services.x-ecr

services:
  serviceA:
    image: 012345678912.dkr.region.amazonaws.com/repo:tag
    x-ecr:
      InterpolateWithDigest: bool
      VulnerabilitiesScan:
        IgnoreFailure: bool
        TreatFailedAs: str
        Thresholds:
          CRITICAL: number
          HIGH: number
          MEDIUM: number
          LOW: number
        RoleArn: str

InterpolateWithDigest

When the image comes from ECR, its digest (sha256) can easily be resolved and used in place of the tag. A digest is less human-friendly than a tag, but it always points to the same image, even if the tag is later moved to a different image.

Type

Boolean

Default

False

Required

False

VulnerabilitiesScan

Most companies running applications in AWS use AWS ECR to store their docker images, and most use the free scan feature to detect security vulnerabilities by scanning the content of the images and matching it against CVE databases.

To validate the images that are about to be used, ECS Compose-X uses ECR Scan Reporter as a library to perform some security evaluations of the images.

Type

Object

Default

None

Required

False

IgnoreFailure

Boolean indicating that, although you want the scan to be evaluated, a failed evaluation won’t stop compose-x execution.

Type

Boolean

Default

True

Required

False

TreatFailedAs

When the scan status is FAILED (for example, for an unsupported image), allows you to define whether that is acceptable or not.

Type

Boolean

Default

Failure

Required

False

Allowed Values

  • Success

  • Failure

Thresholds

Allows you to define, per severity level, the threshold of findings at which the evaluation stops the execution.

Type

Object

Default

CRITICAL: 0
HIGH: 0
MEDIUM: 0
LOW: 0

Required

False

Allowed Attributes

  • CRITICAL

  • HIGH

  • MEDIUM

  • LOW

RoleArn

Warning

Use with caution.

This allows you to give a specific IAM role for probing ECR if the repository is shared across accounts.

Examples

services:
  grafana:
    x-ecr:
      InterpolateWithDigest: true
      VulnerabilitiesScan:
        IgnoreFailure: false
        Thresholds:
          CRITICAL: 0
          HIGH: 5
          MEDIUM: 10
          LOW: 10
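To make the evaluation concrete, here is an added example (not ECS Compose-X's or ECR Scan Reporter's own code) that loads the VulnerabilitiesScan settings of the grafana block above and applies them to a constructed scan result shaped like ECR's image scan findings output. The strict "count above threshold" comparison and the scan status names used are assumptions of this example.

```python
from dataclasses import dataclass, field

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
ALLOWED_TREAT_FAILED_AS = ("Success", "Failure")


@dataclass
class ScanPolicy:
    """VulnerabilitiesScan settings, defaults as described in the attributes above."""
    ignore_failure: bool = True
    treat_failed_as: str = "Failure"
    thresholds: dict = field(default_factory=lambda: {s: 0 for s in SEVERITIES})


def policy_from_config(vuln_scan: dict) -> ScanPolicy:
    """Validate and load the VulnerabilitiesScan mapping of an x-ecr block."""
    treat_failed_as = vuln_scan.get("TreatFailedAs", "Failure")
    if treat_failed_as not in ALLOWED_TREAT_FAILED_AS:
        raise ValueError(f"TreatFailedAs must be one of {ALLOWED_TREAT_FAILED_AS}")
    thresholds = {s: 0 for s in SEVERITIES}
    for sev, limit in vuln_scan.get("Thresholds", {}).items():
        if sev not in SEVERITIES or limit < 0:  # schema: known severity, minimum 0
            raise ValueError(f"Invalid threshold {sev}: {limit}")
        thresholds[sev] = limit
    return ScanPolicy(vuln_scan.get("IgnoreFailure", True), treat_failed_as, thresholds)


def evaluate_scan(scan_status: str, severity_counts: dict, policy: ScanPolicy):
    """Return (stop_execution, reasons) for one image.
    scan_status mirrors ECR's imageScanStatus.status ("COMPLETE", "FAILED", ...) and
    severity_counts mirrors imageScanFindings.findingSeverityCounts (assumed shapes).
    """
    reasons = []
    if scan_status == "FAILED":
        if policy.treat_failed_as == "Failure":
            reasons.append("scan status FAILED is treated as Failure")
    elif scan_status != "COMPLETE":
        reasons.append(f"scan status {scan_status} cannot be evaluated")
    else:
        for sev in SEVERITIES:
            found, limit = severity_counts.get(sev, 0), policy.thresholds[sev]
            if found > limit:  # assumption: strictly above the threshold is a violation
                reasons.append(f"{sev}: {found} findings exceed threshold {limit}")
    # IgnoreFailure keeps the reasons for reporting but never stops execution.
    return (bool(reasons) and not policy.ignore_failure), reasons


# Constructed sample: the grafana block above, checked against a made-up scan result.
GRAFANA_SCAN = {"IgnoreFailure": False,
                "Thresholds": {"CRITICAL": 0, "HIGH": 5, "MEDIUM": 10, "LOW": 10}}
SAMPLE_COUNTS = {"CRITICAL": 0, "HIGH": 6, "MEDIUM": 3, "INFORMATIONAL": 12}
```

With the sample counts, the six HIGH findings exceed the threshold of 5, so execution stops; severities not listed in the thresholds (such as INFORMATIONAL) are not evaluated.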

Requirements

It uses ECR Scan Reporter as a library to communicate with AWS ECR and trigger actions. If ECR Scan Reporter is not installed, this feature is ignored altogether, but that won’t fail ECS Compose-X execution.

JSON Schema

Model

services.x-ecr specification

services.x-ecr

The services.x-ecr specification for ComposeX

type

object

properties

  • VulnerabilitiesScan

#/definitions/ScanDef

  • RoleArn

A role ARN to use for assume role for subsequent API calls to ECR

type

string

  • InterpolateWithDigest

When true, replaces the image tag with the image digest

type

boolean

additionalProperties

False

definitions

  • ScanDef

type

object

properties

  • IgnoreFailure

Whether or not the execution should fail if the scan is unsuccessful

type

boolean

default

False

  • TreatFailedAs

For images where scan was failed, ignore failure?

type

string

enum

Success, Failure

  • Thresholds

type

object

properties

  • CRITICAL

#/definitions/ThresholdDef

  • HIGH

#/definitions/ThresholdDef

  • MEDIUM

#/definitions/ThresholdDef

  • LOW

#/definitions/ThresholdDef

  • RoleArn

A role ARN to use for assume role for subsequent API calls to ECR

type

string

  • ThresholdDef

type

number

minimum

0

Definition

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "id": "services.x-ecr",
  "$id": "services.x-ecr.spec.json",
  "type": "object",
  "title": "services.x-ecr specification",
  "description": "The services.x-ecr specification for ComposeX",
  "additionalProperties": false,
  "properties": {
    "VulnerabilitiesScan": {
      "$ref": "#/definitions/ScanDef"
    },
    "RoleArn": {
      "type": "string",
      "description": "A role ARN to use for assume role for subsequent API calls to ECR"
    },
    "InterpolateWithDigest": {
      "type": "boolean",
      "description": "When true, replaces the image tag with the image digest"
    }
  },
  "definitions": {
    "ScanDef": {
      "type": "object",
      "properties": {
        "IgnoreFailure": {
          "type": "boolean",
          "description": "Whether or not the execution should fail if the scan is unsuccessful",
          "default": false
        },
        "TreatFailedAs": {
          "type": "string",
          "enum": [
            "Success",
            "Failure"
          ],
          "description": "For images where scan was failed, ignore failure?"
        },
        "Thresholds": {
          "type": "object",
          "properties": {
            "CRITICAL": {
              "$ref": "#/definitions/ThresholdDef"
            },
            "HIGH": {
              "$ref": "#/definitions/ThresholdDef"
            },
            "MEDIUM": {
              "$ref": "#/definitions/ThresholdDef"
            },
            "LOW": {
              "$ref": "#/definitions/ThresholdDef"
            }
          }
        },
        "RoleArn": {
          "type": "string",
          "description": "A role ARN to use for assume role for subsequent API calls to ECR"
        }
      }
    },
    "ThresholdDef": {
      "type": "number",
      "minimum": 0
    }
  }
}