image-scanner-with-dockle
TypeScript icon, indicating that this package has built-in type declarations

1.1.0 • Public • Published

image-scanner-with-dockle

What is

This is an AWS CDK Construct that allows you to scan container images with Dockle in CDK deployment layer.

If it detects vulnerabilities, it can prevent the image from being pushed to the ECR for the application.

Since it takes an imageUri for ECR as an argument, it can also be used to simply scan an existing image in the repository.

For more information, please see this blog.

Dockle

Dockle is Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start.

Usage

  • Install
npm install image-scanner-with-dockle
  • CDK Code
import { ImageScannerWithDockle } from 'image-scanner-with-dockle';

const repository = new Repository(this, 'ImageRepository', {
  removalPolicy: RemovalPolicy.DESTROY,
  autoDeleteImages: true,
});

const image = new DockerImageAsset(this, 'DockerImage', {
  directory: resolve(__dirname, './'),
});

const imageScanner = new ImageScannerWithDockle(this, 'ImageScannerWithDockle', {
  imageUri: image.imageUri,
  repository: image.repository, // for grantPull to CustomResourceLambda
  ignore: ['CIS-DI-0009'], // See https://github.com/goodwithtech/dockle#checkpoint-summary
});

// By adding addDependency, if the vulnerabilities are detected by ImageScannerWithDockle, the following ECRDeployment will not be executed, deployment will fail.
const ecrDeployment = new ECRDeployment(this, 'DeployImage', {
  src: new DockerImageName(image.imageUri),
  dest: new DockerImageName(`${repository.repositoryUri}:latest`),
});
ecrDeployment.node.addDependency(imageScanner);

API Reference

API Reference is here.

Package Sidebar

Install

npm i image-scanner-with-dockle

Weekly Downloads

143

Version

1.1.0

License

Apache-2.0

Unpacked Size

131 kB

Total Files

16

Last publish

Collaborators

  • k.goto