Automated container vulnerability scanning using Amazon ECR, Inspector v2, and serverless event processing.

Features:

- Automated Scanning: Scan-on-push with ECR + Inspector v2 integration
- Event-Driven Processing: Lambda functions process findings in real-time
- Policy Enforcement: Configurable severity thresholds and blocking rules
- Real-time Alerts: Multi-channel notifications (SNS, Slack) for critical vulnerabilities
- CloudWatch Monitoring: Dashboards and alarms for security posture tracking
- Infrastructure as Code: Complete Terraform modules for reproducible deployments
Architecture:

```text
Container Image → ECR Repository → Inspector v2 Scan
                                          ↓
                                  EventBridge Rules
                                          ↓
                 ┌────────────────────────┼────────────────────────┐
                 ↓                        ↓                        ↓
         Lambda Processing         DynamoDB Storage       SNS Alerts (Email/Slack)
                 ↓
        CloudWatch Monitoring
```

Components:
- ECR: Container registry with scan-on-push
- Inspector v2: Continuous vulnerability scanning
- EventBridge: Event routing for scan results
- Lambda: Process findings, enforce policies, aggregate data
- DynamoDB: Store scan results and vulnerability inventory
- SNS: Multi-channel alerting (email, Slack)
- CloudWatch: Dashboards and alarms
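The Lambda step in the diagram above receives Inspector v2 findings from EventBridge, applies the severity threshold and blocking rule from `terraform.tfvars`, and hands the result to DynamoDB and SNS. The following is an added illustration of that decision logic written for this README; it is not the project's `policy-enforcer` function. The sample event is constructed, and the exact field names under `detail` (`severity`, `packageVulnerabilityDetails.vulnerabilityId`, `resources[0].details.awsEcrContainerImage`) are assumed to follow the Inspector2 Finding event shape, so check them against a real event before relying on them.

```python
"""Policy evaluation for an Inspector v2 finding delivered via EventBridge.

Illustrative code written for this README, not the project's own Lambda.
The event layout is a constructed sample; field names are assumptions.
"""
import json

# Inspector v2 severity labels in ascending order of concern.
SEVERITY_ORDER = ["UNTRIAGED", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Mirrors the terraform.tfvars settings in this README. A real deployment would
# pass these to the Lambda as environment variables (assumed, not verified).
DEFAULT_POLICY = {
    "vulnerability_severity_threshold": "HIGH",
    "block_on_critical": True,
}


def severity_rank(severity: str) -> int:
    """Rank a severity label; unknown labels rank lowest so they never block."""
    try:
        return SEVERITY_ORDER.index(severity.upper())
    except ValueError:
        return 0


def parse_finding(event: dict) -> dict:
    """Extract the fields the policy needs from an Inspector2 Finding event."""
    if event.get("source") != "aws.inspector2" or event.get("detail-type") != "Inspector2 Finding":
        raise ValueError("not an Inspector2 Finding event")
    detail = event["detail"]
    image = detail["resources"][0]["details"]["awsEcrContainerImage"]
    return {
        "finding_arn": detail.get("findingArn"),
        "severity": detail.get("severity", "UNTRIAGED"),
        "vulnerability_id": detail.get("packageVulnerabilityDetails", {}).get("vulnerabilityId"),
        "repository": image.get("repositoryName"),
        "image_tags": image.get("imageTags", []),
        "image_digest": image.get("imageHash"),
    }


def evaluate_policy(finding: dict, policy: dict = DEFAULT_POLICY) -> dict:
    """Decide whether a finding alerts (>= threshold) and whether it blocks (CRITICAL)."""
    rank = severity_rank(finding["severity"])
    threshold = severity_rank(policy["vulnerability_severity_threshold"])
    alert = rank >= threshold
    block = bool(policy["block_on_critical"]) and finding["severity"].upper() == "CRITICAL"
    return {"alert": alert, "block": block, **finding}


def handler(event: dict, context=None) -> dict:
    """Lambda-style entry point: parse, evaluate, and return the decision."""
    decision = evaluate_policy(parse_finding(event))
    # In the real pipeline the decision would be written to DynamoDB and, when
    # `alert` is true, published to SNS; here it is only logged and returned.
    print(json.dumps(decision))
    return decision


# Constructed sample event (not captured from a real account); IDs are placeholders.
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/EXAMPLE",
        "severity": "CRITICAL",
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00000"},  # placeholder
        "resources": [{
            "type": "AWS_ECR_CONTAINER_IMAGE",
            "details": {"awsEcrContainerImage": {
                "repositoryName": "sample-app",
                "imageTags": ["latest"],
                "imageHash": "sha256:PLACEHOLDER",
            }},
        }],
    },
}

if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```

Running the module prints the decision for the constructed CRITICAL finding (`alert` and `block` both true). Lowering `vulnerability_severity_threshold` to `LOW` widens what alerts without changing what blocks, which is the separation the two tfvars settings are meant to give you.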
Project structure:

```text
container-scanning/
├── terraform/
│   ├── modules/              # ECR, Inspector, EventBridge, Lambda, DynamoDB, SNS, Monitoring
│   ├── environments/dev/     # Environment-specific configuration
│   └── main.tf
├── src/lambda-functions/     # scan-processor, vulnerability-aggregator, policy-enforcer, slack-notifier
├── sample-apps/              # Demo vulnerable application
├── scripts/                  # build-lambdas.sh, deploy.sh, package-lambdas.py
└── tests/unit/               # Lambda function tests
```

Prerequisites:
- AWS Account with Administrator access
- Terraform >= 1.5.0
- AWS CLI v2 configured
- Docker and Python 3.11+
Quick start:

1. Configure:

   ```bash
   cd terraform/environments/dev
   cp terraform.tfvars.example terraform.tfvars
   # Edit terraform.tfvars with your email
   ```

2. Deploy:

   ```bash
   cd scripts && ./deploy.sh
   ```

3. Test:

   ```bash
   cd sample-apps/vulnerable-app && ./build-and-push.sh
   # Wait 2-5 minutes, then check results
   aws ecr describe-image-scan-findings --repository-name sample-app --image-id imageTag=latest --region us-east-1
   ```

Configuration:

Edit terraform/environments/dev/terraform.tfvars:

```hcl
vulnerability_severity_threshold = "HIGH"
block_on_critical                = true
alert_email                      = "security-team@company.com"
slack_webhook_url                = ""  # Optional
```

Monitoring:

CloudWatch Dashboard: container-scanning-security-dev
- Active vulnerabilities by severity
- Scan success/failure rates
- Lambda performance metrics
Pre-configured Alarms:
- CRITICAL vulnerabilities detected
- Lambda errors and duration thresholds
Security features:

- KMS encryption (ECR images, SNS topics)
- IAM least privilege roles
- Optional VPC endpoints
- Complete CloudWatch logging
- DynamoDB audit trail
Estimated monthly cost (~50 images):
| Service | Cost |
|---|---|
| Inspector v2 | $4.50 |
| ECR Storage | $2 |
| Lambda/DynamoDB/CloudWatch | $5 |
| Total | ~$12/month |
Run tests:

```bash
cd tests/unit && python -m pytest test_scan_processor.py -v
```

Destroy resources:

```bash
cd terraform/environments/dev && terraform destroy
```

License: MIT License - see LICENSE file for details.

Contributing: Contributions are welcome! Please feel free to submit a Pull Request.

Production-ready container security infrastructure for modern DevOps teams.