Scan image using AWS ECR
Build, push, and scan a Docker image for security vulnerabilities using AWS ECR.
```yaml
env:
  ROLE_ARN: arn:aws:iam::$AWS_ACCOUNT_ID:role/my-role
  IMAGE_NAME: $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/my-repo

steps:
  - label: ":ecr: Push image"
    key: "push"
    command: |
      docker build --platform=linux/amd64 -t $IMAGE_NAME:$BUILDKITE_BUILD_NUMBER .
      docker push $IMAGE_NAME:$BUILDKITE_BUILD_NUMBER
    plugins:
      # Exchange the job's Buildkite OIDC token for short-lived credentials for ROLE_ARN.
      # The plugin option is spelled role-arn (hyphen) in both steps.
      - aws-assume-role-with-web-identity#v1.0.0:
          role-arn: $ROLE_ARN
      # Log Docker in to the ECR registry using those credentials.
      - ecr#v2.8.0:
          login: true

  - label: ":ecr: Scan image"
    depends_on: "push"
    plugins:
      - aws-assume-role-with-web-identity#v1.0.0:
          role-arn: $ROLE_ARN
      # Wait for the ECR scan of the pushed tag and report its findings on the build.
      - cultureamp/ecr-scan-results#v1.5.0:
          image-name: $IMAGE_NAME:$BUILDKITE_BUILD_NUMBER
```
- Use cases
- Security, Continuous integration
- Platforms
- AWS
- Tools
- Docker
This template gives you a continuous integration (CI) pipeline that builds a Docker image, pushes it to AWS ECR, and reads back the results of ECR's image security scan.
At a glance:
- For Docker images
- Requires the AWS CLI
- Uses the AWS Assume Role with Web Identity plugin to exchange the job's Buildkite OIDC token for short-lived AWS credentials, so no long-lived access keys need to be stored in the pipeline
- Uses the ECR Scan Results plugin to fetch the ECR scan findings for the pushed image and report them on the build; scanning itself must be enabled for the repository (scan on push) or at the registry level
How it works
This template:
- Builds a Docker image tagged with the build number.
- Assumes an AWS IAM role using the AWS Assume Role with Web Identity plugin.
- Logs in to ECR and pushes the tagged Docker image to the ECR repository.
- Audits the pushed image for security vulnerabilities using AWS ECR image scanning and reports the findings on the build.
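The scan step above delegates fetching the findings and deciding whether the build passes to the ECR Scan Results plugin. The following is an added example, not code from this template or from the plugin, showing what that gate amounts to: read a `describe-image-scan-findings` response, fail closed when the scan is not COMPLETE, apply an allowlist of accepted finding IDs, and compare CRITICAL/HIGH counts against thresholds. The sample response is constructed in the basic-scanning shape, and its finding names (EXAMPLE-000x) and package names are placeholders, not real CVEs; `fetch_scan` assumes AWS credentials with `ecr:DescribeImageScanFindings` and `ecr:StartImageScan` and is not exercised offline.

```python
"""Gate a build on AWS ECR image-scan findings (added example, not the plugin's code)."""
import json
from typing import Iterable

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED")

# Constructed sample in the shape of `aws ecr describe-image-scan-findings` (basic scanning).
# Finding names and packages are placeholders, not real vulnerability identifiers.
SAMPLE_SCAN = json.loads("""
{
  "repositoryName": "my-repo",
  "imageId": {"imageTag": "123"},
  "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
  "imageScanFindings": {
    "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 1},
    "findings": [
      {"name": "EXAMPLE-0001", "severity": "CRITICAL",
       "attributes": [{"key": "package_name", "value": "libfoo"}, {"key": "package_version", "value": "1.0-1"}]},
      {"name": "EXAMPLE-0002", "severity": "HIGH",
       "attributes": [{"key": "package_name", "value": "libbar"}, {"key": "package_version", "value": "2.3-4"}]},
      {"name": "EXAMPLE-0003", "severity": "MEDIUM",
       "attributes": [{"key": "package_name", "value": "libbaz"}, {"key": "package_version", "value": "0.9"}]}
    ]
  }
}
""")


def _package(finding: dict) -> str:
    """Render 'name version' from a finding's attribute list."""
    attrs = {a.get("key"): a.get("value") for a in finding.get("attributes", [])}
    return f"{attrs.get('package_name', '?')} {attrs.get('package_version', '')}".strip()


def evaluate_scan(scan: dict, max_critical: int = 0, max_high: int = 0,
                  ignore: Iterable[str] = ()) -> dict:
    """Return {'passed': bool, 'counts': {...}, 'reasons': [...]} for one scan response.

    Counts are recomputed from the findings list (not findingSeverityCounts) so the
    allowlist is honoured. A scan that is not COMPLETE fails closed: IN_PROGRESS or
    FAILED must never be read as "no findings".
    """
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return {"passed": False, "counts": {}, "reasons": [f"scan status is {status!r}, not COMPLETE"]}
    ignored = set(ignore)
    counts = {s: 0 for s in SEVERITIES}
    details = []
    for f in scan.get("imageScanFindings", {}).get("findings", []):
        if f.get("name") in ignored:
            continue
        sev = f.get("severity", "UNDEFINED")
        counts[sev] = counts.get(sev, 0) + 1
        if sev in ("CRITICAL", "HIGH"):
            details.append(f"{sev} {f.get('name')} in {_package(f)}")
    reasons = []
    if counts["CRITICAL"] > max_critical:
        reasons.append(f"{counts['CRITICAL']} CRITICAL finding(s) > allowed {max_critical}")
    if counts["HIGH"] > max_high:
        reasons.append(f"{counts['HIGH']} HIGH finding(s) > allowed {max_high}")
    if reasons:
        reasons.extend(details)
    return {"passed": not reasons, "counts": counts, "reasons": reasons}


def fetch_scan(repository: str, tag: str, region: str) -> dict:
    """Fetch the complete scan for one tag via boto3, starting a scan if none exists.

    Assumes AWS credentials are available (e.g. from the assume-role step); follows
    nextToken so large finding lists are not truncated. Not run offline.
    """
    import boto3  # imported here so the offline part of this file needs no AWS dependency
    ecr = boto3.client("ecr", region_name=region)
    image = {"imageTag": tag}
    try:
        ecr.describe_image_scan_findings(repositoryName=repository, imageId=image)
    except ecr.exceptions.ScanNotFoundException:
        ecr.start_image_scan(repositoryName=repository, imageId=image)
    ecr.get_waiter("image_scan_complete").wait(repositoryName=repository, imageId=image)
    findings, token = [], None
    while True:
        kwargs = {"repositoryName": repository, "imageId": image}
        if token:
            kwargs["nextToken"] = token
        resp = ecr.describe_image_scan_findings(**kwargs)
        findings.extend(resp.get("imageScanFindings", {}).get("findings", []))
        token = resp.get("nextToken")
        if not token:
            resp.setdefault("imageScanFindings", {})["findings"] = findings
            return resp


if __name__ == "__main__":
    import sys
    result = evaluate_scan(SAMPLE_SCAN, ignore=["EXAMPLE-0001"])
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

In a pipeline the non-zero exit is what fails the step; with the constructed sample and the default thresholds, the single HIGH finding is enough to fail even after EXAMPLE-0001 is allowlisted. Enhanced scanning (Inspector) returns findings under `enhancedFindings` with a different shape, so the parsing would need adjusting there.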
Next steps
After you select Use template, you'll:
- Connect the Git repository with your project.
- Replace the placeholder ROLE_ARN in the pipeline definition with an AWS IAM role that has the appropriate ECR policies (pushing images and reading scan findings), and point IMAGE_NAME at your own ECR repository.
- Configure the compute: run locally, on-premises, or in the cloud.
- Run the pipeline.
You can then play around with the pipeline settings. For example, run the pipeline locally while you iterate on the definition or set a schedule to trigger a nightly build.
If you need help, please check our documentation, raise an issue, or reach out to support.