AWS ECR security scanner
#!/usr/bin/env bash
# This tiny script runs an ECR security scan on the latest image/tag in each ECR repository of the given regions.
#Set REGION_LIST
# Regions are taken from the command line; when none are given, a fixed
# pair of defaults is used.
if (( $# )); then
  REGION_LIST=("$@")
else
  REGION_LIST=(eu-west-1 us-east-1)
fi
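#get a list of all repositories
#######################################
# Print the name of every ECR repository in one region, one per line.
# Arguments: $1 - AWS region
# Outputs:   repository names to stdout; usage error to stderr
# Returns:   1 on a wrong argument count, otherwise the pipeline's status
#######################################
getRepos() {
  if [ "$#" -ne 1 ]; then
    # stderr + non-zero status so a caller iterating stdout never treats
    # the words of this message as repository names
    echo "Illegal number of parameters" >&2
    return 1
  fi
  # jq -r emits the bare string, so no tr -d '"' post-processing is needed
  aws ecr describe-repositories --region="$1" \
    | jq -r '.repositories[].repositoryName'
}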
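#get the latest tag from the repository
#######################################
# Print the first tag of the most recently pushed image in a repository.
# Arguments: $1 - repository name; $2 - AWS region
# Outputs:   the tag to stdout; usage error to stderr. If the newest image
#            carries no tag, imageTags[0] is JSON null and the literal
#            string "null" is printed — callers must treat it as "no tag".
# Returns:   1 on a wrong argument count, otherwise the pipeline's status
#######################################
getTags() {
  if [ "$#" -ne 2 ]; then
    echo "Illegal number of parameters" >&2
    return 1
  fi
  # sort by push time, take the last (newest) image, then its first tag
  aws ecr describe-images --output json --repository-name="$1" --region="$2" \
    --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' \
    | jq --raw-output .
}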
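#start scan on a single tag in repo
#######################################
# Request an ECR image scan for one tag of one repository.
# Arguments: $1 - repository name; $2 - image tag; $3 - AWS region
# Outputs:   progress line and the aws response to stdout; usage error to stderr
# Returns:   1 on a wrong argument count, otherwise the exit status of
#            aws ecr start-image-scan (previously always 0, masked by the
#            trailing echo)
#######################################
imageScan() {
  if [ "$#" -ne 3 ]; then
    echo "Illegal number of parameters" >&2
    return 1
  fi
  echo "Starting scanning for: repo: $1, image: $2, region: $3"
  aws ecr start-image-scan --repository-name "$1" --image-id imageTag="$2" --region="$3"
  local rc=$?
  echo " "
  return "$rc"
}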
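#iterate the security scan over all repositories
#######################################
# Start a scan of the newest tagged image in every repository of every
# region in REGION_LIST.
# Globals:   REGION_LIST (read)
# Arguments: none
# Outputs:   imageScan output to stdout; skip notices to stderr
#######################################
startScan() {
  local region repo tag
  for region in "${REGION_LIST[@]}"; do
    # line-wise reads instead of word-splitting command substitution, so a
    # usage error from the helpers (now on stderr) can never be looped over
    while IFS= read -r repo; do
      [ -n "$repo" ] || continue
      while IFS= read -r tag; do
        [ -n "$tag" ] || continue
        # getTags prints "null" when the newest image has no tag; there is
        # no tag to scan by, so report it instead of calling the API with it
        if [ "$tag" = "null" ]; then
          echo "Skipping $repo in $region: latest image has no tag" >&2
          continue
        fi
        imageScan "$repo" "$tag" "$region"
      done < <(getTags "$repo" "$region")
    done < <(getRepos "$region")
  done
}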
# Entry point: scan the newest tag in every repository of each region in REGION_LIST
startScan