(@aws-cdk/aws-ecr-assets): DockerImageAsset - can't tell which images are outdated, and where they came from
See original GitHub issueDescription
I got the results back from a 3rd part security test of our AWS account. The results included this finding:
Amazon Elastic Container Registry (ECR) repositories had vulnerabilities identified by the ECR scanning service.
And it listed the affected assets. They were all CDK assets.
aws-cdk/assets:157c44972d2cfea90aa4428e8b06b6527062d992e06eef1a9f12e2ec1c6d4821"
aws-cdk/assets:e887bc7ca1693059443036ccb17ccc10f1a203a1ecf4004dc137c111d3c8e919"
aws-cdk/assets:c91fc18db0adf214fc5ca60d9edd90d546b0328f7ebb3fc47251b6aed9eb6ab6"
aws-cdk/assets:a5d71a67cf09b808b3534a73780548dc0613a8a45925098fbc3ebdbb7f46cfab"
...
So I went to ECR to take a look.
But I can’t see a way to differentiate between the 8 DockerImageAssets for different projects that all deploy to the same AWS account using CDK, and I assume it will just keep all the old stuff lying around and growing.
So clearly this isn’t the way to do things:
const dockerfile = path.join(__dirname, '../../')
const dockerImage = new ecrAssets.DockerImageAsset(this, 'frontend', {
directory: dockerfile,
exclude: ['.git', 'cdk.out', 'node_modules'],
buildArgs: {
NEXT_PUBLIC_TAG_MANAGER_URL: props.tagManagerUrl,
},
})
const image = ecs.ContainerImage.fromDockerImageAsset(dockerImage)
Perhaps DockerImageAsset needs to be more aggressive about cleaning up after itself, and also to provide information in ECR so that it’s possible to find out which CDK project it’s related to?
Use Case
Need to find the source of the security issues in the Docker containers without looking into each CDK project build history to find the hash in the CI logs.
Proposed Solution
Also tag the ECR instances with the CloudFormation ID.
Other information
No response
Acknowledge
- I may be able to implement this feature request
- This feature might incur a breaking change
Issue Analytics
- State:
- Created 2 years ago
- Reactions:2
- Comments:7 (4 by maintainers)
Top GitHub Comments
Thanks @madeline-k - I’ve put some detailed notes on how I think the overall problem could be resolved into https://github.com/aws/aws-cdk-rfcs/issues/64#issuecomment-1027740674
I’m estimating this as large effort thinking about the overall asset cleanup problem. But there may be smaller effort things we can do just for ECR.