AWS ECR Integration

Ensure your service's images are free of known vulnerabilities.

Add an AWS ECR Integration

  1. In the OpsLevel app, click Integrations in the left sidebar.
  2. Click on the + New Integration button.
  3. Click the AWS ECR tile to add the integration.

Create a Check

1. Navigate to the Rubrics submenu under the Service Health menu in OpsLevel.

2. Hover over the cell that corresponds to the level and category you want your check to live in and click the + Add Check button.

3. Create a Custom Event check.

4. Select the AWS ECR integration you created from the Integration dropdown.

5. Choose one of the Check Templates from the dropdown.

Check Template

Here is what each template is for:

  • Check For Critical Vulnerabilities: Any service with container images stored in ECR that have critical vulnerabilities will fail this check. The check will also fail if the scan failed.
  • Check For High Vulnerabilities: Any service with container images stored in ECR that have vulnerabilities that are high or critical will fail this check. The check will also fail if the scan failed.
  • Check For Medium Vulnerabilities: Any service with container images stored in ECR that have vulnerabilities that are medium severity or higher will fail this check. The check will also fail if the scan failed.
  • Check For Low Vulnerabilities: Any service with container images stored in ECR that have vulnerabilities that are low severity or higher will fail this check. The check will also fail if the scan failed.

6. We populate the Service Specifier field, which determines which service the check runs for, and the Success Condition field, which determines whether the check passes or fails. We also provide a sample payload for testing the check.

Service Specifier and Success Condition
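To make the four templates concrete, here is an added example (not OpsLevel's own check implementation) that applies the same pass/fail rules to an ECR scan event: the check fails when the scan did not complete, or when any finding is at the template's severity or more severe. The event layout follows the AWS "ECR Image Scan" EventBridge event (`source` of `aws.ecr`, `detail.scan-status`, `detail.repository-name`, `detail.finding-severity-counts`); the sample event and the service/alias table are constructed for this example, and the service lookup mirrors the repository-name-to-service-or-alias matching described in the EventBridge section.

```python
"""Evaluate the four OpsLevel ECR check templates against an ECR Image Scan event.

Added example, not OpsLevel's code. The sample event and the service catalog
below are constructed; the event shape follows the AWS "ECR Image Scan" event.
"""
from typing import Dict, List, Optional

# Severities as AWS reports them in finding-severity-counts, most severe first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]

# Each template fails when any finding is at its threshold or more severe.
TEMPLATE_THRESHOLD = {
    "Check For Critical Vulnerabilities": "CRITICAL",
    "Check For High Vulnerabilities": "HIGH",
    "Check For Medium Vulnerabilities": "MEDIUM",
    "Check For Low Vulnerabilities": "LOW",
}

# Constructed sample event in the shape EventBridge delivers for an ECR scan.
SAMPLE_EVENT = {
    "source": "aws.ecr",
    "detail-type": "ECR Image Scan",
    "region": "us-east-1",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "payments-api",
        "image-digest": "sha256:" + "0" * 64,  # placeholder digest
        "image-tags": ["1.4.2"],
        "finding-severity-counts": {"HIGH": 2, "MEDIUM": 5, "LOW": 9},
    },
}

# Constructed service catalog: OpsLevel service name -> aliases added to it.
SERVICES: Dict[str, List[str]] = {
    "payments": ["payments-api", "payments-worker"],
    "checkout": [],
}


def resolve_service(event: dict, services: Dict[str, List[str]]) -> Optional[str]:
    """Service specifier: match the ECR repository name to a service name or alias."""
    repo = event["detail"]["repository-name"]
    for name, aliases in services.items():
        if repo == name or repo in aliases:
            return name
    return None


def scan_failed(event: dict) -> bool:
    """Any status other than COMPLETE means the scan produced no usable results."""
    return event["detail"].get("scan-status") != "COMPLETE"


def findings_at_or_above(event: dict, threshold: str) -> int:
    """Count findings whose severity is the threshold or more severe."""
    counts = event["detail"].get("finding-severity-counts", {})
    cutoff = SEVERITY_ORDER.index(threshold)
    return sum(counts.get(sev, 0) for sev in SEVERITY_ORDER[: cutoff + 1])


def check_passes(event: dict, template: str) -> bool:
    """Success condition: fail on a failed scan or on findings at/above the threshold."""
    if scan_failed(event):
        return False
    return findings_at_or_above(event, TEMPLATE_THRESHOLD[template]) == 0


def evaluate_all(event: dict) -> Dict[str, bool]:
    """Run every template against one event."""
    return {name: check_passes(event, name) for name in TEMPLATE_THRESHOLD}


if __name__ == "__main__":
    print("service:", resolve_service(SAMPLE_EVENT, SERVICES))
    for name, ok in evaluate_all(SAMPLE_EVENT).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

With the sample counts (two HIGH findings, no CRITICAL), only the critical template passes; a second event whose `scan-status` is `FAILED` fails every template regardless of counts, which is the behaviour each template description calls out.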

Setup using AWS EventBridge

Use the Webhook URL from the integration’s page in OpsLevel to create an AWS EventBridge rule for ECR scan results. If your container name matches your service name, you’re done. If not, add an alias to your service in OpsLevel.

  1. Log into the AWS Console, open EventBridge and click Create Rule
  2. Fill in the name, description, etc.
  3. Under pattern, select Event pattern
  4. Select Pre-defined pattern by service
  5. Select service provider AWS, service name Elastic Container Registry (ECR), and event type ECR Image Scan
  6. Leave the default event bus selected and enabled
  7. Select API Destination as the target
  8. Select Create a new API destination

9. Set the name and description. Copy the Webhook URL from the integration’s page in OpsLevel into the API destination endpoint field

Webhook URL

10. Select POST as the HTTP method

11. Under connection select Create a new connection

12. Set the name and description. Select API Key as the authorization type

13. Set both key and value to “opslevel”. These values are unused but are required by EventBridge

14. Finally, click create.
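The same rule, connection, API destination and target can be provisioned from code. The following is an added example, not OpsLevel's or AWS's own code: the `build_*` functions return the parameters for the corresponding EventBridge API calls (they match steps 1 to 13 and run without AWS credentials), `event_matches` shows which events the rule's pattern forwards, and `apply` performs the calls through boto3. `WEBHOOK_URL` is a placeholder for the URL copied from the integration's page, and the IAM role ARN in `apply` is a placeholder for the role EventBridge needs to invoke an API destination (the console creates that role for you; the API call requires you to supply it).

```python
"""Provision the EventBridge rule -> API destination path with boto3.

Added example, not OpsLevel's or AWS's code. WEBHOOK_URL and the role ARN
in apply() are placeholders; everything else mirrors the console steps.
"""
import json
from typing import Any, Dict

WEBHOOK_URL = "https://REPLACE-WITH-WEBHOOK-URL-FROM-OPSLEVEL"  # placeholder


def ecr_scan_event_pattern() -> Dict[str, Any]:
    """Steps 3-5: pre-defined pattern for service ECR, event type ECR Image Scan."""
    return {"source": ["aws.ecr"], "detail-type": ["ECR Image Scan"]}


def event_matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Minimal EventBridge matching: every pattern key must exist in the event,
    a list means any of these exact values, a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def build_connection_params(name: str) -> Dict[str, Any]:
    """Steps 11-13: API key auth; key and value are unused but required."""
    return {
        "Name": name,
        "AuthorizationType": "API_KEY",
        "AuthParameters": {
            "ApiKeyAuthParameters": {"ApiKeyName": "opslevel", "ApiKeyValue": "opslevel"}
        },
    }


def build_api_destination_params(name: str, connection_arn: str, endpoint: str) -> Dict[str, Any]:
    """Steps 9-10: the OpsLevel webhook URL as the endpoint, HTTP method POST."""
    return {
        "Name": name,
        "ConnectionArn": connection_arn,
        "InvocationEndpoint": endpoint,
        "HttpMethod": "POST",
    }


def build_rule_params(name: str) -> Dict[str, Any]:
    """Steps 1-6: event-pattern rule on the default event bus, enabled."""
    return {
        "Name": name,
        "EventPattern": json.dumps(ecr_scan_event_pattern()),
        "State": "ENABLED",
        "EventBusName": "default",
    }


def apply(prefix: str = "opslevel-ecr", endpoint: str = WEBHOOK_URL) -> str:
    """Create connection, API destination, rule and target. Needs AWS credentials."""
    import boto3  # imported here so the builders above work offline

    events = boto3.client("events")
    conn = events.create_connection(**build_connection_params(f"{prefix}-connection"))
    dest = events.create_api_destination(
        **build_api_destination_params(f"{prefix}-destination", conn["ConnectionArn"], endpoint)
    )
    events.put_rule(**build_rule_params(f"{prefix}-rule"))
    # Steps 7-8: the API destination is the target. The role ARN is a placeholder
    # for the IAM role EventBridge assumes to invoke the destination.
    events.put_targets(
        Rule=f"{prefix}-rule",
        EventBusName="default",
        Targets=[{
            "Id": "opslevel",
            "Arn": dest["ApiDestinationArn"],
            "RoleArn": "arn:aws:iam::123456789012:role/REPLACE-WITH-EVENTBRIDGE-ROLE",
        }],
    )
    return dest["ApiDestinationArn"]


if __name__ == "__main__":
    # Print the parameters without touching AWS; call apply() to provision.
    print(json.dumps(build_rule_params("opslevel-ecr-rule"), indent=2))
```

The pattern is deliberately narrow: an event from another source, or a different ECR event type, is not forwarded, so only scan results reach the webhook.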

Read Getting Started with AWS EventBridge and external APIs with EventBridge to learn more.