Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

core: ContainerAssetsRepository fails security controls from cdk bootstrap #25966

Closed
gricey432 opened this issue Jun 14, 2023 · 5 comments
Closed
Labels
effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI

Comments

@gricey432
Copy link

Describe the bug

The ECR repository made during bootstrap doesn't have image scanning enabled [1]. This causes SecurityHub to mark it as failing ECR.1 [2]

[1] https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L234

[2] https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-1

Expected Behavior

SecurityHub doesn't find issues

Current Behavior

SecurityHub finds issues

Reproduction Steps

Bootstrap an account with SecurityHub enabled. You don't seem to need to push anything to the repository (mine is empty).

Possible Solution

The AWS::ECR::Repository should gain ImageScanningConfiguration. I believe basic image scanning is free

Additional Information/Context

No response

CDK CLI Version

2.81.0 (build bd920f2)

Framework Version

No response

Node.js Version

v16.10.0

OS

Windows 11

Language

Typescript

Language Version

No response

Other information

No response

@gricey432 gricey432 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 14, 2023
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Jun 14, 2023
@pahud
Copy link
Contributor

pahud commented Jun 14, 2023

Yes it makes sense! Making it p1 feature request.

@pahud pahud added p1 feature-request A feature should be added or improved. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jun 14, 2023
@pahud pahud changed the title bootstrap: ContainerAssetsRepository fails security controls core: ContainerAssetsRepository fails security controls from cdk bootstrap Jun 14, 2023
@pahud
Copy link
Contributor

pahud commented Jun 15, 2023

Hi

We used to have this feature but removed it. Please check this PR description:
#21342

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed bug This issue is a bug. labels Jun 15, 2023
@github-actions
Copy link

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 17, 2023
@gricey432
Copy link
Author

Commenting to keep this alive until I return from leave.

I think the linked PR is the right move, I just want to confirm one detail

@github-actions github-actions bot removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Jun 18, 2023
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 package/tools Related to AWS CDK Tools or CLI
Projects
None yet
Development

No branches or pull requests

2 participants