Vulnerability scanning of Docker images registered in AWS ECR with FutureVuls
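#!/bin/bash
# Pull the newest tagged image of every ECR repository (minus the ignored
# ones), start each as an idle container, run the FutureVuls scanner against
# the running containers, then stop them and prune superseded local images.
#
# The settings below are defaults and can be overridden from the environment.
# BASE_URL is the registry host images are pulled from; its host name embeds
# the region, so it must agree with AWS_DEFAULT_REGION, which stays pinned.
BASE_URL="${BASE_URL:-XXXXXXXXX.dkr.ecr.ap-northeast-1.amazonaws.com}"
# Comma-separated patterns; a repository whose name matches any of them is
# skipped (see get_repolist).
IGNORE="${IGNORE:-dev-,stg-}"
# Prefix for the containers this script starts (SUFFIX-<repo>); stop_container
# later finds them by it.
SUFFIX="${SUFFIX:-image}"
# Region and output format for every aws CLI call. The jq filters further down
# parse JSON, so the output format must stay "json".
export AWS_DEFAULT_REGION="ap-northeast-1"
export AWS_DEFAULT_OUTPUT="json"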
##########
function progress() {
  # Log a message to syslog (facility "user") and echo it to stderr.
  #   $1 - syslog severity, e.g. notice or err
  #   $2 - message text
  local severity="$1"
  local text="$2"
  logger -i -s -p "user.${severity}" "${text}"
}
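function get_repolist() {
  # Print the names of all ECR repositories in the current region, sorted,
  # one per line, excluding those that match any pattern in IGNORE.
  #
  # IGNORE is a comma-separated list of extended regexes (e.g. "dev-,stg-").
  # Each pattern is matched anywhere in the name, not only at the start, so
  # "dev-" also hides "legacy-dev-api". Empty entries ("dev-,,stg-") are
  # dropped, and an empty IGNORE disables filtering entirely (an empty
  # pattern given to grep -v would otherwise match, and drop, every line).
  local -a patterns=()
  local entry pattern=""
  # Commas become spaces and default-IFS word splitting does the rest, which
  # also discards empty entries.
  read -r -a patterns <<<"${IGNORE//,/ }"
  for entry in "${patterns[@]}"; do
    pattern="${pattern}${pattern:+|}${entry}"
  done
  if [ -z "${pattern}" ]; then
    aws ecr describe-repositories \
      | jq -r ".repositories[].repositoryName" \
      | sort
  else
    # -e keeps a pattern that starts with '-' from being parsed as an option.
    aws ecr describe-repositories \
      | jq -r ".repositories[].repositoryName" \
      | sort \
      | grep -E -v -e "${pattern}"
  fi
}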
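function get_latest_tag() {
  # For every repository from get_repolist, print its most recently pushed
  # tagged image as "<pushedAt>,<repository>,<tag>[,<tag>...]". All entries
  # are echoed on one line separated by spaces, which is what the
  # word-splitting loop in start_container consumes.
  #
  # "Most recent" is decided by a plain text sort on imagePushedAt as the aws
  # CLI prints it (epoch seconds in CLI v1, ISO-8601 in v2); both order
  # correctly as text for values of equal width/offset. A repository whose
  # describe-images call fails is logged and skipped instead of vanishing
  # silently; the assignment is kept separate from the local declaration so
  # the exit status of the command substitution is visible.
  local -a taglist=()
  local repository_name details tag
  # Repository names contain no whitespace (ECR forbids it), so word splitting
  # of get_repolist's output is intended.
  # shellcheck disable=SC2046
  for repository_name in $(get_repolist); do
    details=$(aws ecr describe-images \
      --repository-name "${repository_name}" \
      --filter '{"tagStatus": "TAGGED"}')
    if [ $? -ne 0 ]; then
      progress err "fail describe-images [${repository_name}]"
      continue
    fi
    # One CSV row per image (pushedAt, repository, then every tag); the sort
    # leaves the newest row last and sed strips the CSV quoting.
    tag=$(printf '%s\n' "${details}" \
      | jq -r ".imageDetails[] | [.imagePushedAt, .repositoryName, .imageTags[] ] | @csv" \
      | sort | sed 's/"//g' | tail -1)
    # A repository without any tagged image contributes nothing.
    if [ -n "${tag}" ]; then
      taglist+=("${tag}")
    fi
  done
  echo "${taglist[@]}"
}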
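function login_ecr() {
  # Authenticate the local docker daemon against ECR.
  #
  # `aws ecr get-login --no-include-email` prints a ready-to-run command:
  #   docker login -u AWS -p <token> <registry-url>
  # Executing that string verbatim puts the (12-hour) token on the docker
  # command line, where it is visible to every local user via `ps` and in
  # `set -x` traces. Instead the token and the registry URL are picked out of
  # the string and the token is fed to `docker login --password-stdin`
  # (Docker 17.07+). Any failure exits with status 1; a bare `exit` would
  # return logger's status, i.e. 0, and the caller would look successful.
  # TODO: aws CLI v2 dropped get-login; when upgrading, switch to
  #   aws ecr get-login-password | docker login --username AWS --password-stdin <registry>
  local login_str token="" registry=""
  local -a words=()
  local i
  progress notice "login ecr"
  login_str=$(aws ecr get-login --no-include-email --region "${AWS_DEFAULT_REGION}")
  if [ $? -ne 0 ] || [ -z "${login_str}" ]; then
    progress err "fail login ECR"
    exit 1
  fi
  # The token is the word following -p; the registry URL is the last word.
  read -r -a words <<<"${login_str}"
  for ((i = 0; i < ${#words[@]} - 1; i++)); do
    if [ "${words[i]}" = "-p" ]; then
      token="${words[i + 1]}"
    fi
  done
  registry="${words[${#words[@]} - 1]}"
  if [ -z "${token}" ] || [ -z "${registry}" ]; then
    progress err "fail login ECR"
    exit 1
  fi
  if ! printf '%s\n' "${token}" \
      | docker login --username AWS --password-stdin "${registry}"; then
    progress err "fail login ECR"
    exit 1
  fi
}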
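function start_container() {
  # Log in to ECR, then for each "<pushedAt>,<repo>,<tag>[,...]" entry from
  # get_latest_tag pull BASE_URL/<repo>:<tag> and start it as a detached, idle
  # container named SUFFIX-<repo>. The image's own entrypoint is overridden
  # with `tail -f /dev/null`, so nothing from the image runs beyond its tail
  # binary; images without one (scratch/distroless) will fail to start. Only
  # the first tag of an entry is used. Any pull/run failure exits with status
  # 1 (a bare `exit` would return 0 after the logger call); containers started
  # before the failure are left running.
  local entry pushed_at repository_name image_tag extra_tags image
  login_ecr
  progress notice "docker pull & docker run"
  # Entries are whitespace-separated and contain no whitespace themselves
  # (ECR repository names and tags cannot), so word splitting is intended.
  # shellcheck disable=SC2046
  for entry in $(get_latest_tag); do
    IFS=',' read -r pushed_at repository_name image_tag extra_tags <<<"${entry}"
    image="${BASE_URL}/${repository_name}:${image_tag}"
    progress notice "docker pull [${repository_name}: ${image_tag}]"
    if ! docker pull "${image}"; then
      progress err "fail docker pull"
      exit 1
    fi
    # --rm: the container disappears once stop_container kills it.
    # NOTE(review): the container only idles, so --network none looks safe
    # here if the scanner works through docker exec — confirm with vuls-saas.sh.
    if ! docker run --detach --rm \
        --name "${SUFFIX}-${repository_name}" \
        --entrypoint="" \
        "${image}" tail -f /dev/null; then
      progress err "fail docker run"
      exit 1
    fi
  done
}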
function vuls_scan() {
  # Run the FutureVuls scanner script from the current directory (main has
  # already cd'ed to the script's own directory). A failing scan is only
  # logged; the caller still goes on to stop the containers.
  progress notice "start vuls scan"
  if ! ./vuls-saas.sh; then
    progress err "fail vuls scan"
  fi
}
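function stop_container() {
  # Kill every running container whose name starts with SUFFIX-, i.e. the
  # ones start_container created. Docker's name filter is a regex matched
  # anywhere in the name, so it is anchored (^/? because names carry a
  # leading slash internally) to avoid killing an unrelated container that
  # merely contains "SUFFIX-" somewhere in its name. With no matching
  # container there is nothing to do; calling `docker kill` with an empty
  # argument list would only raise a spurious error.
  local ids
  local -a id_list=()
  progress notice "stop container"
  ids=$(docker ps -q -f "name=^/?${SUFFIX}-")
  if [ $? -ne 0 ]; then
    progress err "fail stop container"
    return 1
  fi
  if [ -z "${ids}" ]; then
    progress notice "no ${SUFFIX}- container running"
    return 0
  fi
  mapfile -t id_list <<<"${ids}"
  if ! docker kill "${id_list[@]}"; then
    progress err "fail stop container"
    return 1
  fi
}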
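function delete_image() {
  # Prune superseded images: for every repository with more than one local
  # image, keep the first row `docker images` lists (newest first) and
  # force-remove the rest. Repository names are compared exactly on the
  # repository column, so "app" no longer also selects "app-worker" rows (or
  # any other row that merely contains the text) and removes images of the
  # wrong repository. "<none>" counts as a repository, so surplus dangling
  # images are pruned the same way.
  # Caveat: `rmi -f <id>` drops every tag of that id, so two tags of one
  # repository that share an image id are both removed.
  local listing repo
  local -a repos=() old_ids=()
  progress notice "delete old container images"
  listing=$(docker images --format '{{.Repository}} {{.ID}}')
  if [ $? -ne 0 ]; then
    progress err "fail docker images"
    return 1
  fi
  mapfile -t repos < <(printf '%s\n' "${listing}" | awk '{print $1}' | sort | uniq -d)
  for repo in "${repos[@]}"; do
    # -v keeps the name out of the awk program text (no regex or injection);
    # tail -n +2 skips the newest row.
    mapfile -t old_ids < <(printf '%s\n' "${listing}" \
      | awk -v r="${repo}" '$1 == r {print $2}' | tail -n +2)
    if [ "${#old_ids[@]}" -gt 0 ]; then
      docker rmi -f "${old_ids[@]}"
    fi
  done
}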
##### MAIN
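# Run from the script's own directory so ./vuls-saas.sh is found; abort
# instead of scanning from the wrong cwd when the cd fails.
cd "$(dirname "$0")" || { progress err "fail cd to script directory"; exit 1; }
# NOTE(review): if start_container exits part-way, the containers it already
# started stay running; a `trap stop_container EXIT` would cover that path.
start_container
vuls_scan
stop_container
delete_image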

usiusi360 commented Aug 15, 2018

config.toml

# Scanner configuration posted alongside the script; presumably what
# ./vuls-saas.sh reads — confirm.
[default]

[servers]

  # One "server" entry for the host running the script (hostname redacted).
  [servers.ip-192-168-0-XXX]
    user = "vuls-saas"
    # host "localhost" / port "local": presumably the scanner's local mode,
    # i.e. it runs on this host rather than over SSH — TODO confirm against
    # the FutureVuls docs.
    host = "localhost"
    port = "local"
    scanMode = ["fast"]
    # NOTE(review): "${running}" is not limited to the image-* containers the
    # script starts; every running container on this host is presumably
    # included in the scan — confirm, or restrict this to the script's own
    # containers if the host runs anything else.
    containersIncluded = ["${running}"]
