Pull the information from AWS ECR

We have a requirement where we need Octopus to perform the below:

  1. Docker Images within an ECR will be scanned.
  2. Octopus needs to integrate with ECR to understand whether docker images are vulnerable.
  3. Based upon the results perform next tasks.

How can this be achieved?


Hi Rahul,

Thanks for reaching out.

ECR imposes certain limitations on how often a scan can be performed:

An image scan can only be started once per 24 hours on an individual image. This limit includes if an image was scanned on initial push.

So probably best to automate the scanning separately from the other steps to avoid running into the LimitExceededException. Within Octopus this can probably be done using a runbook and a scheduled trigger that fires e.g. every 25h. But this can be done in any way and using any tool that’s easy for you.

Once the scanning is in place, one way to achieve what you’re describing is to create a step with your preferred client library or simply using scripting, to make a DescribeImageScanFindings request to the ECR endpoint which will return detailed scan results that you can then parse to determine whether you want to continue.

Here you have a few options. If you just want to terminate the whole process, you could simply throw an error so the entire process fails. Makes it nice and visible. Alternatively, you could set an output variable to be used as a run condition for subsequent steps. Just keep in mind that a (partly) skipped deployment is still a successful deployment, where it might not be obvious that steps have been skipped.

But these are the building blocks I’d start with.

Hope that helps!
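
An added example, not part of the original reply: a Python gate that evaluates a DescribeImageScanFindings response and fails the step through its exit code, failing closed when the scan has not completed. The severity thresholds, the sample response and the names `evaluate_scan` and `MAX_ALLOWED` are assumptions made for illustration.

```python
import json
import sys

# Assumed policy: maximum tolerated findings per severity. Adjust to your own.
MAX_ALLOWED = {"CRITICAL": 0, "HIGH": 0}

# Constructed sample shaped like a DescribeImageScanFindings response (not real scan data).
SAMPLE_RESPONSE = {
    "repositoryName": "example-repo",
    "imageId": {"imageTag": "1.0.0"},
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"HIGH": 2, "MEDIUM": 5}},
}


def evaluate_scan(response, max_allowed=MAX_ALLOWED):
    """Return (ok, reason). Only a completed scan under every threshold passes."""
    status = response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        # IN_PROGRESS, FAILED or a missing status: no results to trust, so fail closed.
        return False, f"scan status is {status!r}, not COMPLETE"
    counts = response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    # A severity absent from the counts is treated as zero findings.
    over = {s: counts.get(s, 0) for s, limit in max_allowed.items()
            if counts.get(s, 0) > limit}
    if over:
        detail = ", ".join(f"{s}={n}" for s, n in sorted(over.items()))
        return False, f"findings over threshold: {detail}"
    return True, "no findings over threshold"


def main(argv):
    # Without a path argument, only demonstrate the decision on the constructed sample.
    if len(argv) < 2:
        print("demo on constructed sample:", evaluate_scan(SAMPLE_RESPONSE))
        return 0
    # With a path, read a saved response (e.g. JSON written by
    # `aws ecr describe-image-scan-findings`) and gate on it.
    with open(argv[1]) as fh:
        ok, reason = evaluate_scan(json.load(fh))
    print(reason)
    return 0 if ok else 1  # a non-zero exit code fails the step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
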
