InterpolateWithDigest (boolean): When true, replaces the image tag with the image digest
definitions:
  ScanDef (object), properties:
    IgnoreFailure (boolean, default False): Whether or not the execution should fail if the scan is unsuccessful
    TreatFailedAs (string, enum: Success, Failure): For images where scan was failed, ignore failure?
    Thresholds (object), properties:
      CRITICAL: #/definitions/ThresholdDef
      HIGH: #/definitions/ThresholdDef
      MEDIUM: #/definitions/ThresholdDef
      LOW: #/definitions/ThresholdDef
    RoleArn (string): A role ARN to use for assume role for subsequent API calls to ECR
  ThresholdDef: type number, minimum 0
Definition ¶
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "id": "services.x-ecr",
  "$id": "services.x-ecr.spec.json",
  "type": "object",
  "title": "services.x-ecr specification",
  "description": "The services.x-ecr specification for ComposeX",
  "additionalProperties": false,
  "properties": {
    "VulnerabilitiesScan": {
      "$ref": "#/definitions/ScanDef"
    },
    "RoleArn": {
      "type": "string",
      "description": "A role ARN to use for assume role for subsequent API calls to ECR"
    },
    "InterpolateWithDigest": {
      "type": "boolean",
      "description": "When true, replaces the image tag with the image digest"
    }
  },
  "definitions": {
    "ScanDef": {
      "type": "object",
      "properties": {
        "IgnoreFailure": {
          "type": "boolean",
          "description": "Whether or not the execution should fail if the scan is unsuccessful",
          "default": false
        },
        "TreatFailedAs": {
          "type": "string",
          "enum": [
            "Success",
            "Failure"
          ],
          "description": "For images where scan was failed, ignore failure?"
        },
        "Thresholds": {
          "type": "object",
          "properties": {
            "CRITICAL": {
              "$ref": "#/definitions/ThresholdDef"
            },
            "HIGH": {
              "$ref": "#/definitions/ThresholdDef"
            },
            "MEDIUM": {
              "$ref": "#/definitions/ThresholdDef"
            },
            "LOW": {
              "$ref": "#/definitions/ThresholdDef"
            }
          }
        },
        "RoleArn": {
          "type": "string",
          "description": "A role ARN to use for assume role for subsequent API calls to ECR"
        }
      }
    },
    "ThresholdDef": {
      "type": "number",
      "minimum": 0
    }
  }
}