
We are using AWS Inspector to scan for vulnerabilities in our AWS ECR repositories. When there is a new image in a certain repository, we would like to suppress findings from past/superseded images and keep active only the findings from the latest image of each repository, so we see only the issues that are actually not fixed yet.

I can't just filter by age, because for certain repositories it might happen that we don't generate a new image for some time.

I'm trying to create suppression rules in AWS Inspector, but I can't find the proper filter to achieve the desired effect. If I try to suppress all images that don't have the `latest` image tag, it suppresses all images, including the one with the `latest` tag.

How can I suppress findings from old ECR images?

  • A suppression rule that filters image tags not equal `latest` should work. If you look at the "Findings suppressed by this rule" table, do you see the "Impacted resource" with the SHA of the image tagged with latest? – Dor Serero Feb 27 '23 at 16:03
  • I thought the same. But it doesn't. Say that I have an issue A on a previous image and the same issue on the latest image (same repo). And I have the rule to suppress everything but latest. It will suppress issue A, including on the latest version, I guess because a previous image has the issue. – Diogo Melo Feb 27 '23 at 16:06
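One way to get the effect the question asks for without relying on the `latest` tag is to work from image digests instead: take the newest image per repository from ECR by push time, keep the findings whose resource carries that digest, and build one Inspector suppression filter per repository ("repository == X AND image hash != newest digest of X"). The script below is an added example written for this page, not code from the question or from AWS. It runs offline on constructed dicts shaped like `ecr:DescribeImages` and `inspector2:ListFindings` responses; the boto3 calls that would replace the two `SAMPLE_*` constants, and the filter semantics it assumes (values within one criterion are ORed, separate criteria are ANDed), are assumptions to verify against the Inspector documentation for your account.

```python
"""Keep only Inspector findings for the newest image in each ECR repository.

Added example (not part of the original question). The data below is
constructed inline so the script runs offline; in a real account the two
SAMPLE_* constants would come from boto3 (ecr.describe_images and
inspector2.list_findings), which is assumed and not shown here.
"""
from datetime import datetime, timezone

# Constructed sample: what ecr:DescribeImages returns for two repositories.
# Note that "worker" has only one old image; by age alone it would vanish.
SAMPLE_IMAGE_DETAILS = [
    {"repositoryName": "api", "imageDigest": "sha256:aaa1", "imageTags": ["v1"],
     "imagePushedAt": datetime(2023, 1, 10, tzinfo=timezone.utc)},
    {"repositoryName": "api", "imageDigest": "sha256:aaa2", "imageTags": ["v2", "latest"],
     "imagePushedAt": datetime(2023, 2, 20, tzinfo=timezone.utc)},
    {"repositoryName": "worker", "imageDigest": "sha256:bbb1", "imageTags": ["latest"],
     "imagePushedAt": datetime(2022, 11, 5, tzinfo=timezone.utc)},
]


def _finding(finding_arn, cve, repo, digest):
    """Build a trimmed finding in the shape inspector2:ListFindings returns (constructed)."""
    return {
        "findingArn": finding_arn,
        "title": cve,
        "status": "ACTIVE",
        "resources": [{
            "type": "AWS_ECR_CONTAINER_IMAGE",
            "id": f"arn:aws:ecr:eu-west-1:123456789012:repository/{repo}/{digest}",
            "details": {"awsEcrContainerImage": {"repositoryName": repo, "imageHash": digest}},
        }],
    }


# Constructed sample findings. f-2 and f-3 are the "issue A" case from the
# comments: the same CVE in a superseded image and in the newest image.
SAMPLE_FINDINGS = [
    _finding("f-1", "CVE-2023-0001", "api", "sha256:aaa1"),     # superseded image only
    _finding("f-2", "CVE-2023-0002", "api", "sha256:aaa1"),     # also present in newest image
    _finding("f-3", "CVE-2023-0002", "api", "sha256:aaa2"),     # must stay visible
    _finding("f-4", "CVE-2022-9999", "worker", "sha256:bbb1"),  # only image in its repo
]


def latest_digest_per_repo(image_details):
    """Newest image digest per repository by push time, ignoring tags entirely.

    Tags are not used because a repository may push untagged or differently
    tagged images, and an old image can keep a stale 'latest' tag.
    """
    newest = {}
    for img in image_details:
        repo = img["repositoryName"]
        if repo not in newest or img["imagePushedAt"] > newest[repo]["imagePushedAt"]:
            newest[repo] = img
    return {repo: img["imageDigest"] for repo, img in newest.items()}


def _image_of(finding):
    """Return (repositoryName, imageHash) of the ECR image a finding belongs to."""
    for res in finding.get("resources", []):
        ecr = res.get("details", {}).get("awsEcrContainerImage")
        if ecr:
            return ecr["repositoryName"], ecr["imageHash"]
    return None, None


def split_findings(findings, latest):
    """Partition findings into (still relevant, superseded) by exact image digest.

    Matching on digest rather than on CVE title is what keeps f-3 visible even
    though the same CVE also exists in a superseded image.
    """
    keep, superseded = [], []
    for f in findings:
        repo, digest = _image_of(f)
        (keep if latest.get(repo) == digest else superseded).append(f)
    return keep, superseded


def suppression_filters(latest, name_prefix="suppress-superseded-"):
    """Per-repository filterCriteria for inspector2:CreateFilter with action SUPPRESS.

    Assumed semantics: criteria inside one filter are ANDed, values inside one
    criterion are ORed. So "repo == X AND hash != newest(X)" only hits the
    superseded images of X. Putting all digests into a single NOT_EQUALS list
    would instead match every image, since any hash differs from at least one
    of the listed digests.
    """
    return {
        f"{name_prefix}{repo}": {
            "ecrImageRepositoryName": [{"comparison": "EQUALS", "value": repo}],
            "ecrImageHash": [{"comparison": "NOT_EQUALS", "value": digest}],
        }
        for repo, digest in latest.items()
    }


if __name__ == "__main__":
    latest = latest_digest_per_repo(SAMPLE_IMAGE_DETAILS)
    keep, superseded = split_findings(SAMPLE_FINDINGS, latest)
    print("still open:", [(f["title"], _image_of(f)) for f in keep])
    print("superseded:", [f["findingArn"] for f in superseded])
    for name, criteria in suppression_filters(latest).items():
        print(name, criteria)
```

The filters have to be recreated (or updated with `inspector2:UpdateFilter`) every time a repository receives a new image, for example from the same pipeline step that pushes it, otherwise the newest image's findings start being suppressed as soon as it is no longer the digest named in the filter.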
