Scan Container Images in AWS Fargate (ECS)

Qualys Container Security can be used to secure AWS Fargate. AWS Fargate is a serverless compute engine for containers that works with Amazon Elastic Container Service (ECS). This feature lets you discover the containers running on AWS Fargate, perform vulnerability and compliance scanning on the container images launched by Amazon Fargate tasks (ECS), and view the findings so you can take remediation action.

Because AWS Fargate is serverless, there is no host on which a resident sensor could run, so the solution launches a sensor on demand whenever a new Fargate task is deployed. AWS CloudFormation and a Qualys Lambda function are used to trigger scanning automatically. You configure a CloudFormation template with your subscription details, and a Qualys Lambda function with the Qualys S3 bucket name and S3 bucket key, to trigger scanning of images pulled from Amazon Elastic Container Registry (ECR).

How it works

Scanning is supported for x86_64 Docker images pulled from Amazon Elastic Container Registry (Amazon ECR); images from other registries or architectures are not scanned.

When an ECS Fargate task is launched, the EventBridge rule created during the Qualys deployment receives the task event and invokes the Qualys scanning Lambda function. The function inspects the event to decide whether the image needs scanning, then starts an AWS CodeBuild build that runs the Qualys sensor. The sensor pulls the image from Amazon ECR and performs the vulnerability and compliance scan. After a successful scan, the image metadata is uploaded to the Qualys Enterprise TruRisk™ Platform for evaluation, and you can view the findings in the Container Security UI and API.
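To make the decision step concrete, here is an added example (not Qualys's own Lambda code) of a handler in the shape the text describes: it checks the incoming event against an EventBridge-style pattern, extracts the ECR image references from the task's containers (skipping non-ECR images, which are unsupported, and duplicate images), and hands each target to a launcher callback that stands in for starting the CodeBuild job. The event shape follows the ECS "Task State Change" event; restricting the pattern to RUNNING Fargate tasks, the launcher, the CodeBuild project name and the environment variable name are assumptions made for the example, and the sample event is constructed.

```python
import re
from typing import Callable, Optional

# Event pattern an EventBridge rule could use to select Fargate task launches.
# Field names follow the ECS "Task State Change" event; limiting the rule to
# RUNNING/FARGATE tasks is an assumption made here, not taken from the page.
EVENT_PATTERN = {
    "source": ["aws.ecs"],
    "detail-type": ["ECS Task State Change"],
    "detail": {"launchType": ["FARGATE"], "lastStatus": ["RUNNING"]},
}

# Private ECR references: <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag][@digest]
ECR_HOST_RE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")


def matches_pattern(event: dict, pattern: dict = EVENT_PATTERN) -> bool:
    """Subset of EventBridge matching: a list means 'value is one of', a dict nests."""
    for key, expected in pattern.items():
        actual = event.get(key)
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def scan_targets(detail: dict) -> list:
    """One scan target per distinct ECR image in the task.

    Prefers repo@digest so the sensor pulls exactly the bytes that ran, even if
    the tag is moved later. Non-ECR images are skipped: only ECR is supported."""
    targets, seen = [], set()
    for container in detail.get("containers", []):
        image = container.get("image", "")
        if not ECR_HOST_RE.match(image):
            continue
        digest = container.get("imageDigest")
        if digest is None and "@" in image:          # digest pinned in the task definition
            image_no_digest, _, digest = image.partition("@")
        else:
            image_no_digest = image.split("@", 1)[0]
        host, _, path = image_no_digest.partition("/")
        repo = host + "/" + path.split(":", 1)[0]    # drop the tag, keep registry/repo
        target = f"{repo}@{digest}" if digest else image
        if target not in seen:
            seen.add(target)
            targets.append(target)
    return targets


def fake_launch(target: str, task: dict) -> str:
    """Stand-in for starting the CodeBuild job (assumed shape, hypothetical names).
    A real launcher would call something like
        boto3.client("codebuild").start_build(
            projectName="<your-scan-project>",
            environmentVariablesOverride=[{"name": "IMAGE", "value": target,
                                           "type": "PLAINTEXT"}])
    and return the build id; here we just return a fake one."""
    return f"build:{target}:{task.get('taskArn', '')[-8:]}"


def handler(event: dict, context=None,
            launch: Optional[Callable[[str, dict], str]] = None) -> dict:
    """Lambda entry point: decide whether to scan, then launch one build per target."""
    if not matches_pattern(event):
        return {"action": "ignored", "targets": [], "builds": []}
    detail = event["detail"]
    targets = scan_targets(detail)
    launch = launch or fake_launch
    task = {"taskArn": detail.get("taskArn"), "clusterArn": detail.get("clusterArn")}
    builds = [launch(t, task) for t in targets]
    return {"action": "scan" if targets else "ignored", "targets": targets, "builds": builds}


# Constructed sample event in the shape of an ECS Task State Change event.
SAMPLE_EVENT = {
    "source": "aws.ecs",
    "detail-type": "ECS Task State Change",
    "region": "us-east-1",
    "detail": {
        "clusterArn": "arn:aws:ecs:us-east-1:123456789012:cluster/demo",
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/demo/0123456789abcdef0123456789abcdef",
        "launchType": "FARGATE",
        "lastStatus": "RUNNING",
        "desiredStatus": "RUNNING",
        "containers": [
            {"name": "web", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.4",
             "imageDigest": "sha256:" + "a" * 64},
            {"name": "worker", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.4",
             "imageDigest": "sha256:" + "a" * 64},          # same image, scanned once
            {"name": "proxy", "image": "docker.io/library/nginx:1.25"},  # not ECR, skipped
        ],
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The handler returns what it decided rather than only logging it, which makes the rule-plus-function path easy to unit test before wiring it to a real CodeBuild project; a stopped task or an EC2-launched task is ignored, and two containers running the same image produce a single build.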

For Qualys Private Cloud Platform (PCP), separate guidelines cover setting up the connectivity between AWS and your Private Cloud Platform. Refer to Qualys Container Security - Securing AWS Fargate on Qualys Private Cloud Platform (PCP).