Skip to content

Docker Scan (ECR/GAR)#

You can perform a container image scan by specifying the container's image name. This feature currently supports AWS ECR and GCP Artifact Registry.

To use Amazon ECR, you need to configure the AWS external integration. For information on supported scan targets, please refer to Supported Environments.

Additionally, to use GCP Artifact Registry, you need to configure the GCP external integration.

Scanning Amazon ECR#

To scan ECR, you must first configure your AWS credentials. Please refer to External Integration: AWS Authentication Settings to register your AWS credentials.

Required IAM Policy

If your Amazon ECR image scanning is set to Enhanced scanning and you configured AWS authentication before the March 29, 2023 release, an update is required. Refer to Policies Used by FutureVuls and add inspector2:ListCoverage and inspector2:ListFindings as Actions to the FutureVulsAssumeRole IAM Policy.

Integrated Scan Results

For Amazon ECR scan results, only vulnerabilities with a status of ACTIVE are integrated into FutureVuls (vulnerabilities with SUPPRESSED or CLOSED status are not integrated).

Configuration in AWS#

First, register your Docker image in ECR. Select the Docker Image and click Edit.

image

Configure the settings to automatically run a scan on push.

image

To scan a Docker image that has already been pushed, select the individual image and scan it.

image

(Optional) Enhanced Scanning Configuration#

For accurate and comprehensive vulnerability detection, FutureVuls recommends using Enhanced scanning with Amazon Inspector.

Scanning Configuration

Using enhanced scanning provides the following benefits compared to basic scanning:

  • Continuous scanning: Images are automatically rescanned when new vulnerabilities are discovered, even without pushing the image.
  • Up-to-date vulnerability information: Detection results are always based on the latest vulnerability database.
  • Application library detection: Detects vulnerabilities in application libraries in addition to the OS.
  • Unified management: Centrally manage EC2, Lambda, and ECR using Inspector2.
  • SBOM Export Integration: By integrating with Inspector2's SBOM Export feature, you can also visualize your software composition.

For more details on enhanced scanning, please refer to the AWS Official Documentation: Scanning images to find vulnerabilities in OS and programming language packages with Amazon ECR and other resources.

(Optional) Import Amazon Inspector SBOM#

By using the Amazon Inspector SBOM Export feature, you can comprehensively identify OS packages and application libraries within ECR images, regardless of whether vulnerabilities are present. This enables software supply chain risk management, such as EOL and license management.

For details, please refer to Import Amazon Inspector SBOM.

Registering Images in FutureVuls#

After completing the configuration in ECR, register the container image in FutureVuls.

  • From Server > Add Server > Integrate with Container Registry (ECR), a list of repositories associated with the group's credentials is displayed.
  • After selecting the repository(s) you want to register, choose whether to use the latest tag for each repository. If you choose not to use the latest tag, enter the tag name.

ECR Add Button

ECR Registration Screen

Running a Scan#

  • Once the image registration is complete, a "Manual Scan" button will appear on the server's details tab.
  • When the scan is executed, vulnerabilities and tasks are created just like for a regular server.
  • If you have configured Import Amazon Inspector SBOM, refer to this guide for the SBOM import procedure.

FutureVuls Detection Flow and Troubleshooting

Detection Flow

Vulnerability detection for ECR images is performed in the following order:

  1. Enhanced Scanning (Inspector2 Enhanced Scanning) is used preferentially (to acquire the latest vulnerability information via continuous scanning).
  2. If results cannot be obtained with Inspector2, it falls back to Basic Scanning (ECR Basic Scanning).
  3. If results cannot be obtained with either method, an error occurs.

Troubleshooting

If vulnerabilities are not detected, please check the following:

  • Repository Name: Confirm that the repository name registered in FutureVuls is correct.
  • Scan Setting Activation: Ensure that either Enhanced Scanning (Inspector2 Enhanced Scanning) or Basic Scanning (ECR Basic Scanning) is enabled.
  • IAM Permissions: Verify that the AWS credentials registered in FutureVuls have the following permissions.

    • For Basic Scanning: ecr:DescribeImageScanFindings
    • For Enhanced Scanning: inspector2:ListFindings
  • Scan Eligibility Period: Inspector2 automatically excludes images from scanning (SCAN_ELIGIBILITY_EXPIRED) after a certain period has passed since they were pushed.

    • Check with AWS CLI: aws inspector2 list-coverage --filter-criteria '{"resourceType":[{"comparison":"EQUALS","value":"AWS_ECR_CONTAINER_IMAGE"}],"ecrRepositoryName":[{"comparison":"EQUALS","value":"<repository_name>"}]}' --query 'coveredResources[*].{status:scanStatus.statusCode,reason:scanStatus.reason}'

Scanning GCP GAR#

To scan an image registered in GCP Artifact Registry, you must first configure your GCP credentials. Please refer to External Integration: GCP Authentication Settings to register your GCP credentials.

Guidance on Migrating from Container Registry

With the end of support for GCP's Container Registry, FutureVuls has discontinued support for Container Registry images. We recommend migrating to Artifact Registry. For details, please refer to the official announcement from Google Cloud.

Configuration in GCP#

In the Artifact Registry settings, enable vulnerability scanning.

Enable Scanning

Create a repository with the Docker format.

Register Repository

Register the image you want to scan in the created repository. Setup is complete once Container Analysis detects vulnerabilities, as shown below (the initial detection may take some time).

Register Image

Registering Images in FutureVuls#

After completing the configuration in Artifact Registry, register the container image in FutureVuls. To begin this operation, you must first complete the GCP Integration Setup in the group settings.

  • Select Server > Add Server > Integrate with Container Registry

    Select Container Registry Integration

  • Select the image(s) you want to register

    • If you check "Use Latest Tag," the image with the most recent update time will be scanned.
    • If you uncheck "Use Latest Tag" and specify a tag, the image with the specified tag name will always be scanned.

    Select Container Registry Integration

Running a Scan#

Once the image registration is complete, a "Manual Scan" button will appear on the server's details tab. When the scan is executed, vulnerabilities and tasks are created just like for a regular server.