Skip to main content

aws_ecr_images Resource

Use the aws_ecr_images InSpec audit resource to test the properties of all images in an AWS Elastic Container Registry (ECR) repository. This resource is available in InSpec AWS resource pack version 1.11.0 onwards.

Install

This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.

Syntax

An aws_ecr_images resource block declares the tests for all images in an AWS ECR repository by the repository name.

describe aws_ecr_images(repository_name: 'my-repo') do
  it { should exist }
end

Parameters

The repository name must be provided. The ID of the registry is optional.

repository_name (required)

The name of the ECR repository must satisfy the following constraints:

  • Regex pattern (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*.
  • Minimum 2 and maximum of 256 characters long.
registry_id (optional)

The 12-digit ID of the AWS Elastic Container Registry. If not provided, the default registry is assumed.

Properties

digests
The sha256 digest of the image manifest.

Field: digest

size_in_bytes
The size, in bytes, of the image in the repository.

Field: digest

tags
The list of tags associated with an image.

Field: tags

vulnerability_severity_counts
The image vulnerability counts, sorted by severity.

Field: tags

vulnerability_scan_status
The current state of the scan. It returns an image scan status object.

Field: tags

pushed_at_dates
The date and time at which an image was pushed to the repository.

Field: pushed_at_date

Examples

Ensure that there are exactly 3 images.

describe aws_ecr_images(repository_name: 'my-repo') do
  its('count') { should cmp 3 }
end

Use this InSpec resource to request the digests of all images, then test in-depth using aws_ecr_image.

aws_ecr_images(repository_name: 'my-repo').digests.each do |image_digest|
  describe aws_ecr_image(repository_name: 'my-repo', image_digest: image_digest) do
    its('tags') { should include('latest') }
  end
end

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

describe aws_ecr_images(repository_name: 'my-repo').where( <property>: <value>) do
  it { should exist }
end
describe aws_ecr_images(repository_name: 'my-repo').where( <property>: <value>) do
  it { should_not exist }
end

AWS Permissions

Your Principal will need the ECR:Client:DescribeImagesResponse action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.

Edit this page on GitHub

Thank you for your feedback!

×









Search Results