feat: add rootfs image scanning notifications #403
Conversation
Nice, lgtm
It would be nice to have unit testing for the lambda function. Maybe we could look here for inspiration.
LGTM, just added a couple of comments. Thanks! :D
fcac304 to 1c1e332
Thanks for the ref. For now I've opened #412 to track. Since this isn't critical infrastructure, failure in the lambda itself isn't going to be too painful. I'd argue it would be more valuable to ship this and get information on any vulnerabilities in the rootfs image first, and follow up w/ the test. Additionally... given the project is entirely typescript and this is the first introduction of python, would have to do some thinking on structure / potential reworking this to ts. WDYT? @austinvazquez
Sounds good to me. Thanks for opening the issue for tracking.
1c1e332 to e763a37
Amazon ECR offers Enhanced Image Scanning, which we have enabled for the rootfs image used for Finch on Windows. This change implements a stack to automatically notify Finch developers of scan results when the finding is HIGH or CRITICAL in severity (aka CVE score >= 7.0). An SNS topic is created for the notification, and a Lambda function is wired to EventBridge to listen for events from AWS Inspector of those severities.
Signed-off-by: Gavin Inglis <[email protected]>
e763a37 to 737b4b0
Issue #, if available:
Closes #357
Description of changes:
Amazon ECR offers Enhanced Image Scanning, which we have enabled for the rootfs image used for Finch on Windows. This change implements a stack to automatically notify Finch developers of scan results when the finding is HIGH or CRITICAL in severity (aka CVE score >= 7.0).
An SNS topic is created for the notification, and a Lambda function is wired to EventBridge to listen for events from AWS Inspector of those severities.
Testing done:
Manual deployment and verification of notification email. Emails received from AWS Notifications <[email protected]>. Example text below:

License Acceptance
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
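The description above wires EventBridge to a Lambda that forwards HIGH/CRITICAL Inspector findings for the ECR rootfs image to an SNS topic. The following is an added example of what such a Python handler can look like; it is not the PR's own Lambda code. It assumes the EventBridge rule pattern shown in `RULE_PATTERN` (source `aws.inspector2`, detail-type `Inspector2 Finding`, severity in the rule's list), and the sample event is constructed: only `source`, `detail-type` and `detail.severity` are taken from the rule, while `inspectorScore`, `title`, `resources` and `region` are assumed field names, and the topic ARN, account id and CVE id are placeholders. The handler re-applies the severity filter locally so a loosened rule cannot page developers on LOW findings, and takes the SNS client as a parameter so the file runs without AWS credentials.

```python
"""Added example (not the PR's code): EventBridge-triggered Lambda that
forwards HIGH/CRITICAL Amazon Inspector ECR findings to an SNS topic."""
import json
import os

# EventBridge rule pattern the stack attaches to the Lambda: only Inspector
# findings at HIGH or CRITICAL severity (CVSS >= 7.0) are delivered.
RULE_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"severity": ["HIGH", "CRITICAL"]},
}


def matches_pattern(event: dict, pattern: dict = RULE_PATTERN) -> bool:
    """Local re-check using EventBridge's basic matching rule: every key in the
    pattern must be present, nested dicts recurse, and a leaf list matches when
    the event value equals one of the listed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def format_message(event: dict) -> tuple:
    """Build an SNS subject and body from the finding (field names assumed)."""
    detail = event.get("detail", {})
    severity = detail.get("severity", "UNKNOWN")
    title = detail.get("title", "Inspector finding")
    resources = [r.get("id", "?") for r in detail.get("resources", [])]
    subject = f"[{severity}] ECR scan finding: {title}"[:100]  # SNS subject limit is 100 chars
    body = "\n".join([
        f"Severity: {severity}",
        f"Inspector score: {detail.get('inspectorScore', 'n/a')}",
        f"Title: {title}",
        f"Resources: {', '.join(resources) or 'n/a'}",
        f"Region: {event.get('region', 'n/a')}",
    ])
    return subject, body


def handler(event, context=None, sns_client=None, topic_arn=None):
    """Lambda entry point. Drops anything the rule should not have sent, then
    publishes a human-readable summary to the notification topic."""
    if not matches_pattern(event):
        return {"published": False, "reason": "wrong source or severity below threshold"}
    if sns_client is None:
        import boto3  # only needed when actually running in Lambda
        sns_client = boto3.client("sns")
    topic_arn = topic_arn or os.environ["TOPIC_ARN"]
    subject, body = format_message(event)
    sns_client.publish(TopicArn=topic_arn, Subject=subject, Message=body)
    return {"published": True, "subject": subject}


# Constructed sample event (not a real finding); CVE id and ARNs are placeholders.
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "region": "us-west-2",
    "detail": {
        "severity": "CRITICAL",
        "inspectorScore": 9.8,
        "title": "CVE-XXXX-XXXX - example-package",
        "resources": [{"id": "arn:aws:ecr:us-west-2:123456789012:repository/finch-rootfs/sha256:placeholder"}],
    },
}


class RecordingSns:
    """Stand-in for the boto3 SNS client so the file runs without AWS."""

    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        print(json.dumps(kwargs, indent=2))


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, sns_client=RecordingSns(),
                  topic_arn="arn:aws:sns:us-west-2:123456789012:placeholder-topic"))
```

In a real deployment `TOPIC_ARN` comes from the Lambda environment and the boto3 client is created on the cold-start path; the local `matches_pattern` check is cheap defence in depth against a rule edited to `"severity": ["LOW"]` or a broadened source.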