I would look at the Inspector CI/CD integration which you can incorporate into your build process.
The Amazon Inspector CI/CD integration utilizes the Amazon Inspector SBOM Generator and Amazon Inspector Scan API to produce vulnerability reports for container images. The Amazon Inspector SBOM Generator creates a software bill of materials (SBOM) for archives, container images, directories, local systems, and compiled Go and Rust binaries. The Amazon Inspector Scan API scans the SBOM to create a report with details about detected vulnerabilities. You can integrate Amazon Inspector container image scans with your CI/CD pipeline to scan for software vulnerabilities and produce vulnerability reports, which allow you to investigate and remediate risks before deployment.
The following is an overview of how an Amazon Inspector CI/CD integration works through plugins:
- You configure an AWS account to allow access to the Amazon Inspector Scan API. For instructions, see Setting up an AWS account to use the Amazon Inspector CI/CD integration.
- You install the Amazon Inspector plugin from the marketplace.
- You install and configure the Amazon Inspector SBOM Generator binary. For instructions, see Amazon Inspector SBOM Generator.
- You add Amazon Inspector Scans as a build step in your CI/CD pipeline and configure the scan.
- When you run a build, the plugin takes your container image as input and then runs the Amazon Inspector SBOM Generator on the image to generate a CycloneDX compatible SBOM.
- From there, the plugin sends the generated SBOM to an Amazon Inspector Scan API endpoint which assesses each SBOM component for vulnerabilities.
- The Amazon Inspector Scan API response is transformed into a vulnerability report in CSV, SBOM JSON, and HTML formats. The report contains details about any vulnerabilities that Amazon Inspector found.
Information source: https://docs.aws.amazon.com/inspector/latest/user/scanning-cicd.html
Hello.
This is unrelated to the update you mentioned, but there is an action in CodePipeline called InspectorScan.
Using this, you can scan ECR images with Amazon Inspector in your CI/CD pipeline.
https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-InspectorScan.html
I don't have an answer but I do have a suggestion.
This is a cool feature, however, I don't feel this should be part of a pipeline. For example, it will provide information on last used, which ECS/EKS cluster is using it, but this information will become available after the image has been used for a while, not at the time of building / deploying it.
I feel, instead of making it part of the pipeline, you can consider enabling enhanced scanning by default through your ECR console. That way, you will get all the vulnerability and usage information across the account. From experience, I have seen security vulnerabilities being set to "continue_on_failure" and being overlooked.
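The pipeline flow in the first answer ends with a vulnerability report, and the last answer warns about findings being waved through with "continue_on_failure". The following added example (not AWS code and not from any poster here) is a severity gate a build step could run over that report. It assumes the CycloneDX 1.5 JSON shape (a top-level "vulnerabilities" list with "ratings" carrying a "severity"); the sample report is constructed, with placeholder vulnerability ids.

```python
"""Severity gate for an Amazon Inspector CI/CD scan report (added example).

Assumes the report is CycloneDX 1.5 JSON: a top-level "vulnerabilities" list
whose entries carry "ratings" with a "severity" field. The sample below is
constructed, not real scanner output; the ids are placeholders.
"""
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1,
                 "info": 0, "none": 0, "unknown": 0}

# Constructed sample in the CycloneDX 1.5 vulnerability shape (assumption).
SAMPLE_REPORT = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-1", "ratings": [{"severity": "critical"}],
     "affects": [{"ref": "pkg:apk/alpine/openssl@3.0.0"}]},
    {"id": "EXAMPLE-VULN-2", "ratings": [{"severity": "medium"}, {"severity": "high"}],
     "affects": [{"ref": "pkg:apk/alpine/zlib@1.2.11"}]},
    {"id": "EXAMPLE-VULN-3", "ratings": [],
     "affects": [{"ref": "pkg:apk/alpine/busybox@1.36"}]}
  ]}""")

def worst_severity(vuln):
    """Highest severity across all ratings; 'unknown' when none is given."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(sevs, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")

def summarize(report):
    """Count vulnerabilities by their worst severity."""
    counts = {}
    for v in report.get("vulnerabilities", []):
        s = worst_severity(v)
        counts[s] = counts.get(s, 0) + 1
    return counts

def gate(report, fail_on="high"):
    """Return (passed, offending_ids). Fails when any finding is at or above
    fail_on, so the build step cannot silently continue on failure."""
    floor = SEVERITY_RANK[fail_on]
    offending = [v.get("id", "?") for v in report.get("vulnerabilities", [])
                 if SEVERITY_RANK.get(worst_severity(v), 0) >= floor]
    return (len(offending) == 0, offending)

if __name__ == "__main__":
    # In a pipeline, load the plugin's SBOM JSON report instead of the sample.
    print(summarize(SAMPLE_REPORT))
    ok, bad = gate(SAMPLE_REPORT, fail_on="high")
    raise SystemExit(0 if ok else f"build blocked by findings: {bad}")
```

A non-zero exit from this step fails the pipeline stage, which is the behaviour a "continue_on_failure" setting would otherwise mask.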