Customizing Amazon Inspector2 Scan Notifications for Slack
Hello everyone.
How are you doing?
I am Ryo Yoshii, a developer who strongly believes that "No human labor is no human error."
I have been using ECR Enhanced Scanning.
Enhanced scanning hands every image pushed to ECR to Amazon Inspector, which checks its OS and programming-language packages against known vulnerabilities, so that vulnerable images are caught before they are run on ECS, regardless of where the tasks execute.
I will skip the details of ECR Enhanced Scanning as it is not the main topic of this entry, but in my experience during pilot operation, it seems to detect vulnerabilities quite reliably.
Scan images for OS and programming language package vulnerabilities in Amazon ECR
Operating systems and programming languages that Amazon Inspector supports
Slack Notifications for Inspector2 Scan
Checking scan results in the Management Console every time is tedious, so I decided to have a summary of each scan result posted to Slack via AWS Chatbot.
Tutorial: Get started with Slack
However, there was a problem. With the default settings I can see that a scan ran, but not what it found.
AWS Chatbot seems to format events from some services nicely, while others arrive as little more than a notice that something happened.

Customizing Notifications
Let's customize the Slack notifications to our liking.
For customization, we use EventBridge input transformers.
Custom notifications
The payload AWS Chatbot needs for a custom notification is minimal: just the fields shown below.
As the example shows, the "description" accepts Slack markdown, so with a little effort the notification can be made quite readable.
{
  "version": "1.0",
  "source": "custom",
  "content": {
    "description": ":warning: EC2 auto scaling refresh failed for ASG *OrderProcessorServiceASG*! \ncc: @SRE-Team"
  }
}
Setting up the Input Transformer
Events generated during enhanced scanning include "Inspector2 Scan" and "Inspector2 Finding".
This time I chose "Inspector2 Scan" because what I wanted was the number of findings per severity once a scan-on-push completes; "Inspector2 Finding" is emitted once per individual finding instead.
Here is an example of an "Inspector2 Scan" event.
{
  "version": "0",
  "id": "739c0d3c-4f02-85c7-5a88-94a9EXAMPLE",
  "detail-type": "Inspector2 Scan",
  "source": "aws.inspector2",
  "account": "123456789012",
  "time": "2021-12-03T18:03:16Z",
  "region": "us-east-2",
  "resources": [
    "arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample"
  ],
  "detail": {
    "scan-status": "INITIAL_SCAN_COMPLETE",
    "repository-name": "arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample",
    "finding-severity-counts": {
      "CRITICAL": 7,
      "HIGH": 61,
      "MEDIUM": 62,
      "TOTAL": 158
    },
    "image-digest": "sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77e5EXAMPLE",
    "image-tags": [
      "latest"
    ]
  }
}
I pick the fields I want out of this event and format them into something readable in Slack, using an EventBridge input transformer.
An input transformer has two parts: an input path, which maps JSON paths in the event to variable names, and an input template, into which those variables are substituted as <NAME> placeholders. The input path used here is:
{
  "ACCOUNT": "$.account",
  "COUNTS_CRITICAL": "$.detail.finding-severity-counts.CRITICAL",
  "COUNTS_HIGH": "$.detail.finding-severity-counts.HIGH",
  "COUNTS_MEDIUM": "$.detail.finding-severity-counts.MEDIUM",
  "COUNTS_TOTAL": "$.detail.finding-severity-counts.TOTAL",
  "DETAIL-TYPE": "$.detail-type",
  "REPONAME": "$.detail.repository-name",
  "TAGS": "$.detail.image-tags[0]"
}
And the input template, which must itself remain valid JSON in the Chatbot custom-notification format after substitution:
{
  "version": "1.0",
  "source": "custom",
  "content": {
    "description": ":information_source: *<DETAIL-TYPE> | <ACCOUNT>*\n*Scanned_Repo_Name:* <REPONAME>,\n*Tag:* <TAGS>,\n*CRITICAL:* <COUNTS_CRITICAL>,\n*HIGH:* <COUNTS_HIGH>,\n*MEDIUM:* <COUNTS_MEDIUM>,\n*TOTAL:* <COUNTS_TOTAL>"
  }
}
What I wanted were the detection counts for CRITICAL, HIGH, MEDIUM and TOTAL, so I assign detail.finding-severity-counts.xxx to variables named COUNTS_XXX.
I've added a Slack emoji, bold text and line breaks. Squeezed into a single "description" string like this, the template is hard for a human to read, though...
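Because the template is hard to read in one line, it is worth previewing what Chatbot will actually receive before deploying the rule. The following is an added example, not code from the original post: it re-implements in plain Python the small subset of EventBridge behaviour the rule relies on (the event pattern, the input-path lookups and the <VAR> substitution into the template) and runs it over the sample event above. The EVENT_PATTERN is an assumption, since the post does not show its rule; so is rendering a path that is absent from the event as an empty string, which should be confirmed with a test event in your own account.

```python
"""Offline preview of the EventBridge input transformer for Inspector2 Scan events.

Added example: a local approximation of EventBridge's pattern matching and
input transformation, so the Chatbot payload can be inspected before deployment.
"""
import json
import re
from typing import Any, Optional

# Rule event pattern (assumed; the post does not show its rule).
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Scan"],
}

# Input path and template as given in the post.
INPUT_PATH = {
    "ACCOUNT": "$.account",
    "COUNTS_CRITICAL": "$.detail.finding-severity-counts.CRITICAL",
    "COUNTS_HIGH": "$.detail.finding-severity-counts.HIGH",
    "COUNTS_MEDIUM": "$.detail.finding-severity-counts.MEDIUM",
    "COUNTS_TOTAL": "$.detail.finding-severity-counts.TOTAL",
    "DETAIL-TYPE": "$.detail-type",
    "REPONAME": "$.detail.repository-name",
    "TAGS": "$.detail.image-tags[0]",
}
INPUT_TEMPLATE = (
    '{"version": "1.0", "source": "custom", "content": {"description": '
    '":information_source: *<DETAIL-TYPE> | <ACCOUNT>*\\n'
    '*Scanned_Repo_Name:* <REPONAME>,\\n*Tag:* <TAGS>,\\n'
    '*CRITICAL:* <COUNTS_CRITICAL>,\\n*HIGH:* <COUNTS_HIGH>,\\n'
    '*MEDIUM:* <COUNTS_MEDIUM>,\\n*TOTAL:* <COUNTS_TOTAL>"}}'
)

# Sample "Inspector2 Scan" event, copied from the post (EXAMPLE placeholders kept).
SAMPLE_EVENT = {
    "version": "0",
    "id": "739c0d3c-4f02-85c7-5a88-94a9EXAMPLE",
    "detail-type": "Inspector2 Scan",
    "source": "aws.inspector2",
    "account": "123456789012",
    "time": "2021-12-03T18:03:16Z",
    "region": "us-east-2",
    "resources": ["arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample"],
    "detail": {
        "scan-status": "INITIAL_SCAN_COMPLETE",
        "repository-name": "arn:aws:ecr:us-east-2:123456789012:repository/amazon/amazon-ecs-sample",
        "finding-severity-counts": {"CRITICAL": 7, "HIGH": 61, "MEDIUM": 62, "TOTAL": 158},
        "image-digest": "sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77e5EXAMPLE",
        "image-tags": ["latest"],
    },
}

# One path step: either a key (may contain '-') or a list index like [0].
_STEP = re.compile(r"([^.\[\]]+)|\[(\d+)\]")


def resolve(path: str, event: dict) -> Any:
    """Resolve a '$.a.b-c[0]' style path; None if any step is missing (assumption)."""
    if not path.startswith("$"):
        raise ValueError(f"path must start with '$': {path}")
    node: Any = event
    for key, index in _STEP.findall(path[1:]):
        if isinstance(node, dict) and key:
            node = node.get(key)
        elif isinstance(node, list) and index:
            i = int(index)
            node = node[i] if i < len(node) else None
        else:
            return None
        if node is None:
            return None
    return node


def matches(event: dict, pattern: dict) -> bool:
    """Minimal EventBridge pattern check: nested dicts recurse, a leaf list means
    'value is one of these'. Exact matching only (no prefix/numeric/anything-but)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def render(event: dict) -> dict:
    """Apply INPUT_PATH, substitute into INPUT_TEMPLATE, return the parsed payload."""
    text = INPUT_TEMPLATE
    for name, path in INPUT_PATH.items():
        value = resolve(path, event)
        # Inside a quoted template string the bare value is inserted; numbers become
        # decimal text. Quotes/backslashes are escaped here so the JSON stays valid.
        rendered = "" if value is None else str(value)
        text = text.replace(f"<{name}>", json.dumps(rendered)[1:-1])
    return json.loads(text)  # raises if the template is not valid JSON after substitution


def notify(event: dict) -> Optional[dict]:
    """Payload the rule would hand to Chatbot, or None if the pattern does not match."""
    return render(event) if matches(event, EVENT_PATTERN) else None


if __name__ == "__main__":
    print(json.dumps(notify(SAMPLE_EVENT), indent=2, ensure_ascii=False))
```

Running the script prints the Chatbot payload with the description expanded onto separate lines, which is a quicker sanity check than reading the template by eye. Feeding it an event with a different detail-type (for instance "Inspector2 Finding") returns None, confirming the rule pattern filters it out; a path that does not exist in the event, such as a severity with no findings, resolves to None and is rendered as empty in this preview.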
Customized Notification
As a result, I now receive notifications like the one below, and can grasp the summary of each scan just by looking at Slack.

Discussion