
The AWS CDK Construct library to allow you to scan a container image during CDK deployment layer with Dockle.


go-to-k/image-scanner-with-dockle


image-scanner-with-dockle

What is this?

This is an AWS CDK Construct that allows you to scan container images with Dockle in the CDK deployment layer.

If Dockle detects vulnerabilities, the construct can prevent the image from being pushed to the application's ECR repository.

Since it takes an ECR imageUri as an argument, it can also be used simply to scan an existing image in the repository.

For more information, please see this blog.

Dockle

Dockle is a container image linter for security that helps build best-practice Docker images and is easy to start.

Usage

  • Install

```bash
npm install image-scanner-with-dockle
```

  • CDK Code

```ts
import { resolve } from 'path';
import { RemovalPolicy } from 'aws-cdk-lib';
import { Repository } from 'aws-cdk-lib/aws-ecr';
import { DockerImageAsset } from 'aws-cdk-lib/aws-ecr-assets';
import { ECRDeployment, DockerImageName } from 'cdk-ecr-deployment';
import { ImageScannerWithDockle } from 'image-scanner-with-dockle';

// Target repository for the application image.
const repository = new Repository(this, 'ImageRepository', {
  removalPolicy: RemovalPolicy.DESTROY,
  autoDeleteImages: true,
});

// Build the image from the local Dockerfile and push it to the CDK asset repository.
const image = new DockerImageAsset(this, 'DockerImage', {
  directory: resolve(__dirname, './'),
});

const imageScanner = new ImageScannerWithDockle(this, 'ImageScannerWithDockle', {
  imageUri: image.imageUri,
  repository: image.repository, // lets the construct grantPull to its custom resource Lambda
  ignore: ['CIS-DI-0009'], // checkpoints to skip; see https://github.com/goodwithtech/dockle#checkpoint-summary
});

// Because of this addDependency, if ImageScannerWithDockle detects vulnerabilities,
// the ECRDeployment below is not executed and the deployment fails.
const ecrDeployment = new ECRDeployment(this, 'DeployImage', {
  src: new DockerImageName(image.imageUri),
  dest: new DockerImageName(`${repository.repositoryUri}:latest`),
});
ecrDeployment.node.addDependency(imageScanner);
```
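The construct's own custom resource logic is not shown on this page. As an added example (not the project's code), the block below shows the kind of gate a deployment-time scanner applies over Dockle's JSON report, using the README's `ignore: ['CIS-DI-0009']`. Field names follow `dockle -f json` output; the fail policy (every non-PASS finding blocks unless its checkpoint code is ignored, tunable via `failLevel`) and the sample report are assumptions.

```typescript
// Added example, not the construct's own code. Field names follow `dockle -f json`;
// the fail policy (findings at or above failLevel block unless ignored) is assumed.
type DockleLevel = 'FATAL' | 'WARN' | 'INFO' | 'PASS';
interface DockleDetail { code: string; title: string; level: DockleLevel; alerts: string[] }
interface DockleReport { summary: Record<string, number>; details: DockleDetail[] }
export interface GateResult { pass: boolean; blocking: string[]; ignored: string[] }
const RANK: Record<DockleLevel, number> = { PASS: 0, INFO: 1, WARN: 2, FATAL: 3 };

// Reject anything that does not look like Dockle output, so an empty or crashed
// scan is never mistaken for a clean image.
export function parseDockleReport(json: string): DockleReport {
  const data = JSON.parse(json);
  if (!data || !Array.isArray(data.details)) {
    throw new Error('not a Dockle JSON report: missing "details"');
  }
  for (const d of data.details) {
    if (typeof d.code !== 'string' || !(d.level in RANK)) {
      throw new Error(`malformed Dockle finding: ${JSON.stringify(d)}`);
    }
  }
  return data as DockleReport;
}

// Codes in `ignore` never block; any other finding at or above failLevel does.
export function evaluateDockleReport(
  report: DockleReport, ignore: string[], failLevel: DockleLevel = 'INFO',
): GateResult {
  const ignoreSet = new Set(ignore);
  const blocking: string[] = [];
  const ignored: string[] = [];
  for (const d of report.details) {
    if (ignoreSet.has(d.code)) { ignored.push(d.code); continue; }
    if (d.level !== 'PASS' && RANK[d.level] >= RANK[failLevel]) blocking.push(d.code);
  }
  return { pass: blocking.length === 0, blocking, ignored };
}

// Constructed sample report: titles are real Dockle checkpoints, levels and alerts are illustrative.
export const SAMPLE_REPORT_JSON = JSON.stringify({
  summary: { fatal: 1, warn: 1, info: 1, pass: 12 },
  details: [
    { code: 'CIS-DI-0010', title: 'Do not store credential in environment variables',
      level: 'FATAL', alerts: ['Suspicious ENV key found : DB_PASSWORD'] },
    { code: 'CIS-DI-0001', title: 'Create a user for the container',
      level: 'WARN', alerts: ['Last user should not be root'] },
    { code: 'CIS-DI-0009', title: 'Use COPY instead of ADD in Dockerfile',
      level: 'INFO', alerts: ['Use COPY : /bin/sh -c #(nop) ADD file:... in /'] },
  ],
});
```

With the README's ignore list only CIS-DI-0009 is suppressed, so the sample image still fails the gate on CIS-DI-0010 and CIS-DI-0001; raising `failLevel` to `'FATAL'` lets the WARN finding through but still blocks the credential finding.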

API Reference

API Reference is here.