
[ECR] [request]: Support for Distroless Image via Basic Vulnerability Scan in ECR- claircore #2228

Open
rgoltz opened this issue Dec 5, 2023 · 0 comments
Labels
Proposed Community submitted issue

Comments

@rgoltz

rgoltz commented Dec 5, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
If you are currently scanning a Distroless image with Basic Scan in ECR, you just get no results via Console/API once the scan has finished (Note: 'Fixing it' on the AWS side by returning an UnsupportedImageError would not help!). Hence, we would like to get support for Distroless images in the AWS ECR Basic Scanner!

Which service(s) is this request for?
ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
AWS ECR Basic Scanning does not support Distroless images for detection of vulnerabilities. AWS ECR Basic Scanning uses Clair. Furthermore, the AWS Basic Scanner doesn't use the current upstream release (from claircore). Clair added support via quay/claircore#181 (in 2020) and quay/claircore#1018 (in 2023) - maybe this helps to enable/re-implement scanning in the "ECR-Clair codebase". Sure, there are still ongoing discussions via quay/claircore#969.

Are you currently working around this issue?
We are using Ubuntu images, which are per se more vulnerable! We would like to switch to Distroless, as recommended by the Envoy team (envoyproxy/envoy#31015 (comment)).

Additional context
Here is the real-life background: We rely heavily on Envoy Proxy within our AWS ECS cluster setup (yes, we don't use the new, fancy AWS App Mesh - we are using patterns like: https://aws.amazon.com/de/blogs/compute/setting-up-an-envoy-front-proxy-on-amazon-ecs/). Envoy recently stopped building & providing Alpine images. Having said this, now only Ubuntu-based and Distroless-based images for Envoy Proxy are available. As a first step, we tried the Ubuntu-based image: We saw a bunch of security issues, which we highlighted here: envoyproxy/envoy#31015. As a next step, we moved to the Distroless-based images of Envoy Proxy. Since we integrated ECR Basic Scanning within our pipelines (proceed with deployment based on the result of the Basic Scan), a switch to Enhanced Scanning is not an (easy) option for us yet.
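The failure mode described in this issue (a basic scan that completes but returns no findings for a Distroless image) is easy to misread as a clean result in a pipeline gate. The following is an added example, not code from the issue author or from AWS: a fail-closed gate over the response shape of `aws ecr describe-image-scan-findings` (boto3 `describe_image_scan_findings`), using constructed sample responses; it treats a COMPLETE scan with no findings at all as inconclusive rather than as a pass.

```python
"""Fail-closed deployment gate over an ECR basic-scan result.

Assumed input: the dict returned by ecr.describe_image_scan_findings(...).
The sample responses at the bottom are constructed for illustration.
"""

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def gate(scan_result: dict) -> tuple:
    """Return (decision, reason); decision is PASS, BLOCK or INCONCLUSIVE."""
    status = scan_result.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        # FAILED, UNSUPPORTED_IMAGE, IN_PROGRESS, ...: nothing to reason about.
        return "BLOCK", "scan status is %s" % status

    findings = scan_result.get("imageScanFindings", {})
    counts = findings.get("findingSeverityCounts", {})
    vulns = findings.get("findings", [])
    if not vulns and not counts:
        # This is exactly what the issue reports for Distroless images: the scan
        # completes, but nothing was inspected. Do not treat it as a clean image.
        return "INCONCLUSIVE", "scan completed with no findings; scanner may not support this image"

    hits = {sev: n for sev, n in counts.items() if sev in BLOCKING_SEVERITIES and n > 0}
    if hits:
        return "BLOCK", "blocking findings: %s" % hits
    return "PASS", "no findings at severities %s" % sorted(BLOCKING_SEVERITIES)


# Constructed sample: what the issue describes for a Distroless image.
DISTROLESS_SAMPLE = {
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {"findings": [], "findingSeverityCounts": {}},
}

# Constructed sample: a supported base image with real findings.
UBUNTU_SAMPLE = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findings": [{"name": "CVE-EXAMPLE-0001", "severity": "HIGH"}],  # placeholder id
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 4},
    },
}

# Constructed sample: scanned, only non-blocking findings.
MEDIUM_ONLY_SAMPLE = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findings": [{"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM"}],
                          "findingSeverityCounts": {"MEDIUM": 1}},
}
```

A genuinely clean image lands in the same INCONCLUSIVE bucket as an unsupported one, which is the point: basic-scan output alone cannot tell the two apart, so that outcome should go to review rather than auto-deploy.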
