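def test_ecr_scan(image, ecr_client):
    """
    Run the ECR image scan on the image under test and fail if HIGH/CRITICAL findings exist.

    Flow:
    1. Start the scan.
    2. Poll the scan status once per second for up to ``scan_timeout_seconds`` (600 s, i.e.
       10 minutes). The scan is expected to finish within a few minutes; the rest is buffer,
       since no measurement has been done of how long a scan of a DLC image actually takes.
       2.1. COMPLETE: stop polling.
       2.2. IN_PROGRESS, or no status reported yet (None): keep polling.
       2.3. FAILED, or any status this test does not recognise: raise RuntimeError.
    3. If the scan is not COMPLETE when the deadline passes: raise TimeoutError.
    4. Assert that the HIGH and CRITICAL counts in the findings summary are both zero.
       Lower severities (MEDIUM and below) do not fail the test.

    :param image: str Image URI for image to be tested
    :param ecr_client: boto3 Client for ECR
    :raises RuntimeError: the scan reported FAILED (or a status this test does not recognise)
    :raises TimeoutError: the scan did not reach COMPLETE within the polling window
    :raises AssertionError: the completed scan reported HIGH or CRITICAL findings
    """
    # 600 s (10 min): a generous buffer over the expected few-minute scan. The docstring above
    # must stay in sync with this value (an older docstring said 5 minutes while the code waited 10).
    scan_timeout_seconds = 600
    poll_interval_seconds = 1
    # Statuses that mean "keep waiting"; None covers DescribeImages not yet reporting a status.
    pending_statuses = (None, "IN_PROGRESS")

    scan_status = None
    start_time = time()
    ecr_utils.start_ecr_image_scan(ecr_client, image)
    while (time() - start_time) <= scan_timeout_seconds:
        scan_status, scan_status_description = ecr_utils.get_ecr_image_scan_status(ecr_client, image)
        if scan_status == "COMPLETE":
            break
        if scan_status not in pending_statuses:
            # FAILED, or a status this test does not know how to interpret: stop waiting now.
            raise RuntimeError(scan_status_description)
        sleep(poll_interval_seconds)
    if scan_status != "COMPLETE":
        # scan_status may still be None here if no status was ever reported.
        raise TimeoutError(f"ECR Scan is still in {scan_status} state. Exiting.")

    severity_counts = ecr_utils.get_ecr_image_scan_severity_count(ecr_client, image)
    # Only HIGH and CRITICAL block the image; a missing key means zero findings at that severity.
    assert not (
        severity_counts.get("HIGH", 0) or severity_counts.get("CRITICAL", 0)
    ), f"Found vulnerabilities in image {image}: {str(severity_counts)}"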
def run_scan(ecr_client, image):
    """
    Kick off an ECR image scan and block until it reports COMPLETE.

    The scan status is polled once per second for up to 600 seconds. A status of None
    (no status published yet) or IN_PROGRESS keeps the loop going; anything other than
    those two or COMPLETE is treated as a failure.

    :param ecr_client: boto3 Client for ECR
    :param image: str Image URI to scan
    :raises ECRScanFailureException: the scan reported FAILED or a status this helper does not recognise
    :raises TimeoutError: the scan did not reach COMPLETE within 600 seconds
    """
    deadline = time() + 600
    ecr_utils.start_ecr_image_scan(ecr_client, image)
    scan_status = None
    while time() <= deadline:
        scan_status, scan_status_description = ecr_utils.get_ecr_image_scan_status(ecr_client, image)
        if scan_status == "COMPLETE":
            break
        if scan_status not in (None, "IN_PROGRESS"):
            # FAILED, or an unknown status: surface the ECR description to the caller.
            raise ECRScanFailureException(
                f"ECR Scan failed for {image} with description: {scan_status_description}"
            )
        sleep(1)
    if scan_status != "COMPLETE":
        # scan_status may still be None here if no status was ever reported.
        raise TimeoutError(f"ECR Scan is still in {scan_status} state. Exiting.")
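def test_ecr_scan(image, ecr_client, sts_client, region):
    """
    Run the ECR image scan on the image under test and fail on findings at or above HIGH.

    Flow:
    1. Compare the account in the image URI with the caller's account (via STS). If they
       differ, re-upload the image into the test account's ECR and scan that copy instead.
       From then on ``image`` refers to the copy, so failure messages name the copy's URI,
       not the original one.
    2. Start the scan.
    3. Poll the scan status once per second for up to ``scan_timeout_seconds`` (600 s, i.e.
       10 minutes). The scan is expected to finish within a few minutes; the rest is buffer,
       since no measurement has been done of how long a scan of a DLC image actually takes.
       3.1. COMPLETE: stop polling.
       3.2. IN_PROGRESS, or no status reported yet (None): keep polling.
       3.3. FAILED, or any status this test does not recognise: raise RuntimeError.
    4. If the scan is not COMPLETE when the deadline passes: raise TimeoutError.
    5. Fetch the per-severity finding counts and the findings at or above the threshold, and
       assert that every count at a severity >= ``minimum_sev_threshold`` is zero.

    :param image: str Image URI for image to be tested
    :param ecr_client: boto3 Client for ECR
    :param sts_client: boto3 Client for STS
    :param region: str Name of region where test is executed
    :raises RuntimeError: the scan reported FAILED (or a status this test does not recognise)
    :raises TimeoutError: the scan did not reach COMPLETE within the polling window
    :raises AssertionError: findings at or above the severity threshold were reported
    """
    test_account_id = sts_client.get_caller_identity().get("Account")
    image_account_id = get_account_id_from_image_uri(image)
    if image_account_id != test_account_id:
        # Scan a copy in our own registry; the helper returns the URI of that copy.
        image = _reupload_image_to_test_ecr(image, ecr_client, region, test_account_id)

    # Findings below this severity (MEDIUM and lower) do not fail the test.
    minimum_sev_threshold = "HIGH"
    # 600 s (10 min): a generous buffer over the expected few-minute scan. The docstring above
    # must stay in sync with this value (an older docstring said 5 minutes while the code waited 10).
    scan_timeout_seconds = 600
    poll_interval_seconds = 1
    # Statuses that mean "keep waiting"; None covers DescribeImages not yet reporting a status.
    pending_statuses = (None, "IN_PROGRESS")

    scan_status = None
    start_time = time()
    ecr_utils.start_ecr_image_scan(ecr_client, image)
    while (time() - start_time) <= scan_timeout_seconds:
        scan_status, scan_status_description = ecr_utils.get_ecr_image_scan_status(ecr_client, image)
        if scan_status == "COMPLETE":
            break
        if scan_status not in pending_statuses:
            # FAILED, or a status this test does not know how to interpret: stop waiting now.
            raise RuntimeError(scan_status_description)
        sleep(poll_interval_seconds)
    if scan_status != "COMPLETE":
        # scan_status may still be None here if no status was ever reported.
        raise TimeoutError(f"ECR Scan is still in {scan_status} state. Exiting.")

    severity_counts = ecr_utils.get_ecr_image_scan_severity_count(ecr_client, image)
    scan_results = ecr_utils.get_ecr_image_scan_results(
        ecr_client, image, minimum_vulnerability=minimum_sev_threshold
    )
    # NOTE(review): CVESeverity[sev] raises KeyError if ECR reports a severity name the enum
    # lacks (e.g. UNDEFINED or INFORMATIONAL); confirm the enum covers every value ECR can return.
    threshold_rank = CVESeverity[minimum_sev_threshold]
    blocking_counts = {
        sev: count for sev, count in severity_counts.items() if CVESeverity[sev] >= threshold_rank
    }
    assert all(count == 0 for count in blocking_counts.values()), (
        f"Found vulnerabilities in image {image}: {str(severity_counts)}\n"
        f"Vulnerabilities: {json.dumps(scan_results, indent=4)}"
    )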