
Integrate Amazon ECR

Secure your containerized applications by monitoring Amazon Elastic Container Registry for exposed secrets in container images and Docker configurations.

Why Monitor Amazon ECR?

Amazon ECR serves as the gateway between your development pipeline and AWS production environments. Container images in ECR often contain AWS credentials, RDS connection strings, and service account keys that, when exposed, can grant attackers complete access to your cloud infrastructure, databases, and sensitive customer data across multiple AWS services.

Capabilities

Feature              | Support          | Details
Historical Scanning  | ✅ Supported     | Analyze existing images and their layers
Incremental Scanning | ✅ Supported     | Regular scheduled scanning for new content
Monitored Perimeter  | ✅ Supported     | Granular monitoring of your repos
Team Perimeter       | ⏳ Coming Soon   | Users must be in the "All-incidents" team to access incidents
Presence Check       | ❌ Not Supported | All occurrences considered present
Source Visibility    | ❌ Not Supported | All sources are considered as private
File Attachments     | N/A              | Not applicable for container registries

What we scan:

  • All container image layers
  • Dockerfiles and build configurations
  • Environment variables in image metadata

Info: This integration automatically scans your monitored repositories by downloading their Docker images, which may incur bandwidth costs. To control costs and reduce false positives, select the sources you monitor carefully and use the filepath exclusion feature.

Info: Plan requirements: Available for GitGuardian Business and Enterprise plans. Try it for free with a 30-day trial; any detected incidents remain accessible after the trial ends.
Detector coverage: To minimize false positives, the Generic High Entropy Secret and Generic Password detectors are disabled. All other detectors are enabled.

Set up your Amazon ECR integration

Prerequisites:

  • Owner or Manager account on your GitGuardian Dashboard
  • AWS IAM permissions to create roles and policies in your AWS account

GitGuardian integrates with Amazon ECR through an IAM role in your AWS account that grants read-only access to your repositories.

You can install GitGuardian on multiple Amazon ECR instances to monitor your repositories. To set up the integration, you create an IAM role in your AWS account and configure its trust policy with the AWS External ID that GitGuardian generates for your workspace (SaaS), or with the OpenID Connect provider of your GitGuardian instance (On-Prem).

Connect GitGuardian with your Amazon ECR account

  1. In the GitGuardian platform, navigate to the Sources integration page
  2. Click Install next to Amazon ECR in the Container registries section
  3. Click Install on the Amazon ECR integration page
  4. Retrieve the Role name. By default, it is GitGuardianECRScanning, but you can customize it. This role allows GitGuardian to scan your ECR repositories.
  5. For SaaS users only: Retrieve the AWS External ID, unique to your workspace. You will need it when defining the trust policy for the IAM role. Keep this ID confidential: it is what ties the role to your workspace.
  6. Click Connect with Amazon ECR to link GitGuardian with your Amazon ECR account.
  7. Create a new IAM role in the AWS IAM Console for GitGuardian.

For SaaS users:

  8. Select AWS account for the trusted entity type, and choose Another AWS account.
  9. Enter GitGuardian's Account ID: 762233768605
  10. Select Require external ID, enter your AWS External ID (step 5), and leave Require MFA disabled. The external ID condition is what prevents a third party who merely knows GitGuardian's account ID from having GitGuardian assume your role on their behalf (the confused deputy problem). For details, see how to use an external ID when granting access to your AWS resources to a third party in the AWS documentation.
  11. Click Next.
  12. Attach the AmazonEC2ContainerRegistryReadOnly managed policy to grant the read-only access needed for resource collection.
  13. Click Next.
  14. Name the role using the Role name (step 4) defined earlier (GitGuardianECRScanning by default), and provide a description.
  15. Click Create Role.

For On-Prem users:

  8. Select Web Identity for the trusted entity type, and click Create New.
  9. Select OpenID Connect.
  10. Use https://the-url-of-your-gitguardian.com/exposed as the Provider URL, and sts.amazonaws.com as the Audience.
  11. Click Add provider and use it for the Role.
  12. Still within the Web identity section, click Add condition, and use:
    • Key: the-url-of-your-gitguardian.com/exposed:sub (the sub claim of the JWT)
    • Condition: StringEquals
    • Value: gitguardian-account-id:YOUR_GITGUARDIAN_ACCOUNT_ID
  13. Attach the AmazonEC2ContainerRegistryReadOnly managed policy to grant the read-only access needed for resource collection.
  14. Click Next.
  15. Name the role using the Role name (step 4) defined earlier (GitGuardianECRScanning by default), and provide a description.
  16. Click Create Role.

Here is the resulting trust policy for On-Prem users:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Principal": {
        "Federated": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:oidc-provider/the-url-of-your-gitguardian.com/exposed"
      },
      "Condition": {
        "StringEquals": {
          "the-url-of-your-gitguardian.com/exposed:sub": "gitguardian-account-id:YOUR_GITGUARDIAN_ACCOUNT_ID",
          "the-url-of-your-gitguardian.com/exposed:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
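The console steps above can also be scripted. The following POSIX shell script is an added example, not GitGuardian's own tooling: it builds both trust policies (SaaS, gated on the per-workspace External ID; On-Prem, gated on the OpenID Connect sub and aud claims exactly as in the policy above) and creates the role with the AWS CLI. It assumes the AWS CLI is installed and authenticated with permission to create roles and attach policies, that for the On-Prem variant the OIDC provider already exists (console steps 9 to 11), and that you replace the placeholder account IDs, host and External ID. The GitGuardian account ID 762233768605 and the AmazonEC2ContainerRegistryReadOnly managed policy are the ones named on this page; the environment variable names (GG_MODE, GG_APPLY, GG_EXTERNAL_ID, GG_HOST, GG_ACCOUNT_ID, AWS_ACCOUNT_ID) are the script's own.

```shell
#!/bin/sh
# Added example (not GitGuardian tooling): build the trust policy for the
# GitGuardian scanning role and create the role with the AWS CLI.
# Assumes: AWS CLI installed and authenticated with iam:CreateRole and
# iam:AttachRolePolicy; for the On-Prem variant, the OIDC provider already
# exists (console steps 9-11). All *_ID and host values are placeholders.

GG_SAAS_ACCOUNT_ID="762233768605"      # GitGuardian's AWS account (step 9 above)
ROLE_NAME="${ROLE_NAME:-GitGuardianECRScanning}"
READONLY_POLICY_ARN="arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"

# saas_trust_policy EXTERNAL_ID
# Cross-account trust: GitGuardian's account may assume the role only when it
# presents your workspace's External ID. Without the condition, any caller able
# to make GitGuardian assume a role could target yours (confused deputy).
saas_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": { "AWS": "arn:aws:iam::${GG_SAAS_ACCOUNT_ID}:root" },
      "Condition": { "StringEquals": { "sts:ExternalId": "$1" } }
    }
  ]
}
EOF
}

# onprem_trust_policy AWS_ACCOUNT_ID GG_HOST GG_ACCOUNT_ID
# Web identity trust: tokens issued by your GitGuardian instance's /exposed
# OIDC endpoint, pinned to both the sub and the aud claim.
onprem_trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Principal": { "Federated": "arn:aws:iam::$1:oidc-provider/$2/exposed" },
      "Condition": {
        "StringEquals": {
          "$2/exposed:sub": "gitguardian-account-id:$3",
          "$2/exposed:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# create_role TRUST_POLICY_JSON: create the role and attach the read-only
# managed policy (console steps 12-15 for SaaS, 13-16 for On-Prem).
create_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$1" \
    --description "Read-only ECR access for GitGuardian secrets scanning" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$READONLY_POLICY_ARN"
}

# verify_role: read back what IAM stored so the trust conditions and the
# attached policy can be compared with the policy you generated.
verify_role() {
  aws iam get-role --role-name "$ROLE_NAME" \
    --query 'Role.AssumeRolePolicyDocument' --output json
  aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
    --query 'AttachedPolicies[].PolicyArn' --output text
}

# Dry run by default (prints the policy). Set GG_APPLY=1 to create the role;
# GG_MODE=onprem selects the Web Identity variant.
case "${GG_MODE:-saas}" in
  onprem) policy="$(onprem_trust_policy "${AWS_ACCOUNT_ID:-111122223333}" \
            "${GG_HOST:-the-url-of-your-gitguardian.com}" "${GG_ACCOUNT_ID:-1}")" ;;
  *)      policy="$(saas_trust_policy "${GG_EXTERNAL_ID:-REPLACE_WITH_YOUR_EXTERNAL_ID}")" ;;
esac

if [ "${GG_APPLY:-0}" = "1" ]; then
  create_role "$policy" && verify_role
else
  printf '%s\n' "$policy"
fi
```

Run it once without GG_APPLY to review the generated policy, then with GG_APPLY=1 to create the role. Check verify_role's output before registering the account in GitGuardian: the SaaS policy must carry the sts:ExternalId condition and the On-Prem policy both the sub and the aud condition, and the only attached policy should be AmazonEC2ContainerRegistryReadOnly.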

Register your Amazon ECR account information

  1. Retrieve your Region

  2. Copy your Account ID

  3. Return to the GitGuardian platform to register your Amazon ECR account information

  4. Enter your Region name (e.g. us-west-2)

  5. Paste your Account ID

  6. Click Install Amazon ECR integration

  7. Customize your monitored perimeter:

    • Monitor specific Amazon ECR repositories (Recommended)
      • No repositories are monitored by default; you select them manually.
      • Newly created repositories will not be monitored by default. You can adjust this setting at any time.
      • Recommended to optimize your bandwidth costs.
    • Monitor the entire Amazon ECR instance
      • All repositories are monitored by default, with a full historical scan triggered automatically.
      • Newly created repositories will be monitored by default. You can adjust this setting at any time.

That's it! Your Amazon ECR instance is now installed, and GitGuardian is monitoring all Docker images of your selected repositories for secrets.

Customize your monitored perimeter

To customize the monitored repositories, navigate to your Amazon ECR settings.

  1. Select/Unselect repositories to include or exclude them from monitoring
  2. Confirm by clicking Update monitored perimeter

Automatic repository monitoring

You can enable or disable the automatic addition of newly created repositories to your monitored perimeter by switching the option in your Amazon ECR settings.

Uninstall your Amazon ECR instance

To uninstall an Amazon ECR instance:

  1. In the GitGuardian platform, navigate to the Sources integration page
  2. Click Edit next to Amazon ECR in the Container registries section
  3. Click the bin icon next to the Amazon ECR instance to uninstall
  4. Confirm by clicking Yes, uninstall in the confirmation modal

That's it! Your Amazon ECR instance is now uninstalled.

Excluded paths

GitGuardian automatically excludes files from scanning if their paths match any of these regular expressions (mostly vendored dependencies, test fixtures and documentation examples that ship known dummy credentials):

/__pypackages__/
/\.venv/
/\.tox/
/site-packages/
/venv/
distutils/command/register.py
python.*/awscli/examples/
python.*/dulwich/(tests|contrib/test_)
python.*/hgext/bugzilla.py
python.*/mercurial/util.py
python.*/test/certdata/
python.*/urllib/request\.py
python.*/pygments/lexers/
/cryptography.+/tests/.+(fixtures|test)_.+.py
/python.+pygpgme.+/tests/
botocore/data/.+/(examples|service)-.+.json
usr(/local)?/lib/python.+/dist-packages
/libevent.+/info/test/test/
/conda-.+-py.+/info/test/tests.+/test_.+\.py
/python[^/]+/test/
/man/man5/kdc\.conf\.5
erlang.*(inets|ssl).*/examples/
/gems/.*httpclient.*/(test|sample)/
/gems/.*faraday.*/
/vendor/bundle/
/\.gem/
/(g|G)o/src/cmd/go/internal/.*_test.go
/(g|G)o/src/cmd/go/internal/.*/testdata/
/(g|G)o/src/cmd/go/testdata/
/(g|G)o/src/crypto/x509/platform_root_key.pem
/(G|g)o/src/crypto/tls/.*_test.go
/(g|G)o/src/net/(url|http)/.*_test.go
src/github.com/DataDog/datadog-agent/.*test.*.go
google/internal/.*_test.go
golang.org.*oauth2@.*/.*.go
/flutter/.*/packages/flutter_tools/test/data/
/flutter/.*/examples/image_list/lib
/\.pub-cache
etc/ssl/private/ssl-cert-snakeoil\.key
perl.*Cwd.pm
ansible/.*/tests/(integration|unit)/
ansible/.*/test/awx
ansible/collections/ansible_collections/.*/plugins/
/curl/.*/(tests|docs|lib/url.c)
/doc/wget.+/NEWS
dist/awscli/examples/
usr(/local)?/lib/aws-cli/examples/
/google-cloud-sdk/(lib|platform)/
\.git/modules/third[-_]?party/
\.git/modules/external/
/\.npm/_cacache
/node_modules/
/\.parcel-cache/
/\.yarn/cache/
/\.m2/
/\.ivy2/cache/
/\.mix/
/\.hex/
/composer/cache/
/\.nuget/packages/
/libgpg-error/errorref\.txt
/Homebrew/Library/Taps/
/tcl[^/]+/http-.+.tm
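To check whether a given path inside an image layer would be skipped by these defaults, the following POSIX shell functions, added here as an example and not part of GitGuardian's tooling, evaluate a path against the patterns with grep -E (the list above is in extended regular expression syntax). GG_EXCLUDED_PATTERNS holds a representative subset of the patterns copied verbatim from the list; paste the full list into it to reproduce the complete default behaviour. The sample paths at the end are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not GitGuardian code): test whether a file path from a container
# image would be skipped by the default path exclusions listed on this page.
# GG_EXCLUDED_PATTERNS holds a representative subset of those patterns, copied
# verbatim; they are extended regular expressions, so grep -E evaluates them.

GG_EXCLUDED_PATTERNS='
/site-packages/
/venv/
/\.venv/
python.*/awscli/examples/
usr(/local)?/lib/python.+/dist-packages
/(G|g)o/src/crypto/tls/.*_test.go
/gems/.*faraday.*/
ansible/.*/tests/(integration|unit)/
etc/ssl/private/ssl-cert-snakeoil\.key
\.git/modules/third[-_]?party/
/\.npm/_cacache
/node_modules/
'

# matching_pattern PATH: print the first default pattern that matches PATH and
# return 0; print nothing and return 1 if the path would be scanned.
# The here-document keeps the loop in the current shell, so "return" works.
matching_pattern() {
  path="$1"
  while IFS= read -r pat; do
    [ -n "$pat" ] || continue                 # skip the blank lines around the list
    if printf '%s\n' "$path" | grep -Eq -- "$pat"; then
      printf '%s\n' "$pat"
      return 0
    fi
  done <<EOF
$GG_EXCLUDED_PATTERNS
EOF
  return 1
}

# is_excluded PATH: exit status only, for use in conditionals.
is_excluded() {
  matching_pattern "$1" >/dev/null
}

# Constructed sample paths: vendored fixtures that would otherwise cause false
# positives, next to application paths that must stay in scope.
for sample in \
  /usr/local/lib/python3.11/site-packages/botocore/data/s3/examples-1.json \
  /usr/lib/python3/dist-packages/keyring/backend.py \
  /app/node_modules/aws-sdk/lib/credentials.js \
  /etc/ssl/private/ssl-cert-snakeoil.key \
  /app/config/production.env \
  /home/app/.aws/credentials
do
  if pat="$(matching_pattern "$sample")"; then
    echo "skipped  $sample  (matches: $pat)"
  else
    echo "scanned  $sample"
  fi
done
```

The last two sample paths are the important ones: an application .env file or a baked-in ~/.aws/credentials matches none of the defaults and is scanned, while the same AWS-looking strings under site-packages or node_modules are skipped. If you rely on a custom layout (for example a vendored tree outside the listed directories), check it with this function before assuming it is covered either way.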

Additional Self-Hosted considerations

For GitGuardian Self-Hosted instances, scan frequency can be configured in the Admin Area:

  • Time interval unit: seconds
  • Default value: 86400 (1 day)
  • Minimum value: 1800 (30 minutes)

Privacy

Country-specific laws and regulations may require you to inform your users that your repositories are being scanned for secrets. Here is a suggestion for a message you may want to use:

As part of our internal information security process, the company scans its repositories for potential secrets leaks using GitGuardian. All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. Please note that only repositories relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the repository’s purpose.