Working with AWS Inspector ECR Findings - How do you do it?


I've enabled AWS Inspector and Security hub across my organization with all scanning modes. Ideally, I'd like to use either the official Jira Service Management integration or the aws-samples version for Jira software (https://github.com/aws-samples/aws-securityhub-jira-software-integration) as a way of integrating these findings into something that lets me manage them.

The problem is, when I look at the findings for ECR I can see there are a lot of duplications and would therefore create a lot of noise and duplicate tickets. This is because the same vulnerability is detected across every image in the repo (there are hundreds in each repo). Which is then magnified again when the same base image is used across multiple repos (there are about 50 repos). Really, I only care if a vulnerability is detected in the most recent image.

I tried creating a suppression rule but Inspector's suppression rules are way too basic. Say I want to suppress any image that does not have the "latest" tag. This means any image that has both the "latest" tag and another tag of any name is then suppressed. So either I have to create a separate repo specifically for inspector scans or I make sure the tag I want to scan has a different digest somehow.

I guess all of this is to compensate for a Jira integration that doesn't handle the aggregation. So my question really is, how do you consume and act on Inspector findings?

1 Answer

Hello,

When you activate Amazon Inspector scans for Amazon ECR, you set Amazon Inspector as your preferred scanning service for your private registry. This replaces the default Basic scanning, which is provided at no charge by Amazon ECR, with Enhanced scanning, which is provided and billed through Amazon Inspector [1].

Enhanced scanning gives you a choice between continuous scanning or on-push scanning at the repository level. Continuous scanning includes on-push scans and automated rescans. On-push scanning scans only when you initially push an image. For both options, you can refine the scanning scope through inclusion filters.

Also, automated rescans are triggered for container images based on whether you use the continuous or on-push option in your Enhanced scanning settings.

Configuring enhanced scanning for Amazon ECR repositories:

  1. Open the Amazon ECR console 

  2. Select the Region that contains the repositories that you want to scan. 

  3. In the navigation pane, choose Private registry, then choose Scanning. 

  4. In the Scanning configuration section, choose Edit. 

  5. Under Scan type, choose Enhanced scanning.

    By default, the Continuously scan all repositories option is selected, which turns on complete Amazon Inspector scan coverage for all repositories. Deselect that option and select Scan on push all repositories to run scans only on the initial push of an image.

  6. (Optional) Specify which repositories to include in continuous or on-push scans by entering the repository names in the input box and selecting Add filter.

  7. Choose Save.

  8. (Recommended) Repeat these steps in each AWS Region for which you want to activate Amazon Inspector scans for Amazon ECR repositories.

Now, to act upon Inspector findings, kindly find the link below [2], which mentions all the bulletins for security or privacy events pertaining to the Amazon Linux AMI.

Thank you,

References:

 [1] https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html
 [2] https://alas.aws.amazon.com/

AWS
answered a year ago
  • Thanks for this info. The direction I was going in with my question was more relating to business process than the technicalities of how to remediate individual findings. I.e. Inspector has detected hundreds (or thousands) of findings... So now how do we work out within the business what findings are effective duplicates and which findings matter. Of course, this is entirely dependent on everyone's individual circumstances but I was interested to hear some examples.
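The business-process question above (which of hundreds of ECR findings are effective duplicates, and which matter) can be handled before anything reaches Jira by collapsing findings to the newest image in each repository and then grouping by vulnerability id. The script below is an added example for this thread, not code from the asker, the answerer, AWS or the aws-samples integration. It assumes the field shape of the Inspector2 `ListFindings` response (`packageVulnerabilityDetails.vulnerabilityId`, `resources[].details.awsEcrContainerImage.{repositoryName,imageHash,pushedAt}`); the sample findings and their `CVE-0000-000x` ids are constructed placeholders, and `fetch_ecr_findings` is the only part that needs AWS credentials.

```python
"""Reduce Amazon Inspector ECR findings to one item per (repository, vulnerability)
on the newest image, then group by vulnerability for one ticket candidate per CVE.

Added example for this thread; not code from the asker, the answerer or AWS.
Field names follow the Inspector2 ListFindings response shape; all sample data
below is constructed, including the placeholder vulnerability ids.
"""
from collections import defaultdict
from datetime import datetime, timezone


def _image(finding):
    """Return the awsEcrContainerImage details of a finding's first resource."""
    return finding["resources"][0]["details"]["awsEcrContainerImage"]


def newest_image_per_repo(findings):
    """Map repositoryName -> imageHash of the most recently pushed image seen in findings.

    Caveat: an image with zero findings never appears here, so if the newest image
    is clean an older image would be mistaken for newest. When possible, pass a
    mapping built from `aws ecr describe-images` into dedupe_findings instead.
    """
    newest = {}
    for f in findings:
        img = _image(f)
        repo, pushed = img["repositoryName"], img["pushedAt"]
        if repo not in newest or pushed > newest[repo][0]:
            newest[repo] = (pushed, img["imageHash"])
    return {repo: digest for repo, (_, digest) in newest.items()}


def dedupe_findings(findings, newest_by_repo=None):
    """Keep only findings on each repo's newest image, one per (repo, vulnerabilityId)."""
    newest_by_repo = newest_by_repo or newest_image_per_repo(findings)
    seen, kept = set(), []
    for f in findings:
        img = _image(f)
        repo = img["repositoryName"]
        if newest_by_repo.get(repo) != img["imageHash"]:
            continue  # older image: duplicate of the newest image's finding, or already fixed
        key = (repo, f["packageVulnerabilityDetails"]["vulnerabilityId"])
        if key in seen:
            continue  # same CVE reported twice for one image (e.g. two affected packages)
        seen.add(key)
        kept.append(f)
    return kept


def aggregate_by_vulnerability(findings):
    """Group deduplicated findings by vulnerabilityId: one ticket candidate per CVE."""
    groups = defaultdict(lambda: {"severity": None, "repositories": set(), "findingArns": []})
    for f in findings:
        vid = f["packageVulnerabilityDetails"]["vulnerabilityId"]
        g = groups[vid]
        g["severity"] = g["severity"] or f["severity"]
        g["repositories"].add(_image(f)["repositoryName"])
        g["findingArns"].append(f["findingArn"])
    return {vid: {**g, "repositories": sorted(g["repositories"])} for vid, g in sorted(groups.items())}


def fetch_ecr_findings(region):
    """Pull live ACTIVE ECR findings via the Inspector2 ListFindings paginator (needs credentials)."""
    import boto3  # imported lazily so the rest of the script runs without boto3 installed
    paginator = boto3.client("inspector2", region_name=region).get_paginator("list_findings")
    criteria = {
        "resourceType": [{"comparison": "EQUALS", "value": "AWS_ECR_CONTAINER_IMAGE"}],
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
    }
    return [f for page in paginator.paginate(filterCriteria=criteria) for f in page["findings"]]


def _sample(arn, vuln, severity, repo, digest, tags, pushed):
    """Build one constructed finding in the ListFindings shape."""
    return {
        "findingArn": arn,
        "severity": severity,
        "packageVulnerabilityDetails": {"vulnerabilityId": vuln},
        "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "details": {"awsEcrContainerImage": {
            "repositoryName": repo, "imageHash": digest, "imageTags": tags, "pushedAt": pushed}}}],
    }


# Constructed sample: repo "api" has an old image (1.0) and a new one (1.1/latest); "worker" has one image.
_T = timezone.utc
SAMPLE_FINDINGS = [
    _sample("arn:f1", "CVE-0000-0001", "HIGH", "api", "sha256:aaa", ["1.0"], datetime(2024, 1, 1, tzinfo=_T)),
    _sample("arn:f2", "CVE-0000-0001", "HIGH", "api", "sha256:bbb", ["1.1", "latest"], datetime(2024, 2, 1, tzinfo=_T)),
    _sample("arn:f3", "CVE-0000-0001", "HIGH", "worker", "sha256:ccc", ["latest"], datetime(2024, 1, 15, tzinfo=_T)),
    _sample("arn:f4", "CVE-0000-0002", "MEDIUM", "api", "sha256:aaa", ["1.0"], datetime(2024, 1, 1, tzinfo=_T)),  # gone in 1.1
]

if __name__ == "__main__":
    for vid, g in aggregate_by_vulnerability(dedupe_findings(SAMPLE_FINDINGS)).items():
        print(vid, g["severity"], "repos:", ", ".join(g["repositories"]), "from", len(g["findingArns"]), "findings")
```

On the sample, four findings collapse to a single ticket candidate (`CVE-0000-0001`, affecting `api` and `worker`), and the finding that only exists on the superseded 1.0 image drops out entirely. Deciding "newest" from finding data alone is the weak spot, which is why `dedupe_findings` accepts an externally built repo-to-digest map; the Jira integration can then be fed the aggregated view rather than raw findings.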
