Overview
This page provides instructions on how to integrate Amazon ECR with the Unified Agent to be able to scan Docker Images.
Prerequisites
- It is assumed that you have an authorized account to Amazon ECR and can pull images from Amazon ECR.
- You have Amazon AWS CLI installed.
- You have Docker installed.
- Unified Agent will scan the images on your local host (after these have been pulled from Amazon ECR).
- The Unified Agent requires a JAR file and a configuration file. You can download them manually or by using the steps described below.
Downloading the Unified Agent and Configuration File
Info: For performance reasons, run the commands below only once a week to download the latest version of the Unified Agent, not as part of every build. You can do this using a scheduler task, such as cron.
Use the following options to download the latest version of the WhiteSource Unified Agent JAR file and configuration file to your local host.
Run the following commands:
    curl -LJO "https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar"
    curl -LJO "https://github.com/whitesource/unified-agent-distribution/raw/master/standAlone/wss-unified-agent.config"
Run the following commands:
    powershell bitsadmin /transfer mydownload /dynamic /download /priority FOREGROUND https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar $pwd\wss-unified-agent.jar
    powershell bitsadmin /transfer mydownload /dynamic /download /priority FOREGROUND https://github.com/whitesource/unified-agent-distribution/raw/master/standAlone/wss-unified-agent.config $pwd\wss-unified-agent.config
Note: Make sure that the Background Intelligent Transfer Service (BITS) is enabled if you want to use PowerShell on Windows.
Linux/Unix
Run the following commands from the Linux/Unix bash prompt:
    curl -LJO "https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar"
    curl -LJO "https://github.com/whitesource/unified-agent-distribution/raw/master/standAlone/wss-unified-agent.config"
Update Configuration File
Update the configuration file (wss-unified-agent.config) that you downloaded in step 2 according to your specific requirements.
Enable the relevant lines by removing the '#' symbol at the beginning of the lines.
Example of values for uncommented lines:
    docker.includes=.*alpine.*
    docker.excludes=.*2017.10.01.* .*2017.06.01.*
    docker.scanImages=true
    docker.pull.enable=false
    docker.pull.images=.*.*
    docker.pull.tags=.*.*
    docker.pull.digest=.*.*
    docker.delete.force=false
    docker.aws.enable=false
    docker.aws.registryIds=XXXXXXXXXXXX
    docker.pull.maxImages=10
    docker.login.sudo=true
docker.aws.registryIds
The list of registry IDs on Amazon Web Services (the 12-digit AWS account IDs that correspond to the Amazon ECR registries). The list must meet the following requirements:
- Full registry IDs only; no GLOB patterns.
- At least one registry ID. Values are space-delimited.
NOTE: Required if docker.aws.enable=true.
Running the Unified Agent
Run the Unified Agent with the modified configuration file via this command:
    java -jar wss-unified-agent.jar -apiKey xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx -c wss-unified-agent.config
Scanning Information
The scanner saves the requested images and scans the entire file system and installed packages of each one.
It scans all the image layers, and handles archive files in the layers based on the value in the property 'archiveExtractionDepth'.
The Docker image is saved to the temporary directory defined in your environment, and is deleted immediately after the scan.
The scanning results are presented in a new WhiteSource project identified by the name of the image in the following format: <image id> <repository> <tag>.
The project is created in the WhiteSource product specified in the configuration file or command line.
(Optional) Performing Manual Scanning of Images (instead of using ECR automated image pulling):
Pull Docker Images From Amazon ECR Before Scanning
You need to pull the Docker images that you want to scan. Pull the images from Amazon ECR using the docker pull command:
    docker pull {aws_account_id}.dkr.ecr.{region}.amazonaws.com/{image}:{tag}
    docker pull {aws_account_id}.dkr.ecr.us-west-2.amazonaws.com/amazonlinux:latest
    docker pull {aws_account_id}.dkr.ecr.us-east-1.amazonaws.com/ubuntu:trusty
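The manual flow above (pull from ECR, scan with the Unified Agent) as an added POSIX shell wrapper, not part of the Mend/WhiteSource documentation or product. It checks a docker.aws.registryIds value against the rules given earlier on this page before anything is pulled, and assumes AWS CLI v2 (aws ecr get-login-password), Docker, the JAR and config in the current directory, and a WSS_API_KEY environment variable (all assumptions).

```shell
#!/bin/sh
# Added example: wraps the manual ECR pull-and-scan flow described on this page.
# Assumptions: AWS CLI v2, Docker, wss-unified-agent.jar and wss-unified-agent.config
# in the current directory, API key in $WSS_API_KEY.

# Validate a docker.aws.registryIds value: space-delimited, at least one entry,
# each a full 12-digit account ID, no GLOB patterns. Returns 0 when valid.
validate_registry_ids() {
  n=0
  for id in $1; do
    n=$((n + 1))
    case "$id" in
      *[!0-9]*) return 1 ;;          # any non-digit also rejects '*', '?', '.'
    esac
    [ "${#id}" -eq 12 ] || return 1  # partial IDs are not accepted
  done
  [ "$n" -ge 1 ]
}

# Registry hostname used by 'docker login'.
ecr_registry_host() {
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Full image reference used by 'docker pull'.
ecr_image_ref() {
  printf '%s/%s:%s\n' "$(ecr_registry_host "$1" "$2")" "$3" "$4"
}

# Log in, pull one image, scan it with the Unified Agent, then remove the local copy
# so the pulled image does not linger on the scanning host.
scan_ecr_image() {
  account="$1"; region="$2"; image="$3"; tag="$4"
  validate_registry_ids "$account" || { echo "invalid registry ID: $account" >&2; return 1; }
  ref=$(ecr_image_ref "$account" "$region" "$image" "$tag")
  aws ecr get-login-password --region "$region" \
    | docker login --username AWS --password-stdin "$(ecr_registry_host "$account" "$region")"
  docker pull "$ref"
  # docker.includes in wss-unified-agent.config must match "$ref" for it to be scanned.
  java -jar wss-unified-agent.jar -apiKey "$WSS_API_KEY" -c wss-unified-agent.config
  docker rmi "$ref"
}

# Runs only when invoked with four arguments, e.g.:
#   WSS_API_KEY=... sh scan_ecr.sh 123456789012 us-west-2 amazonlinux latest
if [ "$#" -eq 4 ]; then
  scan_ecr_image "$@"
fi
```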
For more information, refer to the following Amazon website links:
is available at: https://docs.mend.io/bundle/unified_agent/page/amazon_elastic_container_registry__ecr__-_docker_integration.html