FutureVuls > English > Manual > Choices and features of scan methods > Docker Scan (ECR/GAR)

Docker Scan (ECR/GAR)

You can scan container images by specifying the container image name. Currently, it supports AWS and GCP DockerRegistry.

As of June 2022, trivy integration is recommended for vulnerability scanning of container images in terms of detection accuracy and performance, rather than ECR/GAR integration.

Target container images

Amazon ECR (AWS external integration required)
Google Cloud Artifact Registry (GCP external integration required)

Scan frequency

Container image scanning is performed around 2:00 or 18:00 am JST every morning. You can also manually scan from the server detail screen.

Amazon ECR scan

To scan ECR, you need to set up AWS authentication information in advance.
Register AWS authentication information in external integration AWS authentication settings.

If the Amazon ECR image scan setting is enhanced scan, updates to existing AWS authentication settings may be required. Refer to Policy used by FutureVuls and add inspector2:ListCoverage and inspector2:ListFindings as Action to FutureVulsAssumeRole IAM Policy.

Only vulnerabilities with a status of ACTIVE in Amazon ECR scan results are linked to FutureVuls (SUPPRESSED and CLOSED are not linked).

AWS settings

Register DockerImage in ECR.
Select the DockerImage and click Edit.
Set it to automatically execute a scan when pushed.
If you want to scan a DockerImgae that has already been pushed, select the image individually and scan it.

Registering images on FutureVuls

After completing the settings in ECR, register the container image on FutureVuls.

From the server > Add server > Container registry integration, register the container image you want to scan.

Executing scan

When the image registration is complete, the “Manual scan” button will be displayed on the server detail tab. When the scan is executed, vulnerabilities and tasks are created in the same way as with a normal server.

GCP GAR scan

To scan images registered in Google Cloud Artifact Registry, you need to set up GCP authentication credentials in advance.
Register GCP authentication credentials in Integration with external services - GCP authentication settings.

Configuration on GCP

Enable vulnerability scanning in the GAR settings.
Register the Docker image with GCP.
To scan a Docker image that has already been pushed, select the image individually and scan it.

Image registration on FutureVuls

After setting up GAR, register the container image on FutureVuls.

Add the container registry from Server > Add Server > Container Registry Link to register the container image to be scanned.

Performing the scan

When image registration is complete, the “Manual scan” button will appear in the server’s detailed tab. When the scan is performed, vulnerabilities and tasks will be created just like with a regular server.