Scan Container Images in AWS Fargate (ECS)

Qualys Container Security can be used to secure AWS Fargate. AWS Fargate is a serverless compute engine for containers that works with Amazon Elastic Container Service (ECS). This feature allows you to know the containers running on AWS Fargate, perform vulnerability and compliance scanning on container images launched by Amazon Fargate tasks (ECS), and view the findings to take remediation actions.

Benefits

  • Automated vulnerability scanning
    Automatically scans container images when AWS ECS Fargate tasks are launched, reducing manual effort.
  • Continuous security monitoring
    Helps you continuously identify vulnerabilities and compliance issues in container images.
  • Faster risk detection
    Detects security risks early in the deployment lifecycle before containers run in production.
  • Seamless AWS integration
    Integrates with AWS EventBridge, Lambda, CodeBuild, and Amazon ECR for automated event-driven scanning.
  • Improved cloud workload protection
    Strengthens container security across AWS cloud-native environments.

Since AWS Fargate is serverless, the solution launches a sensor whenever a new Fargate task is deployed. Qualys uses AWS CloudFormation and a Qualys Lambda function to trigger scanning automatically.

How does Qualys scan a container image in AWS Fargate?

This section explains how Qualys CS Sensor scans your image in AWS Fargate.

Pre-requisite

Make sure you have the stack formation in place before you begin.

  • Stack Formation - You need to configure a CloudFormation template with your subscription details and a Qualys Lambda function with the Qualys S3 bucket name & S3 bucket key to trigger image scanning of images pulled from Amazon Elastic Container Registry (ECR). To know more, refer to How to deploy the stack using AWS Console.

Fargate Image Scan

Qualys scans AWS ECS Fargate container images using AWS EventBridge, Lambda, and CodeBuild integrations.

When an AWS ECS Fargate task launches, the EventBridge rule created during Qualys sensor deployment captures the event and triggers the Qualys scanning Lambda function. The Lambda function determines whether the container image should be scanned and launches AWS CodeBuild to run the Qualys sensor.

The Qualys Container Security sensor pulls the container image from Amazon ECR and performs vulnerability and compliance scans. After the scan completes successfully, Qualys uploads the image metadata to the Qualys Enterprise TruRisk™ Platform, where users can view results in Qualys Enterprise TruRisk™ Platform > Container Security and API.
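The flow above (EventBridge rule fires on a Fargate task launch, the Lambda function decides which images need scanning, and CodeBuild runs the sensor) can be illustrated with the decision logic alone. The following is an added example, not Qualys's Lambda code: it assumes the rule matches `ECS Task State Change` events for `FARGATE` tasks that reached `RUNNING`, parses the container image references from the event detail, keeps only images hosted in Amazon ECR, de-duplicates them by digest, and hands each one to an injected `start_build` callable that stands in for CodeBuild's `start_build` API. The sample event, account id and image names are constructed.

```python
"""Illustrative EventBridge -> Lambda -> CodeBuild decision logic for ECS Fargate launches.

Added example; not Qualys's own Lambda implementation. The CodeBuild call is
injected as a callable so the module runs offline without boto3 or AWS access.
"""
import re
from typing import Callable, Dict, List, Optional

# Event pattern the EventBridge rule is assumed to use (exact-match lists only).
ECS_FARGATE_RULE_PATTERN = {
    "source": ["aws.ecs"],
    "detail-type": ["ECS Task State Change"],
    "detail": {"launchType": ["FARGATE"], "lastStatus": ["RUNNING"]},
}

# Private ECR reference: <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag][@sha256:...]
ECR_IMAGE_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[a-z0-9._/-]+)(?::(?P<tag>[\w.-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def matches_rule(event: dict, pattern: dict = ECS_FARGATE_RULE_PATTERN) -> bool:
    """Minimal EventBridge-style matcher: every key in the pattern must be present,
    nested dicts recurse, and a list value is a set of exact-match alternatives."""
    for key, expected in pattern.items():
        actual = event.get(key)
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_rule(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def parse_ecr_image(ref: str) -> Optional[dict]:
    """Split an ECR image reference into account/region/repo/tag/digest, or None if not ECR."""
    m = ECR_IMAGE_RE.match(ref)
    return m.groupdict() if m else None


def plan_scans(event: dict) -> List[Dict[str, str]]:
    """Return the distinct ECR images in a task event that should be handed to CodeBuild."""
    if not matches_rule(event):
        return []
    seen = set()
    plan: List[Dict[str, str]] = []
    for container in event["detail"].get("containers", []):
        ref = container.get("image", "")
        parsed = parse_ecr_image(ref)
        if parsed is None:  # non-ECR image: outside the scope of this integration
            continue
        # Prefer the digest ECS resolved at pull time so two tags of one image scan once.
        digest = container.get("imageDigest") or parsed.get("digest") or ""
        identity = digest or ref
        if identity in seen:
            continue
        seen.add(identity)
        plan.append({"repository": parsed["repo"], "image": ref,
                     "digest": digest, "region": parsed["region"]})
    return plan


def handler(event: dict, context, start_build: Callable[[dict], str]) -> List[str]:
    """Lambda entry-point shape. `start_build` is the hypothetical CodeBuild trigger
    (in a real deployment a wrapper around boto3's codebuild.start_build)."""
    return [start_build(item) for item in plan_scans(event)]


# Constructed sample event in the shape of an ECS Task State Change notification.
DIGEST = "sha256:" + "a" * 64
APP_IMAGE = "111122223333.dkr.ecr.us-east-1.amazonaws.com/payments-api:1.4.2"
SAMPLE_EVENT = {
    "source": "aws.ecs",
    "detail-type": "ECS Task State Change",
    "region": "us-east-1",
    "detail": {
        "launchType": "FARGATE",
        "lastStatus": "RUNNING",
        "clusterArn": "arn:aws:ecs:us-east-1:111122223333:cluster/example",
        "containers": [
            {"name": "app", "image": APP_IMAGE, "imageDigest": DIGEST},
            {"name": "app-canary", "image": APP_IMAGE, "imageDigest": DIGEST},
            {"name": "proxy", "image": "docker.io/library/envoy:1.29"},
        ],
    },
}

if __name__ == "__main__":
    ids = handler(SAMPLE_EVENT, None, lambda item: "build-" + item["repository"])
    print(ids)  # one build for payments-api; the duplicate and the non-ECR image are skipped
```

Two choices matter operationally: matching on `RUNNING` rather than `PENDING` means the image has already been pulled by ECS, so the digest recorded in the event is the exact artifact to scan; and de-duplicating on that digest keeps a task definition with several containers from the same image, or a re-launched task, from queueing repeated CodeBuild runs.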

Qualys supports scanning Docker images pulled from Amazon Elastic Container Registry (Amazon ECR) for x86_64 and ARM64 architectures. 

For Qualys Private Cloud Platform (PCP), we have provided guidelines for setting up the connectivity between AWS and your Private Cloud Platform. Refer to Qualys Container Security - Securing AWS Fargate on Qualys Private Cloud Platform (PCP).