DEV Community

k.goto for AWS Community Builders

Posted on • Edited on

Container image scanning with Dockle in AWS CDK

Overview

A Construct for AWS CDK, which uses Dockle to perform security diagnostics on container images, is published on Construct Hub.


Dockle

Dockle is a container image vulnerability inspection and diagnostic tool that warns and suggests remedies for vulnerabilities in an image built from a Dockerfile.


Advantages for this Construct

This Construct can do the following

  • Scan container images with Dockle in the CDK layer (in cdk deploy).
  • Avoid unnecessary builds and use assets from images built in CDK deploy.
  • Stop application image push to ECR when vulnerabilities are detected.

image-scanner-with-dockle

The Construct I created this time has been published on Construct Hub under the name "image-scanner-with-dockle".

In addition, it is necessary to publish to npm in advance for Construct Hub publication, and the page as an npm package is shown below, see this page.

And while you're at it, take a look at GitHub if you like.


How to use

Install

First, install in the CDK repository.

npm install image-scanner-with-dockle
Enter fullscreen mode Exit fullscreen mode

Use Construct

new ImageScannerWithDockle is the corresponding Construct.

    this.repository = new Repository(this, "ImageRepository", {
      removalPolicy: RemovalPolicy.DESTROY,
      autoDeleteImages: true,
    });

    const image = new DockerImageAsset(this, "DockerImage", {
      directory: resolve(__dirname, "../../.."),
    });

    const imageScannerWithDockle = new ImageScannerWithDockle(this, "ImageScannerWithDockle", {
      imageUri: image.imageUri,
      repository: image.repository,
      ignore: ["CIS-DI-0009"],
    });

    // By adding addDependency, if the vulnerabilities are detected by ImageScannerWithDockle, the following ECRDeployment will not be executed, deployment will fail.
    const ecrDeployment = new ECRDeployment(this, "DeployImage", {
      src: new DockerImageName(image.imageUri),
      dest: new DockerImageName(`${this.repository.repositoryUri}:${props.ecrTag}`),
    });
    ecrDeployment.node.addDependency(imageScannerWithDockle);
Enter fullscreen mode Exit fullscreen mode

Stop image push on vulnerability detection

As shown in the example above, ecrDeployment.node.addDependency(imageScannerWithDockle) will make ECRDeployment depends on ImageScannerWithDockle so that ImageScannerWithDockle is executed first. ImageScannerWithDockle will stop pushing images to the application ECR if it detects a vulnerability.

ignore

Rules you want to ignore can be specified in the ignore parameter. If nothing is to be ignored, the ignore parameter can be omitted.

    const imageScannerWithDockle = new ImageScannerWithDockle(this, "ImageScannerWithDockle", {
      imageUri: image.imageUri,
      repository: image.repository,
      ignore: ["CIS-DI-0002", "CIS-DI-0003"],
    });
Enter fullscreen mode Exit fullscreen mode

See the page for the types of ignore rules.

SingletonFunction

This construct uses a custom resource Lambda in AWS CDK.

You will create (call) ImageScannerWithDockle many times when building multiple images in one stack, and it would be a waste to generate several Lambda functions with the same code each time.

Here, this Construct uses a Construct called SingletonFunction to generate and use only one Lambda so that the same Lambda can be used inside the AWS CDK no matter how many times it is called.

An example of actual use, in source code, is here.


Trivy version

I used Dockle for this project, but I have also published a library that uses Trivy, if you would like to use it!


Finally

I made this because there was a case where I wanted to perform image scanning by Dockle in an environment that fully utilizes AWS CDK.

Top comments (0)