aws_ecr_image resource


Use the aws_ecr_image InSpec audit resource to test the properties of a single image in an AWS Elastic Container Registry (ECR) repository. This resource is available in InSpec AWS resource pack version 1.11.0 onwards.

Syntax

An aws_ecr_image resource block declares the tests for a single image in an AWS ECR repository by repository name and image identifier.

describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
  it { should exist }
end

Parameters

The repository name and the image identifier (either image_tag or image_digest) must be provided. The ID of the registry is optional.

repository_name (required)

The name of the ECR repository must satisfy the following constraints:

  • Matches the regex pattern (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*.
  • Between 2 and 256 characters long.

image_tag (required if image_digest not provided)

The tag used for the image. It cannot be longer than 300 characters.

image_digest (required if image_tag not provided)

The sha256 digest of the image manifest. It must satisfy this regex pattern: [a-zA-Z0-9-_+.]+:[a-fA-F0-9]+.

registry_id (optional)

The 12-digit ID of the AWS Elastic Container Registry. If not provided, the default registry is assumed.
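The following is an added example, not code from the InSpec AWS resource pack: a plain Ruby validator that checks a parameter hash against the constraints listed above (repository name pattern and length, tag length, digest pattern, 12-digit registry ID, and the requirement that exactly one of image_tag or image_digest is given) before the hash is passed to aws_ecr_image. The function name validate_ecr_image_params and the treatment of "both tag and digest supplied" as an error are this example's own choices.

```ruby
# Added example: validates aws_ecr_image parameters against the documented
# constraints. Not part of the InSpec AWS resource pack.

# Repository name pattern from the Parameters section, anchored to the whole string.
REPO_NAME_RE = /\A(?:[a-z0-9]+(?:[._-][a-z0-9]+)*\/)*[a-z0-9]+(?:[._-][a-z0-9]+)*\z/
# Image digest pattern from the Parameters section (e.g. sha256:<hex>).
IMAGE_DIGEST_RE = /\A[a-zA-Z0-9\-_+.]+:[a-fA-F0-9]+\z/
# Registry IDs are 12-digit AWS account IDs.
REGISTRY_ID_RE = /\A\d{12}\z/

# Returns an array of error messages; an empty array means the parameters are valid.
def validate_ecr_image_params(params)
  errors = []

  repo = params[:repository_name]
  if repo.nil? || repo.empty?
    errors << 'repository_name is required'
  else
    errors << 'repository_name must be 2..256 characters long' unless (2..256).cover?(repo.length)
    errors << 'repository_name does not match the ECR naming pattern' unless REPO_NAME_RE.match?(repo)
  end

  tag = params[:image_tag]
  digest = params[:image_digest]
  if tag.nil? && digest.nil?
    errors << 'one of image_tag or image_digest is required'
  elsif tag && digest
    # Assumption of this example: an image is identified by one identifier only.
    errors << 'provide only one of image_tag or image_digest'
  end
  errors << 'image_tag cannot be longer than 300 characters' if tag && tag.length > 300
  errors << 'image_digest must match <algorithm>:<hex>' if digest && !IMAGE_DIGEST_RE.match?(digest)

  registry = params[:registry_id]
  errors << 'registry_id must be a 12-digit account ID' if registry && !REGISTRY_ID_RE.match?(registry.to_s)

  errors
end

# Usage: raise early instead of letting the AWS API reject the request.
if __FILE__ == $PROGRAM_NAME
  problems = validate_ecr_image_params(repository_name: 'My-Repo', image_tag: 'latest')
  puts problems.empty? ? 'parameters OK' : problems.join("\n")
end
```

Running the validator in a profile helper keeps an InSpec control from failing with an opaque AWS error when, for example, a repository name with uppercase letters slips into a variable.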

Properties

repository_name
  The name of the repository.

registry_id
  The AWS account ID associated with the registry that contains the repository.

tags
  The list of tags associated with this image.

vulnerability_severity_counts
  The image vulnerability counts grouped by severity, e.g. {:high=>1}.

vulnerabilities
  A list of hashes, one per image scan finding, with each key-value pair corresponding to a field of that finding. E.g. {:name=>"CVE-2019-14697", :uri=>"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697", :severity=>"HIGH", :package_version=>"1.1.18-r3", :package_name=>"musl", :CVSS2_VECTOR=>"AV:N/AC:L/Au:N/C:P/I:P/A:P", :CVSS2_SCORE=>"7.5"}

cve_ids
  The list of CVE IDs of the vulnerabilities in the image.

highest_vulnerability_severity
  The CVSS v2 score of the most severe vulnerability in the image.

Additional properties are available; for a comprehensive list, see the API reference documentation.

Examples

Test the scan status of an image

describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
  its('image_scan_status.status') { should eq 'COMPLETE' }
end

Test that an image has a certain tag

describe aws_ecr_image(repository_name: 'my-repo', image_digest: 'sha256:687fba9b76554c8dea4c40fed4144011f29b8e1d5db5f2fc976c64ed31894967') do
  its('tags') { should include('latest') }
end

Test that an image does not contain the Heartbleed vulnerability

describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
  its('cve_ids') { should_not include('CVE-2014-0160') }
end

Test that an image does not contain a vulnerability more severe than CVSS v2 score 8

describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
  its('highest_vulnerability_severity') { should be <= 8 }
end
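The next block is an added example, not the resource pack's own implementation, serving both the Properties section and the examples above. It takes a constructed list of scan findings in the same hash layout the vulnerabilities property returns, derives vulnerability_severity_counts, cve_ids and highest_vulnerability_severity from it, and then applies the two policy checks from the examples (no Heartbleed, nothing above CVSS v2 score 8). It also handles the case the examples leave implicit: an image whose scan has not completed has no findings yet, so a should_not include test would pass vacuously, which is why check_image gates on the scan status first. The function names, the scan status strings other than COMPLETE, and all findings except the CVE-2019-14697 entry copied from the table are constructed for this example.

```ruby
# Added example: derives the documented vulnerability properties from scan
# findings and applies the policy checks from the Examples section.
# Not part of the InSpec AWS resource pack.

# Constructed sample findings in the key layout shown in the properties table.
# CVE-2019-14697 is the entry from the table; the CVE-EXAMPLE-* ids are placeholders.
SAMPLE_FINDINGS = [
  { name: 'CVE-2019-14697', severity: 'HIGH', package_name: 'musl',
    package_version: '1.1.18-r3', CVSS2_SCORE: '7.5' },
  { name: 'CVE-EXAMPLE-0002', severity: 'MEDIUM', package_name: 'example-pkg',
    package_version: '1.0.0-r0', CVSS2_SCORE: '4.3' },
  { name: 'CVE-EXAMPLE-0003', severity: 'HIGH', package_name: 'example-lib',
    package_version: '2.1.0-r1', CVSS2_SCORE: '9.3' }
].freeze

# Mirrors vulnerability_severity_counts: e.g. {:high=>2, :medium=>1}.
def severity_counts(findings)
  findings.each_with_object(Hash.new(0)) do |finding, counts|
    counts[finding[:severity].downcase.to_sym] += 1
  end
end

# Mirrors cve_ids: the distinct CVE identifiers of all findings.
def cve_ids(findings)
  findings.map { |finding| finding[:name] }.uniq
end

# Mirrors highest_vulnerability_severity: the largest CVSS v2 score.
# Returns nil when there are no findings (assumption: no scan, no findings).
def highest_vulnerability_severity(findings)
  findings.map { |finding| finding[:CVSS2_SCORE].to_f }.max
end

# Applies the policy from the examples above and returns failure messages.
# The scan must be COMPLETE first: an unfinished scan yields no findings, so the
# CVE and score checks would pass without having inspected anything.
def check_image(scan_status, findings, max_score: 8.0, banned_cves: ['CVE-2014-0160'])
  return ['image scan status is not COMPLETE'] unless scan_status == 'COMPLETE'

  failures = []
  banned_present = cve_ids(findings) & banned_cves
  failures << "banned CVEs present: #{banned_present.join(', ')}" unless banned_present.empty?

  top = highest_vulnerability_severity(findings)
  failures << "highest CVSS v2 score #{top} exceeds #{max_score}" if top && top > max_score
  failures
end

if __FILE__ == $PROGRAM_NAME
  puts severity_counts(SAMPLE_FINDINGS).inspect
  puts check_image('COMPLETE', SAMPLE_FINDINGS).inspect
end
```

In a profile, the same ordering is expressed by asserting image_scan_status.status is COMPLETE in the same control as, or in a control that runs before, the cve_ids and highest_vulnerability_severity tests.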

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
  it { should exist }
end

AWS Permissions

Your Principal will need the ecr:DescribeImages and ecr:DescribeImageScanFindings actions set to allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.

© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
https://docs.chef.io/inspec/resources/aws_ecr_image/