Until now, Anchore’s primary runtime focus has been enabling deep vulnerability analysis through the generation of Software Bill of Materials (SBOMs) for images that are built and deployed in Kubernetes. Kubernetes is one of the most widely used container orchestration platforms in the industry, but Anchore has recognized that there are other platforms that our customers are using.

Amazon Elastic Container Service (ECS) is another powerful container orchestration platform, but until now its API did not expose enough to allow container scanning outside of the AWS ecosystem. Before this major update in Anchore Enterprise 4.8, those using ECS as their runtime environment were unable to perform vulnerability analysis on their images unless those images were hosted in Amazon Elastic Container Registry (ECR).

Now that the proper updates have been implemented by AWS to their API, users can gather their inventory of images in use from ECS and run vulnerability scans via our new anchore-ecs-inventory agent (downloadable here) for any registry.

Explore the code more in-depth here.

How to Deploy

`anchore-ecs-inventory`, just like `anchore-k8s-inventory`, can be deployed via a Helm chart into any Kubernetes environment that has access to AWS and to your Anchore deployment. You can install the chart via:

```
helm repo add anchore https://charts.anchore.io
helm install ecs-inventory anchore/ecs-inventory
```

An example of values.yaml can be found here.

The ECS runtime agent gathers its data via the AWS API, so there is no need for it to be co-located with your runtime environment. However, should you want the agent to run directly on ECS and report back to Anchore Enterprise, our documentation includes an example task definition you can use.

Subscribe to Watch ECS Inventory to Auto Analyze

It's possible to create a subscription that watches for new ECS inventory reported to Anchore and automatically schedules those images for analysis. A subscription can be created by sending a POST to `/v1/subscriptions` with the following payload:

```
{
  "subscription_key": "<SUBSCRIPTION_KEY>",
  "subscription_type": "runtime_inventory"
}
```

Curl example:

```
curl -X POST -u USERNAME:PASSWORD --url ANCHORE_URL/v1/subscriptions --header 'Content-Type: application/json' --data '{
  "subscription_key": "arn:aws:ecs:eu-west-2:123456789012:cluster/myclustername",
  "subscription_type": "runtime_inventory"
}'
```

The `subscription_key` can be set to any part of an ECS ClusterARN. For example, setting the `subscription_key` to the:

  • full ClusterARN `arn:aws:ecs:us-east-1:012345678910:cluster/telemetry` will create a subscription that only watches this cluster
  • partial ClusterARN `arn:aws:ecs:eu-west-2:988505687240` will result in a subscription that watches every cluster within the account 988505687240

After a subscription has been created it needs to be activated. This can be achieved with `anchorectl`:

```
anchorectl subscription activate <SUBSCRIPTION_KEY> runtime_inventory
```

To verify that you are tracking ECS inventory, list the inventory results with `anchorectl inventory list` and look for entries where the TYPE is `ecs`.
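To make the scoping rule concrete before you create a subscription, here is an added example (not Anchore's code) that builds the `runtime_inventory` payload shown above and, against a constructed list of ClusterARNs, works out which clusters a given `subscription_key` would watch. It assumes the post's "any part of an ECS ClusterARN" means a substring match, so it also shows how a too-short key silently scopes a subscription to every cluster in the inventory.

```python
import json
import re

# Constructed sample inventory: ClusterARNs as the ecs-inventory agent might report them.
SAMPLE_CLUSTER_ARNS = [
    "arn:aws:ecs:us-east-1:012345678910:cluster/telemetry",
    "arn:aws:ecs:us-east-1:012345678910:cluster/payments",
    "arn:aws:ecs:eu-west-2:988505687240:cluster/web",
    "arn:aws:ecs:eu-west-2:988505687240:cluster/batch",
    "arn:aws:ecs:eu-west-2:123456789012:cluster/myclustername",
]

# Shape of a full ECS ClusterARN: arn:aws:ecs:<region>:<12-digit account>:cluster/<name>
FULL_ARN_RE = re.compile(r"^arn:aws:ecs:[a-z0-9-]+:\d{12}:cluster/[^/]+$")
ACCOUNT_PREFIX_RE = re.compile(r"^arn:aws:ecs:[a-z0-9-]+:\d{12}$")


def subscription_payload(subscription_key: str) -> str:
    """JSON body for POST /v1/subscriptions, exactly as the post shows it."""
    return json.dumps(
        {"subscription_key": subscription_key, "subscription_type": "runtime_inventory"}
    )


def watched_clusters(subscription_key: str, cluster_arns) -> list:
    """Clusters a runtime_inventory subscription would watch.

    Assumption: the key matches when it appears anywhere in the ClusterARN
    (the post's "any part of an ECS ClusterARN"). Preserves inventory order.
    """
    return [arn for arn in cluster_arns if subscription_key in arn]


def describe_scope(subscription_key: str) -> str:
    """Classify a key by the two shapes the post documents, flagging anything else.

    Anything that is neither a full ClusterARN nor a region+account prefix is
    reported as 'broad' so an operator can check it before activating.
    """
    if FULL_ARN_RE.match(subscription_key):
        return "single-cluster"
    if ACCOUNT_PREFIX_RE.match(subscription_key):
        return "account-wide"
    return "broad"
```

Run `describe_scope` on a key before `anchorectl subscription activate`; a "broad" result means the key will schedule analysis for more clusters than the two documented shapes imply.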

Reporting

If you navigate to the Reportings tab in the Anchore Enterprise UI, you will now be able to see the new “Vulnerabilities by ECS Container” report under the Templates section.

Once selected, you will be able to adjust the specific filters and criteria you want to set for your report.

After saving your template, you will be able to query the template and generate a report.

We hope this post provides you with the insights needed to get started with conducting vulnerability analysis in your ECS runtime environment.