From a4596c070131c543c214e788d8967124a9430690 Mon Sep 17 00:00:00 2001
From: Michael Krieg
Date: Wed, 20 Jan 2021 20:58:03 +0100
Subject: [PATCH] scan all ECRs for scan-on-push

---
 README.md | 1 +
 controls/99-ecr.rb | 12 ++++++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 controls/99-ecr.rb

diff --git a/README.md b/README.md
index fcfcefb..2ff1e2f 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ Batteries included:
 * all your S3 Buckets are not public and encrypted (per Region) :white_check_mark:
 * Organizations :white_check_mark:
 * all your EBS volumes should be encrypted (per region) :white_check_mark:
+ * ECR: Test that images are scanned for vulnerabilities at a push to repository
 
 ## Usage
 
diff --git a/controls/99-ecr.rb b/controls/99-ecr.rb
new file mode 100644
index 0000000..12b1717
--- /dev/null
+++ b/controls/99-ecr.rb
@@ -0,0 +1,12 @@
+title '99 ECR Scan On Push'
+
+control 'ecr-repositories-99.3' do
+ title 'ECR scan on push is activated'
+ desc 'Test that images are scanned for vulnerabilities at a push to repository'
+
+ aws_ecr_repositories.names.each do |repository_name|
+ describe aws_ecr_repository(repository_name) do
+ its('image_scanning_configuration.scan_on_push') { should eq true }
+ end
+ end
+end
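Review bot: When `aws_ecr_repositories.names` is empty, the `each` loop in `controls/99-ecr.rb` emits no `describe` block at all, so the control finishes with no test result and a region without repositories is indistinguishable from a region that was never checked; report that case explicitly with a skip. The resource only enumerates repositories in the region the profile runs against, so the commit subject's "all ECRs" holds per region, which the `desc` could say, e.g. `desc 'Test that every ECR repository in the configured region scans images for vulnerabilities on push'`. The control also declares no `impact`; I believe InSpec reports such controls at full impact, so setting it explicitly (as the sibling controls presumably do) keeps reporting consistent.
```ruby
control 'ecr-repositories-99.3' do
  # … unchanged: title, desc …

  repository_names = aws_ecr_repositories.names

  # Without this, a region with no repositories yields a control with
  # zero tests instead of an explicit result.
  if repository_names.empty?
    describe 'ECR repositories' do
      skip 'No ECR repositories found in the configured region'
    end
  end

  repository_names.each do |repository_name|
    # … unchanged: describe aws_ecr_repository(repository_name) …
  end
end
```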