pmh_only/bp-check
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add feature: ECR bp check

Browse Source
This commit is contained in:
Juwon 2024-08-06 13:07:28 +09:00 committed by skyuecx0630
parent fb5f1fc3ca
commit 9449cac446
1 changed files with 58 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
services/ecr.py
View File

@ -1,29 +1,82 @@
from models import RuleCheckResult from models import RuleCheckResult
import boto3 import boto3
import botocore
# client = boto3.client("") client = boto3.client("ecr")
def ecr_private_image_scanning_enabled(): def ecr_private_image_scanning_enabled():
repositories = client.describe_repositories()
compliant_resource = []
non_compliant_resources = []
for repository in repositories["repositories"]:
if repository["imageScanningConfiguration"]["scanOnPush"] == True:
compliant_resource.append(repository["repositoryArn"])
else:
non_compliant_resources.append(repository["repositoryArn"])
return RuleCheckResult( return RuleCheckResult(
passed=False, compliant_resources=[], non_compliant_resources=[] passed=not non_compliant_resources,
compliant_resources=compliant_resource,
non_compliant_resources=non_compliant_resources,
) )
def ecr_private_lifecycle_policy_configured(): def ecr_private_lifecycle_policy_configured():
repositories = client.describe_repositories()
compliant_resource = []
non_compliant_resources = []
for repository in repositories["repositories"]:
try:
response = client.get_lifecycle_policy(
registryId=repository["registryId"],
repositoryName=repository["repositoryName"],
)
compliant_resource.append(repository["repositoryArn"])
except botocore.errorfactory.LifecyclePolicyNotFoundException:
non_compliant_resources.append(repository["repositoryArn"])
return RuleCheckResult( return RuleCheckResult(
passed=False, compliant_resources=[], non_compliant_resources=[] passed=not non_compliant_resources,
compliant_resources=compliant_resource,
non_compliant_resources=non_compliant_resources,
) )
def ecr_private_tag_immutability_enabled(): def ecr_private_tag_immutability_enabled():
repositories = client.describe_repositories()
compliant_resource = []
non_compliant_resources = []
for repository in repositories["repositories"]:
if repository["imageTagMutability"] == "IMMUTABLE":
compliant_resource.append(repository["repositoryArn"])
else:
non_compliant_resources.append(repository["repositoryArn"])
return RuleCheckResult( return RuleCheckResult(
passed=False, compliant_resources=[], non_compliant_resources=[] passed=not non_compliant_resources,
compliant_resources=compliant_resource,
non_compliant_resources=non_compliant_resources,
) )
def ecr_kms_encryption_1(): def ecr_kms_encryption_1():
repositories = client.describe_repositories()
compliant_resource = []
non_compliant_resources = []
for repository in repositories["repositories"]:
if repository["encryptionConfiguration"]["encryptionType"] == "KMS":
compliant_resource.append(repository["repositoryArn"])
else:
non_compliant_resources.append(repository["repositoryArn"])
return RuleCheckResult( return RuleCheckResult(
passed=False, compliant_resources=[], non_compliant_resources=[] passed=not non_compliant_resources,
compliant_resources=compliant_resource,
non_compliant_resources=non_compliant_resources,
) )