
@michelangelo17/cdk-ecr-enhanced-scanning

v1.3.0

Published

This project provides a CDK (Cloud Development Kit) construct library for enabling Enhanced Scanning on Amazon ECR (Elastic Container Registry) repositories.

Downloads

70

Readme

CDK ECR Enhanced Scanning

Overview

The EnhancedScanning construct allows you to easily enable and configure Enhanced Scanning for your ECR repositories using AWS CDK. This feature leverages Amazon Inspector to provide vulnerability scanning for container images.

Installation

To install this construct library, run the following command in your project directory:

npm install @michelangelo17/cdk-ecr-enhanced-scanning

Usage

Here's an example of how to use the EnhancedScanning construct in your CDK stack:

import { Stack, StackProps } from "aws-cdk-lib"
import { Construct } from "constructs"
import { Repository } from "aws-cdk-lib/aws-ecr"
import { EnhancedScanning } from "@michelangelo17/cdk-ecr-enhanced-scanning"
export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props)
    // Create an ECR repository
    const repository = new Repository(this, "MyRepository")
    // Enable Enhanced Scanning for the repository
    const enhancedScanning = new EnhancedScanning(this, "EnhancedScanning", {
      repository: repository,
    })
    // Optionally, add CDK Nag suppressions
    enhancedScanning.addNagSuppressions(this)
  }
}

Configuration Options

The EnhancedScanning construct accepts the following property:

  • repository: The ECR repository to enable enhanced scanning for (required).

Scanning Rules

The construct can also be given a rules configuration alongside the repository. The example below sets the scan frequency to SCAN_ON_PUSH and limits it to repositories matching a wildcard filter:

new EnhancedScanning(this, "EnhancedScanning", {
  repository: repository,
  rules: [
    {
      scanFrequency: "SCAN_ON_PUSH",
      repositoryFilters: [
        {
          filter: "prod-*",
          filterType: "WILDCARD",
        },
      ],
    },
  ],
})

CDK Nag Suppressions

The construct includes a method to add CDK Nag suppressions for the warnings that are raised. To use it, call the addNagSuppressions method on your EnhancedScanning instance, passing the current stack as an argument:

enhancedScanning.addNagSuppressions(this)

This will suppress the following warnings related to IAM permissions required for the Lambda function and custom resource provider:

  1. AwsSolutions-IAM4: This warning is raised because the Lambda function uses the AWS managed policy AWSLambdaBasicExecutionRole. While it's generally recommended to create custom IAM policies, this managed policy is required for basic Lambda execution and logging.
  2. AwsSolutions-IAM5: This warning occurs due to the use of wildcard permissions in the IAM policy. The Lambda function requires these permissions to interact with ECR and Inspector services. While more restrictive policies are generally preferred, the nature of this construct requires these permissions to function correctly.

These warnings are suppressed for both the main Lambda function (EnableScanLambda) and the custom resource provider's Lambda function (EnableScanCustomResource/framework-onEvent).

The specific permissions added to the Lambda function are:

// Excerpt from the construct's constructor; PolicyStatement and Effect come from
import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam"

// Add IAM permissions to the Lambda function. The condition only takes effect on
// requests that carry the iam:AWSServiceName key (the service-linked role creation).
this.enableScanLambda.addToRolePolicy(
  new PolicyStatement({
    actions: [
      "inspector2:Enable",
      "inspector2:ListAccountPermissions",
      "iam:CreateServiceLinkedRole",
    ],
    resources: ["*"],
    effect: Effect.ALLOW,
    conditions: {
      StringEqualsIfExists: {
        "iam:AWSServiceName": "inspector2.amazonaws.com",
      },
    },
  })
)

// Add a scoped-down policy for PutRegistryScanningConfiguration,
// limited to the repository passed in via props
this.enableScanLambda.addToRolePolicy(
  new PolicyStatement({
    actions: ["ecr:PutRegistryScanningConfiguration"],
    resources: [props.repository.repositoryArn],
    effect: Effect.ALLOW,
  })
)

These permissions are necessary for the Lambda function to:

  • Configure ECR scanning settings
  • Enable Amazon Inspector
  • Create the necessary service-linked role for Inspector

Users should be aware of these permissions and ensure they align with their security requirements. If more restrictive permissions are needed, users may need to modify the construct or implement additional security controls in their environment.
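To make the review the previous paragraph asks for concrete, here is an added TypeScript check (not part of the construct or its README) that models the two statements above as they appear in a synthesized template and reports which wildcard-resource actions are actually narrowed by the attached condition. The repository ARN is a constructed placeholder, and the "does the condition apply to this action" rule is a simplifying heuristic assumed for the example.

```typescript
// Shape of an IAM statement as it appears in a synthesized CloudFormation template.
interface IamStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
}

interface WildcardFinding {
  action: string;
  conditionKeys: string[];      // "Operator:key" pairs attached to the statement
  effectivelyScoped: boolean;   // does any condition really constrain this action?
}

// The construct's two statements, hand-transcribed (constructed sample, not synthesized output).
const ENHANCED_SCANNING_STATEMENTS: IamStatement[] = [
  {
    Effect: "Allow",
    Action: ["inspector2:Enable", "inspector2:ListAccountPermissions", "iam:CreateServiceLinkedRole"],
    Resource: "*",
    Condition: { StringEqualsIfExists: { "iam:AWSServiceName": "inspector2.amazonaws.com" } },
  },
  {
    Effect: "Allow",
    Action: ["ecr:PutRegistryScanningConfiguration"],
    Resource: "arn:aws:ecr:us-east-1:111122223333:repository/MyRepository", // placeholder ARN
  },
];

// Report every Allow action granted on Resource "*" (what AwsSolutions-IAM5 flags). Heuristic:
// a plain operator applies to every request, but an "...IfExists" operator only applies when
// the key is present, and a service-specific key such as iam:AWSServiceName is only set on
// that service's own API calls (global aws:* keys are treated as always present).
function findWildcardActions(statements: IamStatement[]): WildcardFinding[] {
  const findings: WildcardFinding[] = [];
  for (const s of statements) {
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    if (s.Effect !== "Allow" || !resources.includes("*")) continue;
    for (const action of s.Action) {
      const service = action.split(":")[0];
      const conditionKeys: string[] = [];
      let effectivelyScoped = false;
      for (const [operator, keys] of Object.entries(s.Condition ?? {})) {
        for (const key of Object.keys(keys)) {
          conditionKeys.push(`${operator}:${key}`);
          const keyService = key.split(":")[0];
          if (!operator.endsWith("IfExists") || keyService === "aws" || keyService === service) {
            effectivelyScoped = true;
          }
        }
      }
      findings.push({ action, conditionKeys, effectivelyScoped });
    }
  }
  return findings;
}
```

Running it shows the condition narrows only iam:CreateServiceLinkedRole; the two inspector2 actions remain unconstrained wildcard grants, which is exactly why the IAM5 suppression is needed and what a reviewer should weigh against their own policy.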

License

This project is licensed under the MIT License. See the LICENSE file for more details.