Topics

Dropdown Icon

Topics

Dropdown Icon

Search Results

Getting started

Introduction

Tutorials

Preparing An Application
Deploying an Application
Local Development

Installation

Command Line Interface
Development Rack Dropdown Icon
Production Rack Dropdown Icon

Configuration

convox.yml
Dockerfile
Agents
Environment Variables
Health Checks
Load Balancers
Logging
Private Registries
Service Discovery
Rack-to-Rack Communication
Rack Parameters Dropdown Icon Amazon Web Services Dropdown Icon
access_log_retention_in_days
additional_build_groups_config
additional_node_groups_config
availability_zones
build_disable_convox_resolver
build_node_enabled
build_node_min_count
build_node_type
cert_duration
cidr
convox_domain_tls_cert_disable
ecr_scan_on_push_enable
efs_csi_driver_enable
fluentd_disable
gpu_tag_enable
high_availability
idle_timeout
imds_http_tokens
internal_router
internet_gateway_id
kubelet_registry_burst
kubelet_registry_pull_qps and kubelet_registry_burst
kubelet_registry_pull_qps
max_on_demand_count
min_on_demand_count
nlb_security_group
node_capacity_type
node_disk
node_type
pdb_default_min_available_percentage
pod_identity_agent_enable
private
private_subnets_ids
proxy_protocol
public_subnets_ids
schedule_rack_scale_down
schedule_rack_scale_up
ssl_ciphers
ssl_protocols
syslog
tags
user_data_url
user_data
vpc_id
Google Cloud Platform Dropdown Icon
Microsoft Azure Dropdown Icon
Digital Ocean Dropdown Icon
App Parameters Dropdown Icon
Volumes
Workload Placement

Deployment

Custom Domains
Deploying Changes
Rollbacks
Rolling Updates
Scaling
SSL

Management

CLI Rack Management
Console Rack Management
Console RBAC
Deploy Keys
Direct Kubernetes Access
One-off Commands

Reference

Command Line Interface Dropdown Icon
Primitives Dropdown Icon
Quick-Apps Dropdown Icon

Integrations

Monitoring Dropdown Icon

Help

Changes
Known Issues
Support
Troubleshooting
Upgrading
Switch to Version 2 Documentation

ecr_scan_on_push_enable

Description

The ecr_scan_on_push_enable parameter enables or disables the image scan feature for images pushed to an Amazon ECR repository. When enabled, each image pushed to the repository is automatically scanned for vulnerabilities.

This feature leverages Amazon ECR’s native scanning capability, which identifies software vulnerabilities in your container images. After the scan completes, you can retrieve the scan results through the AWS Management Console or AWS CLI.

Default Value

The default value for ecr_scan_on_push_enable is false.

Use Cases

  • Security Compliance: Automatically scan images for vulnerabilities upon pushing to the ECR repository, ensuring compliance with security policies.
  • Early Detection: Detect potential security issues in container images early in the development process.
  • Vulnerability Management: Identify and address vulnerabilities in your container images before deployment.
  • DevSecOps Integration: Incorporate security scanning into your CI/CD pipeline.

Setting Parameters

To enable automatic image scanning on push to ECR, use the following command:

$ convox rack params set ecr_scan_on_push_enable=true -r rackName
Setting parameters... OK

When installing a new rack, you can include this parameter:

$ convox rack install aws rackName ecr_scan_on_push_enable=true

To verify the parameter is set correctly:

$ convox rack params -r rackName

Additional Information

  • When ecr_scan_on_push_enable is set to true, each image push to the ECR repository will trigger an automatic scan.
  • Scan results are available through the AWS Management Console or AWS CLI.
  • To view scan results via AWS CLI: 
    $ aws ecr describe-image-scan-findings --repository-name your-repository-name --image-id imageTag=your-image-tag
  • ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project to identify vulnerabilities.
  • Scan results include details about identified vulnerabilities, including severity levels, descriptions, and CVE IDs.
  • ECR image scanning helps identify vulnerabilities but does not automatically remediate them. Review scan results and take appropriate action based on your security requirements.
  • There are no additional AWS charges for using ECR scan on push, but standard ECR usage costs apply.
  • Only images pushed after enabling this feature will be automatically scanned. Existing images can be scanned manually through the AWS console or CLI.

Version Requirements

This feature requires at least Convox rack version 3.18.7.

Find
Home Product Pricing Enterprise Blog Documentation
Follow
LinkedIn X GitHub
Chat
sales@convox.com
© Convox 2024 / A Curious Company
Privacy Policy Terms of Use