Amazon ECR Integration
This integration configures Amazon Elastic Container Registry (ECR) to automatically trigger an event, and the resulting scan, every time a new container image is pushed to the registry.
Sysdig offers two operational modes for this integration: inline scanning or backend scanning.
The final goal of the integration is the same in both modes:
Images are scanned and evaluated against your Sysdig Secure image scanning policies
The image scanning report and evaluation is available in Sysdig Secure
Planning: Inline vs. Backend Scanning
Consider the following points when deciding which option to choose.
With Inline Scanning Mode:
Images are scanned directly in an AWS CodeBuild pipeline in your account; only the metadata required to perform the policy evaluation is sent to the Sysdig backend.
No need to configure any registry credentials in Sysdig Secure
No need to expose your ECR registry to the Sysdig Secure backend
Sysdig Secure does not retrieve the image contents, only the metadata required to perform the policy evaluation
Scanning is performed inside the CodeBuild project, which allocates ephemeral resources for each run
With Backend Scanning Mode:
The image reference is sent to the Sysdig backend, which then pulls the image and performs the scan.
Your ECR registry must be reachable from the Sysdig Secure backend
Registry credentials are required, but the Lambda function pushes them to Sysdig Secure automatically; no manual configuration is needed
Sysdig Secure retrieves the full image contents in order to perform the scan, so the image layers leave your AWS account
Prerequisites
An Amazon ECR registry to which the images you want to scan are pushed
A Sysdig Secure account and its API token
IAM permissions to create an EventBridge rule
For inline scanning: IAM permissions to create a CodeBuild project
For backend scanning:
IAM permissions to create a Lambda function
The ECR registry must be accessible from the Sysdig Secure backend
Deploy the Integration
Log into your AWS account and launch the following CloudFormation template.
Ensure you are deploying in the desired AWS region (the EventBridge trigger is regional), then click Next.
Configure the primary integration parameters.
Stack name: Defaults to ECRImageScanning. You can use any name you wish.
ScanningType: Defaults to Inline. Choose Backend if desired.
SysdigSecureAPIToken: You can retrieve this token from your Sysdig Secure account under Settings. It authenticates to your Sysdig Secure account, so treat it as a secret.
SysdigSecureEndpoint: The backend used to perform the policy evaluation. Defaults to the Sysdig Secure SaaS endpoint.
Click Next.
Check the configuration options and edit them if necessary.
You will be presented with the standard options for creating a new AWS CloudFormation stack: tags, permissions, stack policy, etc. In the default case, no modifications are required for the integration to work. Adjust them to your organization's policies as needed.
Finalize resource creation.
Review the parameters and check the I acknowledge... box, which acknowledges that the stack creates IAM resources.
Click Create Stack.
Confirm successful completion.
As soon as the CloudFormation stack is marked CREATE_COMPLETE, the integration is active:
Any image you push to the ECR registries in this AWS region will be automatically scanned
Image scanning results will be available in Sysdig Secure a few minutes after the push