Badges: CircleCI, codecov, Go Report Card, GPLv3 License

ecrgate

ecrgate simplifies building, pushing and scanning Docker images in AWS ECR. It can build a Docker image (or pull an existing one), create the ECR repository, push the image, and check the image's ECR scan results against per-severity thresholds.

The main use is in CI pipelines: the image is built and pushed, and the pipeline step fails if the ECR scan reports more findings at any severity than the threshold configured for that severity, so a vulnerable image is not promoted.

Installation

Linux:

wget https://github.com/jdamata/ecrgate/releases/latest/download/ecrgate-linux-amd64
chmod u+x ecrgate-linux-amd64
mv ecrgate-linux-amd64 ~/bin/ecrgate

Mac:

wget https://github.com/jdamata/ecrgate/releases/latest/download/ecrgate-darwin-amd64
chmod u+x ecrgate-darwin-amd64
mv ecrgate-darwin-amd64 ~/bin/ecrgate

Both URLs point at the latest release rather than a pinned version. For a CI gate, download a specific release tag instead (GitHub's /releases/download/<tag>/ URL form) so that a new ecrgate release cannot silently change what the pipeline enforces, and make sure ~/bin is on PATH.

Flags

--repo is the only required flag. Two flags change what the gate actually enforces: --disable_scan skips the scan-result check entirely, so the image is built and pushed with no threshold applied, and without --clean an image that fails the threshold is left in the repository, where it is still pullable. Pass --clean if a failing image should not remain in ECR.

$ go run main.go --help
Build, push and gate docker image promotion to ECR

Usage:
  ecrgate [flags]

Flags:
  -a, --accounts strings    List of AWS account ids to allow pulling images from
  -c, --clean               Delete image from ECR if scan fails threshold
      --critical int        Acceptable threshold for CRITICAL level results
  -d, --dockerfile string   Path to Dockerfile (default "./Dockerfile")
  -h, --help                help for ecrgate
  -i, --image               Existing docker image to pull down instead of building a new one
      --high int            Acceptable threshold for HIGH level results (default 3)
      --info int            Acceptable threshold for INFORMATIONAL level results (default 25)
      --low int             Acceptable threshold for LOW level results (default 10)
      --medium int          Acceptable threshold for MEDIUM level results (default 5)
  -r, --repo string         ECR repo to create and push image to
  -t, --tag string          Docker tag to build (default "latest")
  -s, --disable_scan        Skip checking AWS ECR scan results
      --version             version for ecrgate

Examples

# Use ecrgate defaults and local dir for Dockerfile
ecrgate --repo joel-test

# Specify path to Dockerfile, docker tag and delete image on failed scan
ecrgate --repo joel-test --dockerfile example/ --tag $(git describe --abbrev=0 --tags) --clean

# Specify threshold levels
ecrgate --repo joel-test --dockerfile example/ --tag $(git rev-parse --short HEAD) --clean \
  --info 10 --low 5 --medium 3 --high 2 --critical 1

# Use a remote image instead of building a local one
ecrgate --repo ingress-nginx --image quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
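The core of the gate is a comparison of ECR's per-severity finding counts against the thresholds above, plus tolerance for the window right after a push when ECR has not yet indexed the image or finished the scan (the "failed to get scan results" issue further down shows that window surfacing as ImageNotFoundException). The following Go program is an added example written for this page, not ecrgate's own code: it assumes that a count strictly greater than its threshold fails (equal passes), uses the --help defaults with an unset --critical meaning 0, and replaces the real DescribeImageScanFindings call with a constructed fetcher so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"time"
)

// Severity keys as ECR reports them in findingSeverityCounts, most severe first.
var severities = []string{"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"}

// Thresholds holds the maximum acceptable finding count per severity,
// mirroring ecrgate's --critical/--high/--medium/--low/--info flags.
type Thresholds map[string]int

// DefaultThresholds reproduces the defaults shown in the --help output;
// --critical shows no default, which for an int flag means 0.
func DefaultThresholds() Thresholds {
	return Thresholds{"CRITICAL": 0, "HIGH": 3, "MEDIUM": 5, "LOW": 10, "INFORMATIONAL": 25}
}

// Evaluate compares scan counts against thresholds and returns one message per
// severity that exceeds its limit (assumed semantics: strictly greater fails,
// equal passes). An empty result means the image passes the gate.
func Evaluate(counts map[string]int, t Thresholds) []string {
	var failures []string
	for _, sev := range severities {
		if n := counts[sev]; n > t[sev] { // a severity absent from counts is 0
			failures = append(failures, fmt.Sprintf("%s: %d findings > threshold %d", sev, n, t[sev]))
		}
	}
	return failures
}

// ErrScanNotReady is a sentinel for the transient states seen right after a
// push: ImageNotFoundException before ECR has indexed the image,
// ScanNotFoundException before the scan starts, or scanStatus IN_PROGRESS.
var ErrScanNotReady = errors.New("scan results not ready")

// WaitForScan polls fetch until it returns findings or attempts run out. Only
// ErrScanNotReady is retried; a permanent error (access denied, bad repo name)
// is returned immediately so the pipeline fails fast instead of hanging.
func WaitForScan(fetch func() (map[string]int, error), attempts int, delay time.Duration) (map[string]int, error) {
	var lastErr error
	for i := 0; i < attempts; i++ {
		counts, err := fetch()
		if err == nil {
			return counts, nil
		}
		if !errors.Is(err, ErrScanNotReady) {
			return nil, err
		}
		lastErr = err
		time.Sleep(delay)
	}
	return nil, fmt.Errorf("gave up after %d attempts: %w", attempts, lastErr)
}

// fakeFetcher stands in for DescribeImageScanFindings (hypothetical stub):
// the first notReady calls fail transiently, then the constructed counts are returned.
func fakeFetcher(notReady int, counts map[string]int) func() (map[string]int, error) {
	calls := 0
	return func() (map[string]int, error) {
		calls++
		if calls <= notReady {
			return nil, ErrScanNotReady
		}
		return counts, nil
	}
}

func main() {
	// Constructed sample findings for one image; not real scan output.
	sample := map[string]int{"CRITICAL": 1, "HIGH": 2, "LOW": 11}

	counts, err := WaitForScan(fakeFetcher(2, sample), 5, 100*time.Millisecond)
	if err != nil {
		fmt.Println("failed to get scan results:", err)
		os.Exit(1)
	}
	failures := Evaluate(counts, DefaultThresholds())
	if len(failures) == 0 {
		fmt.Println("image passes gate")
		return
	}
	for _, f := range failures {
		fmt.Println("gate failed:", f)
	}
	// The non-zero exit is what fails the CI step; with --clean the image would be deleted here.
	os.Exit(1)
}
```

With the sample above the gate fails on CRITICAL (1 > 0) and LOW (11 > 10) while HIGH at 2 passes; the retry loop absorbs the two transient "not ready" responses but would return an access-denied error on the first attempt.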

Requirements

  • Docker
  • AWS credentials

Sample IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1585513157885",
      "Action": [
        "ecr:BatchDeleteImage",
        "ecr:CreateRepository",
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:PutImageScanningConfiguration",
        "ecr:PutImageTagMutability"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

The actions above cover creating and configuring the repository, reading scan findings and deleting a failed image, but not the push itself: docker push to ECR also needs ecr:BatchCheckLayerAvailability, ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUpload and ecr:PutImage, and --accounts sets a repository policy, which needs ecr:SetRepositoryPolicy. Resource "*" also grants all of this on every repository in the account; only ecr:GetAuthorizationToken has to be "*", the rest can be scoped to the repository ARN.
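A tighter policy for a CI role, as an added example rather than one from the project: it keeps ecr:GetAuthorizationToken on "*" (that action has no resource scope), puts every other action on a single repository ARN, and adds the actions ECR requires for docker push and for setting a repository policy. The account id 123456789012, region us-east-1 and repository name joel-test are placeholders, and the list reflects ECR's documented requirements rather than a published list of the exact calls ecrgate makes.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrAuthToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "EcrgateSingleRepo",
      "Effect": "Allow",
      "Action": [
        "ecr:CreateRepository",
        "ecr:DescribeRepositories",
        "ecr:PutImageScanningConfiguration",
        "ecr:PutImageTagMutability",
        "ecr:SetRepositoryPolicy",
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:DescribeImageScanFindings",
        "ecr:BatchDeleteImage"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/joel-test"
    }
  ]
}
```

Drop ecr:SetRepositoryPolicy if the pipeline never passes --accounts, and ecr:BatchDeleteImage if it never passes --clean; each removed action is one less thing a compromised CI job can do with the role.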

Contributors

jdamata, pcc-damatj


Issues

failed to get scan results

We need to add some retry mechanism or safety check here. This appears to be a race condition.

time="2020-10-13T17:12:24Z" level=fatal msg="Failed to get scan results - ImageNotFoundException: The image with imageId {imageDigest:'null', imageTag:'cc5f0a3450f28e7566ad94dc63ec4578e4de9f03'} does not exist within the repository with name 'redacted' in the registry with id 'redacted'"

--accounts fails with invalid ecr policy

time="2020-10-27T20:37:32Z" level=error msg="Failed to add ECR policy - InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'"
