Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(cli): docker image asset scanning by default #4874

Merged
merged 4 commits into from
Nov 8, 2019
Merged

feat(cli): docker image asset scanning by default #4874

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8370551
feat(toolkit): configure image scanning on push
jogold Nov 6, 2019
e8d1953
Merge branch 'master' into ecr-image-scan
mergify[bot] Nov 8, 2019
f2be17c
dummy change to trigger build
jogold Nov 8, 2019
9d50971
Merge branch 'master' into ecr-image-scan
mergify[bot] Nov 8, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion packages/aws-cdk/lib/api/toolkit-info.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,14 @@ export class ToolkitInfo {
lifecyclePolicyText: JSON.stringify(DEFAULT_REPO_LIFECYCLE)
}).promise();

// Configure image scanning on push (helps in identifying software vulnerabilities, no additional charge)
await ecr.putImageScanningConfiguration({
repositoryName,
imageScanningConfiguration: {
scanOnPush: true
}
}).promise();

return {
repositoryUri: repository.repositoryUri!,
repositoryName
Expand Down Expand Up @@ -244,7 +252,7 @@ function getOutputValue(stack: aws.CloudFormation.Stack, output: string): string
return result;
}

const DEFAULT_REPO_LIFECYCLE = {
export const DEFAULT_REPO_LIFECYCLE = {
rules: [
{
rulePriority: 100,
Expand Down
73 changes: 72 additions & 1 deletion packages/aws-cdk/test/test.docker.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import cxapi = require('@aws-cdk/cx-api');
import { Test } from 'nodeunit';
import sinon = require('sinon');
import { ToolkitInfo } from '../lib';
import { DEFAULT_REPO_LIFECYCLE, ToolkitInfo } from '../lib';
import { prepareContainerAsset } from '../lib/docker';
import os = require('../lib/os');
import { MockSDK } from './util/mock-sdk';
Expand Down Expand Up @@ -102,6 +102,77 @@ export = {
test.done();
},

async 'configures lifecycle policy and image scanning'(test: Test) {
// GIVEN
let putLifecyclePolicyParams;
let putImageScanningConfigurationParams;

const sdk = new MockSDK();
sdk.stubEcr({
describeRepositories() {
return { repositories: [] };
},

createRepository() {
return {
repository: {
repositoryUri: 'uri'
}
};
},

putLifecyclePolicy(params) {
putLifecyclePolicyParams = params;
return {};
},

putImageScanningConfiguration(params) {
putImageScanningConfigurationParams = params;

// Stop the test so that we don't actually docker build
throw new Error('STOPTEST');
}
});

const toolkit = new ToolkitInfo({
sdk,
bucketName: 'BUCKET_NAME',
bucketEndpoint: 'BUCKET_ENDPOINT',
environment: { name: 'env', account: '1234', region: 'abc' }
});

// WHEN
const asset: cxapi.ContainerImageAssetMetadataEntry = {
id: 'assetId',
imageNameParameter: 'MyParameter',
packaging: 'container-image',
path: '/foo',
repositoryName: 'some-name',
sourceHash: '0123456789abcdef',
};

try {
await prepareContainerAsset('.', asset, toolkit, false);
} catch (e) {
if (!/STOPTEST/.test(e.toString())) { throw e; }
}

// THEN
test.deepEqual(putLifecyclePolicyParams, {
repositoryName: 'some-name',
lifecyclePolicyText: JSON.stringify(DEFAULT_REPO_LIFECYCLE)
});

test.deepEqual(putImageScanningConfigurationParams, {
repositoryName: 'some-name',
imageScanningConfiguration: {
scanOnPush: true
}
});

test.done();
},

async 'passes the correct target to docker build'(test: Test) {
// GIVEN
const toolkit = new ToolkitInfo({
Expand Down