AWS ECR security scanner
#!/usr/bin/env bash
# This tiny script is used to run a security scan over the latest tags/images in each ECR repo.
#
# Usage: <script> [region ...]
# Requires the aws CLI and jq on PATH.

# REGION_LIST: the regions to walk. Positional arguments take precedence;
# without any, the two built-in defaults are used.
if (( $# > 0 )); then
  REGION_LIST=("$@")
else
  REGION_LIST=(eu-west-1 us-east-1)
fi
# Get a list of all repositories in a region
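#######################################
# List every repository name in one ECR region, one per line.
# Arguments: $1 - AWS region
# Outputs:   repository names on stdout
# Returns:   1 on a wrong argument count, otherwise the pipeline's status
#######################################
function getRepos () {
  if [ "$#" -ne 1 ]; then
    # Usage errors go to stderr and fail the call: the caller captures stdout
    # as repository names, so a message printed there would be scanned as repos.
    echo "Illegal number of parameters" >&2
    return 1
  fi
  # jq -r prints the raw strings, so no tr(1) pass is needed to strip quotes.
  aws ecr describe-repositories --region="$1" \
    | jq -r '.repositories[].repositoryName'
}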
# Get the latest tag from a repository
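#######################################
# Print the first tag of the most recently pushed image in a repository.
# Arguments: $1 - repository name; $2 - AWS region
# Outputs:   the tag on stdout; nothing when the repository is empty or its
#            newest image carries no tag
# Returns:   1 on a wrong argument count, otherwise the pipeline's status
#######################################
function getTags () {
  if [ "$#" -ne 2 ]; then
    # Usage errors go to stderr so the caller never captures them as a tag.
    echo "Illegal number of parameters" >&2
    return 1
  fi
  # The JMESPath query evaluates to null for an empty repository or an
  # untagged newest image; '// empty' drops that so the caller skips the
  # repository instead of trying to scan a tag literally named "null".
  aws ecr describe-images --output json --repository-name="$1" --region="$2" \
    --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' \
    | jq -r '. // empty'
}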
# Start a scan on a single tag in a repository
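#######################################
# Request an ECR image scan for one tag of one repository.
# Arguments: $1 - repository name; $2 - image tag; $3 - AWS region
# Outputs:   a progress line and the aws CLI response on stdout
# Returns:   1 on a wrong argument count, otherwise the aws CLI's exit status
#######################################
function imageScan () {
  if [ "$#" -ne 3 ]; then
    # Usage errors go to stderr; the call fails instead of silently returning 0.
    echo "Illegal number of parameters" >&2
    return 1
  fi
  local rv=0
  echo "Starting scanning for: repo: $1, image: $2, region: $3"
  # Every expansion is quoted so a tag or repo name is passed as one argument.
  aws ecr start-image-scan --repository-name "$1" --image-id imageTag="$2" --region="$3" || rv=$?
  echo " "
  # Propagate the aws status rather than letting the trailing echo mask it.
  return "$rv"
}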
# Iterate the security scan over all repositories in every region
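#######################################
# Walk every region in REGION_LIST, every repository in it, and request a
# scan of the newest tagged image of each.
# Globals:   REGION_LIST (read)
# Outputs:   progress from imageScan on stdout; skipped repositories on stderr
# Returns:   0
#######################################
function startScan () {
  local region repo tag
  for region in "${REGION_LIST[@]}"; do
    # Repository names arrive one per line; read(1) keeps each line intact
    # where the shell's word-splitting would not.
    while IFS= read -r repo; do
      [[ -n "$repo" ]] || continue
      tag=$(getTags "$repo" "$region")
      # jq prints "null" when the newest image has no tag (or the repo is
      # empty); there is nothing to scan in that case.
      if [[ -z "$tag" || "$tag" == "null" ]]; then
        printf 'Skipping %s in %s: no tagged image found\n' "$repo" "$region" >&2
        continue
      fi
      imageScan "$repo" "$tag" "$region"
    done < <(getRepos "$region")
  done
}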
# Entry point: positional arguments were already folded into REGION_LIST above,
# and startScan reads only that array.
startScan "$@"