(bootstrap): remove Security Hub finding ECR.3 #24723

tenjaa · 2023-03-21T16:02:20Z

Describe the feature

Similar to #24175 I would like to see a lifecycle rule that does not do much but at least per default resolves the finding.

I know that there is an RFC for garbage collection in the works.

Use Case

After enabling AWS Foundational Security Best Practices v1.0.0 in the security hub,
I am always frustrated when I see failed checks.

Proposed Solution

Similar to #24175 just a a LifecyclePolicy to the repository:

      LifecyclePolicy:
        LifecyclePolicyText: |
          {
            "rules": [
              {
                "rulePriority": 1,
                "description": "no-op",
                "selection": {
                  "tagStatus": "untagged",
                  "countType": "sinceImagePushed",
                  "countUnit": "days",
                  "countNumber": 365
                },
                "action": { "type": "expire" }
              }
            ]
          }

Other Information

No response

Acknowledgements

I may be able to implement this feature request
This feature might incur a breaking change

CDK version used

latest

Environment details (OS name and version, etc.)

pahud · 2023-03-21T17:02:19Z

Thank you for the details and we are looking forward to your pull request.

tenjaa · 2023-03-22T07:41:52Z

Thanks for the quick feedback. I added the pull request @pahud

…because of missing lifecycle policy (#24735) After enabling AWS Foundational Security Best Practices v1.0.0 in the security hub, I am always frustrated when I see failed checks. Similar to #24175 I would like to see a lifecycle rule that does not do much but at least per default resolves the finding. I know that there is an RFC for garbage collection in the works but this is a simple immediate fix. _This is heavily inspired by https://github.com/aws/aws-cdk/pull/24175_ Closes #24723. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

github-actions · 2023-03-28T21:26:54Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

…because of missing lifecycle policy (aws#24735) After enabling AWS Foundational Security Best Practices v1.0.0 in the security hub, I am always frustrated when I see failed checks. Similar to aws#24175 I would like to see a lifecycle rule that does not do much but at least per default resolves the finding. I know that there is an RFC for garbage collection in the works but this is a simple immediate fix. _This is heavily inspired by https://github.com/aws/aws-cdk/pull/24175_ Closes aws#24723. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

tenjaa added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Mar 21, 2023

github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Mar 21, 2023

pahud added effort/small Small work item – less than a day of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Mar 21, 2023

tenjaa mentioned this issue Mar 21, 2023

fix(bootstrap): ECR repository produces Security Hub finding [ECR.3] because of missing lifecycle policy #24735

Merged

mergify bot closed this as completed in #24735 Mar 28, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(bootstrap): remove Security Hub finding ECR.3 #24723

(bootstrap): remove Security Hub finding ECR.3 #24723

tenjaa commented Mar 21, 2023

pahud commented Mar 21, 2023

tenjaa commented Mar 22, 2023

github-actions bot commented Mar 28, 2023