JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 204
  • Score
    100M100P100Q96395F
  • License Apache-2.0

Scan container images with Trivy in CDK deployment

Package Exports

  • image-scanner-with-trivy
  • image-scanner-with-trivy/lib/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (image-scanner-with-trivy) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

image-scanner-with-trivy

Detail Pages

The detail blog is here.

To my surprise, this library was featured on the ecosystem page of Trivy's official documentation!

What is

This is an AWS CDK Construct that allows you to scan container images with Trivy in CDK deployment layer.

If it detects vulnerabilities, it can prevent the image from being pushed to the ECR for the application.

Since it takes an imageUri for ECR as an argument, it can also be used to simply scan an existing image in the repository.

Trivy

Trivy is a comprehensive and versatile security scanner.

Usage

  • Install
npm install image-scanner-with-trivy
  • CDK Code
import { ImageScannerWithTrivy, ScanLogsOutput } from 'image-scanner-with-trivy';

const repository = new Repository(this, 'ImageRepository', {
  removalPolicy: RemovalPolicy.DESTROY,
  autoDeleteImages: true,
});

const image = new DockerImageAsset(this, 'DockerImage', {
  directory: resolve(__dirname, './'),
});

// Add properties you want for trivy options (ignoreUnfixed, severity, scanners, trivyIgnore, etc).
const imageScanner = new ImageScannerWithTrivy(this, 'ImageScannerWithTrivy', {
  imageUri: image.imageUri,
  repository: image.repository,
  // If you output the scan logs to other than the default log group, you can specify this option.
  scanLogsOutput: ScanLogsOutput.cloudWatchLogs({ logGroup: new LogGroup(this, 'LogGroup') }),
});

// By adding `addDependency`, if the vulnerabilities are detected by `ImageScannerWithTrivy`, the following `ECRDeployment` will not be executed, deployment will fail.
const ecrDeployment = new ECRDeployment(this, 'DeployImage', {
  src: new DockerImageName(image.imageUri),
  dest: new DockerImageName(`${repository.repositoryUri}:latest`),
});
ecrDeployment.node.addDependency(imageScanner);

API Reference

API Reference is here.