How to filter aws security hub findings from ECR repository name using boto3

Question

Im writing a lambda function get AWS security hub findings and export it to another platform to analyze it. im using following code with boto3 to get the findings

securityhub_client = boto3.client('securityhub')
securityhub_client.get_findings()

it will return all the findings and its a very large json. i only want to get findings related to few ECR repositories and i tried to construct a filter object to get results im looking for. but im not exactly sure how to construct this filter object! can someone help with this issue

filter_expression = {
        "ResourceType": [
            {
                "Comparison": "EQUALS",
                "Value": "AwsEcrContainerImage"          
            }
        ],
            "ResourceContainerImageName": [ 
            { 
                "Comparison": "EQUALS",
                "Value": "nginx"
            }
        ]
        }
response = securityhub_client.get_findings(Filters=filter_expression)

above is a sample filter object i tried. i also tried replacing ResourceContainerImageName with ResourceContainerImageId and ResourceContainerName according to documentation but still no luck

Did you have that format/indent on your filter when you ran it? I doesn't look good. — Erik Asplund, May 26 '23 at 12:35
@ErikAsplund sorry for the confusion! i just updated the question. i have used the filter object in the call. ResourceType filter is working but the ResourceContainerImageName is not — Shadow, May 27 '23 at 10:31

How to filter aws security hub findings from ECR repository name using boto3

0 Answers0