ecranner 0.0.2
ECRanner
This is that scan the vulnerability of Docker images stored in ECR.
Table of contents
Feature
Get Started
Install Prerequirements
Install ECRanner
Write ecranner.yml
Execute
Configuration Parameter
Command options
Feature
Pull Docker Image From ECR
Support multi account
Vulnerability Scan
Trivy detects software (OS package and application library) vulnerabilities in Docker Image
Slack Integration
Push vulnerability information to Slack. Slack UI is as following:
Get Started
Install Prerequirements
Trivy
Git (Used with Trivy)
Install ECRanner
pip install ecranner
Write ecranner.yml
A ecranner.yml looks like this:
aws:
stg:
account_id: xxxxxxxxx
region: us-east-1
aws_access_key_id: xxxxxxxxx
aws_secret_access_key: xxxxxxxxx
images:
- image:latest
- image:1.0-dev
prod:
account_id: xxxxxxxxx
region: us-east-1
aws_access_key_id: xxxxxxxxx
aws_secret_access_key: xxxxxxxxx
images:
- image:1.4
- image:5.3
trivy:
path: ~/user/.local/bin/trivy
options: --severity CRITICAL -q
Execute
ecranner
You execute the above and then output the scan result to the console as follows:
[ { 'Target': 'image_name:latest'
'(alpine 3.10.1)',
'Vulnerabilities': [ { 'Description': 'aa_read_header in '
'libavformat/aadec.c in FFmpeg '
'before 3.2.14 and 4.x before 4.1.4 '
'does not check for sscanf failure '
'and consequently allows use of '
'uninitialized variables.',
'FixedVersion': '4.1.4-r0',
'InstalledVersion': '4.1.3-r1',
'PkgName': 'ffmpeg',
'References': [ 'https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.1.4',
'https://github.com/FFmpeg/FFmpeg/commit/ed188f6dcdf0935c939ed813cf8745d50742014b',
'https://github.com/FFmpeg/FFmpeg/compare/a97ea53...ba11e40',
'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12730',
'http://www.securityfocus.com/bid/109317',
'https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9b4004c054964a49c7ba44583f4cee22486dd8f2'],
'Severity': 'HIGH',
'Title': '',
'VulnerabilityID': 'CVE-2019-12730'}
Configuration Parameter
Specify to use parameter in ecranner.yml.
v1.0
Command options
option
required
default
description
-f, --file
false
./ecranner.yml
Filepath to configuration in YAML.Specify this option if you change configuration filename.
--env-file
false
./.env
Specify .env file path.Automatically load .env file if this file is found in current directory.
--slack
false
N/A
Send the scan result to Slack.If you use this option, set incoming webhooks url as system environment variable like this:export SLACK_WEBHOOK=https://xxxxxxxxxx
--rm
false
N/A
Remove images after scan with Trivy.
-q, --quiet
false
N/A
Suppress logging message.
--no-cache
false
N/A
Implement in the future, so you can not use this optionDisable to store cache.This command does not use cache, but Trivy command use cache.
-h, --help
false
N/A
Show command option usage.
For personal and professional use. You cannot resell or redistribute these repositories in their original state.
There are no reviews.