Security Scan

Microtica has built-in support for scanning container images for vulnerabilities; the scan runs inside your pipelines.

Each image scan produces a scan report that automatically appears in the list of pipelines.

Pipeline security scan reports

Each finding is associated with one of the five severity categories: CRITICAL, HIGH, MEDIUM, LOW and INFORMATIONAL.

To analyze the exact findings in detail, download the report for a specific pipeline step execution to your local machine from the Artifacts panel.

Download report artifact

Currently, Microtica supports scanning only images hosted on Amazon ECR. Integration with Snyk, which will enable scanning for other image repositories, is in progress.

#Scan ECR images using Docker Push step

The easiest way to enable image scanning is to use the built-in Docker Push pipeline step, which scans images by default.

Microtica automatically provides the AWS credentials for the specified registry in the step's runtime environment; no extra configuration is required.

In the following example the step will build, push and then scan the image for vulnerabilities.

microtica.yaml

steps:
  # ...
  PushDockerImage:
    type: docker-push
    image_name: microtica/my-app
    tag: v0.1.0
    registry: ecr
    scan: true

After the step has executed, the report automatically appears in the portal with the number of findings per severity.

#Manual ECR image scan using generic step

If you use custom logic to build and push Docker images, you can still scan them and get the same visibility of security vulnerabilities in the Microtica Portal as with the built-in Docker Push step.

To prepare the step for execution you need to define a few variables in the pipeline:

  • aws_access_key_id – AWS access key of the account where the image is hosted
  • aws_secret_access_key – AWS secret access key of the account where the image is hosted
  • aws_region – region where the image is hosted
  • image_name – name of the ECR repository (e.g. microtica/my-app)
  • tag – the image tag

Treat the two credential values as secrets. The IAM principal behind them needs only ecr:StartImageScan and ecr:DescribeImageScanFindings on the repository (the wait command below polls DescribeImageScanFindings); do not reuse push credentials for the scan step.

microtica.yaml

steps:
  # ...
  ScanImage:
    image: "aws/codebuild/standard:4.0"
    commands:
      # Configure AWS credentials for the account that hosts the image
      - aws configure set aws_access_key_id ${aws_access_key_id}
      - aws configure set aws_secret_access_key ${aws_secret_access_key}
      - aws configure set default.region ${aws_region}
      # Create an empty report file so the artifact exists even if the scan fails
      - touch scan_report.json
      # Start the image scan. ECR basic scanning allows one scan per image per
      # 24 hours, so `|| true` keeps the step going when the image was scanned
      # recently; the existing findings are fetched below instead.
      - aws ecr start-image-scan --repository-name ${image_name} --image-id imageTag=${tag} || true
      # Wait for the scan to finish (do not fail the step if the wait times out)
      - aws ecr wait image-scan-complete --repository-name ${image_name} --image-id imageTag=${tag} || true
      # Fetch the findings, add the region to the document and store it in scan_report.json
      - aws ecr describe-image-scan-findings --repository-name ${image_name} --image-id imageTag=${tag} | jq --arg aws_region "$aws_region" '.region=$aws_region' > scan_report.json
    artifacts:
      reports:
        ecr_container_scan: scan_report.json

Note that the report is stored in the scan_report.json file and then exposed as an artifact named ecr_container_scan (a reserved artifact name) that points at the report file; Microtica picks the report up under that name and shows it in the portal.
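The generic step above only reports; it does not stop a pipeline that pushed an image full of critical CVEs. The following is an added example, not code from the Microtica docs or product: a small Python gate that reads the scan_report.json written by the step, prints the per-severity totals, and exits non-zero when findings at or above a chosen severity exist. It assumes that a non-zero exit of a command fails a generic Microtica step (an assumption about Microtica, not something the page states), that the report has the layout printed by `aws ecr describe-image-scan-findings`, and it uses constructed sample reports with placeholder finding names rather than real scan output.

```python
"""Severity gate for an ECR scan report (added example, not Microtica code).

Reads the JSON that `aws ecr describe-image-scan-findings` prints (the
document the ScanImage step writes to scan_report.json) and decides whether
the step should fail. Thresholds, exit codes and the handling of a missing or
incomplete report are assumptions of this example, not Microtica behaviour.
"""
import json
import sys

# ECR's five severity categories plus UNDEFINED, which ECR assigns to CVEs
# that carry no CVSS score. Index 0 is the worst.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]

# Constructed sample in the shape of describe-image-scan-findings output
# (placeholder finding names, not a real scan); `region` is the key the
# page's jq filter adds.
SAMPLE_REPORT = json.dumps({
    "repositoryName": "microtica/my-app",
    "imageId": {"imageTag": "v0.1.0"},
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 1, "LOW": 1},
        "findings": [
            {"name": "PLACEHOLDER-1", "severity": "CRITICAL", "uri": "https://example.invalid/1",
             "attributes": [{"key": "package_name", "value": "openssl"}]},
            {"name": "PLACEHOLDER-2", "severity": "HIGH", "uri": "https://example.invalid/2",
             "attributes": [{"key": "package_name", "value": "zlib"}]},
            {"name": "PLACEHOLDER-3", "severity": "LOW", "uri": "https://example.invalid/3",
             "attributes": [{"key": "package_name", "value": "bash"}]},
        ],
    },
    "region": "eu-central-1",
})
# Constructed: a completed scan with no findings.
CLEAN_REPORT = json.dumps({"imageScanStatus": {"status": "COMPLETE"},
                           "imageScanFindings": {"findingSeverityCounts": {}, "findings": []}})
# Constructed: captured while the scan was still running (the wait timed out behind `|| true`).
IN_PROGRESS_REPORT = json.dumps({"imageScanStatus": {"status": "IN_PROGRESS"}, "imageScanFindings": {}})


def summarize(report_text):
    """Parse the report; return (scan status, counts per severity, findings).

    An empty file means no findings were ever written (start-image-scan or
    describe failed behind `|| true`), so the status is "MISSING" rather than
    silently passing a build that has no scan evidence.
    """
    if not report_text.strip():
        return "MISSING", {}, []
    doc = json.loads(report_text)
    status = doc.get("imageScanStatus", {}).get("status", "UNKNOWN")
    scan = doc.get("imageScanFindings", {})
    findings = scan.get("findings", [])
    counts = dict(scan.get("findingSeverityCounts") or {})
    if not counts:  # derive the summary from the list when it is absent
        for finding in findings:
            severity = finding.get("severity", "UNDEFINED")
            counts[severity] = counts.get(severity, 0) + 1
    return status, counts, findings


def violations(counts, fail_on="HIGH"):
    """Number of findings at severity fail_on or worse."""
    limit = SEVERITY_ORDER.index(fail_on)
    return sum(n for sev, n in counts.items()
               if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) <= limit)


def gate(report_text, fail_on="HIGH"):
    """Exit code for the step: 0 pass, 1 findings over threshold, 2 no usable scan."""
    status, counts, _ = summarize(report_text)
    if status != "COMPLETE":
        return 2
    return 1 if violations(counts, fail_on) else 0


def main(argv):
    path = argv[1] if len(argv) > 1 else "scan_report.json"
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    try:
        with open(path) as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    status, counts, findings = summarize(text)
    print(f"scan status: {status}")
    for sev in SEVERITY_ORDER:
        if counts.get(sev):
            print(f"  {sev:<13} {counts[sev]}")
    for finding in findings:
        pkg = next((a["value"] for a in finding.get("attributes", [])
                    if a.get("key") == "package_name"), "?")
        print(f"  {finding.get('severity'):<13} {finding.get('name')} ({pkg})")
    return gate(text, fail_on)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the last command of the ScanImage step (for example `python3 scan_gate.py scan_report.json HIGH`, with the script committed next to microtica.yaml; the file name is this example's choice). Because the step uses `touch` and `|| true`, an empty or half-written report can reach the gate; it returns 2 in that case so a scan that never ran is not mistaken for a clean one.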