StackZone Feature: ECR Scanner
Introduced in Version 4.15.0 of StackZone
Ryan Ware
Last Update 2 years ago
Amazon Elastic Container Registry (ECR)
A new feature of StackZone v4.15.0 is the ECR Scanner. Amazon ECR (Amazon Elastic Container Registry) is a managed container image registry: you push your images to ECR repositories, and services such as Amazon Elastic Container Service (ECS) pull them from there to run as containers.
Push container images to Amazon ECR without installing or scaling infrastructure, and pull images using any management tool.
Architectural Overview
StackZone ECR Scanner
StackZone ECR Scanner scans your images and notifies you if a scan exceeds your chosen number of Critical, High, Medium, Low, Informational and/or Undefined vulnerabilities. With your StackZone deployment, you can set these threshold numbers as high or as low as you want, for example:
- Critical Threshold: 1
- High Threshold: 1
- Medium Threshold: 25
- Low Threshold: 50
- Informational Threshold: 100
- Undefined Threshold: 0
With these settings, if a scanned ECR image has 1 or more Critical or High vulnerabilities, StackZone will notify you and trigger the alarm created for that severity level.
Similarly, a scan needs to find 25 or more Medium vulnerabilities, 50 or more Low vulnerabilities, or 100 or more Informational vulnerabilities to trigger their respective alarms.
Setting the Undefined Threshold to 0, however, means no alarm or notification is created for that severity level at all.
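The threshold logic described above, as an added example (not StackZone's own code). It assumes the scanner reads the per-severity counts in the shape ECR returns in findingSeverityCounts (severities with no findings are simply absent) and that a severity with no findings publishes no datapoint, which is why its alarm shows insufficient data rather than "OK"; the sample counts are constructed.

```python
from typing import Dict, List

SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]

# Thresholds from the article's example. A threshold of 0 means
# "do not create an alarm for this severity level".
THRESHOLDS: Dict[str, int] = {
    "CRITICAL": 1, "HIGH": 1, "MEDIUM": 25,
    "LOW": 50, "INFORMATIONAL": 100, "UNDEFINED": 0,
}


def evaluate_scan(severity_counts: Dict[str, int],
                  thresholds: Dict[str, int]) -> Dict[str, str]:
    """Map each severity to an alarm state: ALARM, OK, INSUFFICIENT_DATA or DISABLED."""
    states = {}
    for sev in SEVERITIES:
        threshold = thresholds.get(sev, 0)
        count = severity_counts.get(sev, 0)  # absent key == no findings at this level
        if threshold == 0:
            states[sev] = "DISABLED"          # no alarm exists for this level
        elif count == 0:
            # Assumption: nothing is published for a zero count, so the alarm has
            # no datapoint. Treating missing data as insufficient (not OK) keeps the
            # alarm from being cleared prematurely.
            states[sev] = "INSUFFICIENT_DATA"
        elif count >= threshold:
            states[sev] = "ALARM"             # threshold breached -> notify via SNS
        else:
            states[sev] = "OK"
    return states


def breached(states: Dict[str, str]) -> List[str]:
    """Severities whose alarm should fire, in severity order."""
    return [sev for sev in SEVERITIES if states.get(sev) == "ALARM"]


# Constructed sample in the shape of ECR's findingSeverityCounts: no Critical or
# High findings (keys absent), a handful of Medium/Low/Informational findings.
SAMPLE_COUNTS = {"MEDIUM": 12, "LOW": 40, "INFORMATIONAL": 3}

if __name__ == "__main__":
    for sev, state in evaluate_scan(SAMPLE_COUNTS, THRESHOLDS).items():
        print(f"{sev:13s} {state}")
```

Run against the sample, Medium, Low and Informational evaluate to OK, Critical and High to INSUFFICIENT_DATA, and Undefined to DISABLED, matching the alarm states the article describes.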
To start this process, you will need to navigate to the AWS Console and head to the Amazon ECR Dashboard.
Choose your repository and image you want to scan. Once you are here, select the "Scan" button to scan your desired image.
Scan Started!
Your Amazon ECR Image scan is underway!
At this point, your StackZone ECR Scanner will begin scanning your selected image within Amazon ECR and create a log group which logs all the findings line by line, much like the example screenshot below. You are able to see information such as the CVE Number found and the severity of the vulnerability which has been discovered.
ECR Scanner Alarms
Should the number of vulnerabilities found at any given severity level breach your chosen threshold for that level, the corresponding alarm is triggered. As you can see from the screenshot below, the number of Low, Medium and Informational vulnerabilities found does not breach the given thresholds, so those alarms stay in the "OK" state.
The High and Critical alarms also show "OK", but because the scan found 0 at those levels they have no data to count at this time. The alarms treat missing data as insufficient rather than as "OK": treating it as "OK" would clear the alarm prematurely if a future scan does trigger it.
When these Alarms are triggered, we send a notification to the SNS Topic "StackZone-All-Notifications" which means if you are subscribed to this SNS Topic, you will be notified when this Alarm triggers.
Troubleshooting
When I Press the "Scan" button in ECR, I get an Error:
Amazon ECR Basic Scanning has a restriction that each container image may only be scanned once per 24 Hours.
If you are seeing this error appear when attempting to start a scan from the ECR Dashboard, please wait for the 24 Hour cooldown to pass before retrying.
I do not see any output from my ECR Scanner:
The ECR Scanner is a Lambda Function. You can check whether this Function is having issues by navigating to it in your AWS account and checking the following:
- Check the Function is built in the same region as the ECR images you are attempting to scan
- Check the Lambda Function still has the appropriate execution role - it should be named "StackZone-ECRScannerRole-$(region)"
- Check whether the Function has been invoked in the Monitor tab of the Lambda Function
  - If it hasn't, the EventBridge trigger needs to be investigated.
  - If it has, head over to the CloudWatch Logs created by the ECR Scanner Lambda Function to drill down further and investigate.