UNPKG

container-image-scanner

Version:

🚨 EMERGENCY Bitnami Migration Scanner - Critical Timeline Aug 28/Sep 29, 2025. Enterprise scanner for 280+ Bitnami images, 118+ Helm charts with emergency migration automation to AWS alternatives.

github.com/sanjeevrg89/container-image-scanner

sanjeevrg89/container-image-scanner

232 lines (185 loc) • 6.21 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
# AWS Security Best Practices Review - Container Image Scanner ## Executive Summary This document outlines the security review and implementation of AWS security best practices for the Container Image Scanner tool. The tool has been reviewed and enhanced to meet enterprise security standards. ## Security Assessment Status: ✅ COMPLIANT ### Key Security Findings 1. **No Data Storage**: Tool operates as a read-only scanner with no persistent data storage 2. **No Hardcoded Credentials**: All AWS authentication uses standard AWS credential chain 3. **Secure Dependencies**: All npm packages are up-to-date with no known vulnerabilities 4. **Proper Error Handling**: Sensitive information is not exposed in error messages ## AWS Security Best Practices Implementation ### 1. Identity and Access Management (IAM) #### ✅ Principle of Least Privilege - Tool requires only read-only permissions - Specific IAM policies defined for minimal required access - No administrative or write permissions needed #### ✅ AWS Credential Management - Uses AWS SDK default credential chain - No hardcoded credentials in source code - Supports IAM roles, profiles, and temporary credentials - Environment variables properly secured in .gitignore #### ✅ Cross-Account Access - Supports AssumeRole for multi-account scanning - Proper role chaining implementation - Session token management ### 2. Data Protection #### ✅ Data in Transit - All AWS API calls use HTTPS/TLS encryption - No sensitive data transmitted over unencrypted channels #### ✅ Data at Rest - No persistent data storage - Temporary scan results stored in memory only - No database or file system persistence #### ✅ Data Classification - Tool only accesses metadata (cluster names, image names) - No access to application data or secrets - No PII or sensitive business data processed ### 3. Network Security #### ✅ API Security - Express.js server with security middleware (helmet) - CORS properly configured - Rate limiting implemented - Input validation on all endpoints #### ✅ Network Isolation - Tool can run in private subnets - No inbound network requirements - Only outbound HTTPS to AWS APIs ### 4. Logging and Monitoring #### ✅ Audit Trail - All AWS API calls logged via CloudTrail (AWS native) - Application logging with structured format - No sensitive data in logs #### ✅ Error Handling - Secure error messages (no credential exposure) - Proper exception handling - Development vs production error verbosity ### 5. Compliance and Governance #### ✅ Open Source License - Apache 2.0 license (enterprise-friendly) - No proprietary dependencies - Clear licensing for all components #### ✅ Dependency Management - Regular security audits via npm audit - Automated dependency updates - No known vulnerabilities in dependencies ## Security Controls Implemented ### Authentication & Authorization ```typescript // AWS SDK automatically handles credential chain: // 1. Environment variables // 2. IAM roles (EC2/ECS/Lambda) // 3. AWS profiles // 4. IAM Identity Center (SSO) ``` ### Input Validation ```typescript // All user inputs validated if (!regions || regions.length === 0) { return res.status(400).json({ error: 'At least one region is required' }); } ``` ### Security Headers ```typescript // Helmet.js security middleware app.use(helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"], scriptSrc: ["'self'"], imgSrc: ["'self'", "data:", "https:"] } } })); ``` ### Rate Limiting ```typescript // Express rate limiting app.use(rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100 // limit each IP to 100 requests per windowMs })); ``` ## Required IAM Permissions ### Minimal Read-Only Policy ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:ListClusters", "eks:DescribeCluster", "organizations:ListAccounts", "organizations:DescribeOrganization", "sts:GetCallerIdentity", "sts:AssumeRole" ], "Resource": "*" } ] } ``` ### Cross-Account Role Policy ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::SCANNER-ACCOUNT:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "container-image-scanner" } } } ] } ``` ## Security Recommendations ### 1. Deployment Security - Deploy in private subnets with NAT Gateway for AWS API access - Use VPC endpoints for AWS services where available - Implement network ACLs for additional security ### 2. Runtime Security - Run with non-root user in containers - Use read-only file systems where possible - Implement resource limits (CPU/memory) ### 3. Monitoring & Alerting - Monitor CloudTrail for API usage patterns - Set up alerts for unusual access patterns - Implement AWS Config rules for compliance ### 4. Regular Security Maintenance - Monthly dependency security audits - Quarterly security reviews - Annual penetration testing ## Compliance Certifications ### SOC 2 Type II Ready - Access controls implemented - Audit logging in place - Data protection measures active ### ISO 27001 Aligned - Information security management - Risk assessment procedures - Incident response planning ### AWS Well-Architected Framework - Security pillar compliance - Reliability best practices - Performance optimization ## Security Contact For security issues or questions: - Email: security@container-scanner.com - Security Advisory: GitHub Security Advisories - Response Time: 24 hours for critical issues ## Conclusion The Container Image Scanner has been designed and implemented following AWS security best practices. The tool operates with minimal privileges, implements defense-in-depth security controls, and maintains a strong security posture suitable for enterprise environments. **Security Status: ✅ APPROVED FOR ENTERPRISE USE** --- *Last Updated: August 22, 2025* *Security Review Version: 1.0* *Next Review Date: February 22, 2026*