Integrate a new Amazon ECR source

info

This integration leads to an automatic full scan of your monitored repositories. This implies an initial download of your Docker images, which may incur bandwidth costs with your Cloud Provider. To reduce these costs, while minimizing the risk of false positives, we recommend you to take advantage of the Filepath exclusion feature by adding this suggestion of filepaths to exclude from scanning.

Setting up and configuring this integration is limited to users with an Owner or Manager access level. Amazon ECR installation is only open to workspaces under the Business plan. However, you can install and test secret detection in Amazon ECR with a 30-day trial. Any secret incidents detected during the trial will remain accessible in your incident dashboard.

Note that GitGuardian only has read access to your repositories.

Setup your Amazon ECR integration

You can install GitGuardian on multiple Amazon ECR instances to monitor your repositories. To set up the Amazon ECR integration, you shall create an IAM role in your AWS account, and configure it with an AWS External ID generated by GitGuardian for your workspace.

Connect GitGuardian with your Amazon ECR account

1. In the GitGuardian platform, navigate to the Sources integration page
2. Click Install next to Amazon ECR in the Container registries section
3. Click Install on the Amazon ECR integration page
4. Retrieve the Role name. By default, it is GitGuardianECRScanning, but you can customize it. This role allows GitGuardian to scan your ECR repositories.
5. Retrieve the AWS External ID, unique to your workspace. You will need this when defining the trust policy for the IAM role. Keep this ID confidential!
6. Click Connect with Amazon ECR to link GitGuardian with your Amazon ECR account.
7. Create a new IAM role in the AWS IAM Console for GitGuardian.
8. Select AWS account for the trusted entity type, and choose Another AWS account.
9. Enter the GitGuardian’s Account ID: 762233768605
10. Select Require external ID, enter your AWS External ID (5) and ensure to leave Require MFA disabled. For more details, see how to use an external ID when granting access to your AWS resources to a third party in the AWS documentation.
11. Click Next.
12. Attach the AmazonEC2ContainerRegistryReadOnly role to enable resource collection.
13. Click Next.
14. Name the role using the Role name (4) defined earlier (GitGuardianECRScanning by default), and provide a description.
15. Click Create Role.

Register your Amazon ECR account information

1. Retrieve your Region
   

2. Copy your Account ID
   

3. Return to the GitGuardian platform to register your Amazon ECR account information

4. Enter your Region name (e.g.: us-west-2)

5. Paste your Account ID

6. Click Install

7. Customize your monitored perimeter:

   • Monitor specific Amazon ECR repositories (Recommended)
     • No repositories are monitored by default, you will have to select them manually.
     • Newly created repositories will not be monitored by default. You can adjust this setting at any time.
     • Recommended to optimize your bandwidth costs.
   • Monitor the entire Amazon ECR instance
     • All repositories are monitored by default with a full historical scan automatically triggered.
     • Newly created repositories will be monitored by default. You can adjust this setting at any time.

   

That's it! Your Amazon ECR instance is now installed, and GitGuardian is monitoring all Docker images of your selected repositories for secrets.

Customize your monitored perimeter

To customize the monitored repositories, navigate to your Amazon ECR settings.

1. Select/Unselect repositories to include or exclude them from monitoring
2. Confirm by clicking Update monitored perimeter

Automatic repository monitoring

You can enable or disable the automatic addition of newly created repositories to your monitored perimeter by switching the option in your Amazon ECR settings.

Uninstall your Amazon ECR instance

To uninstall an Amazon ECR instance:

1. In the GitGuardian platform, navigate to the Sources integration page
2. Click Edit next to Amazon ECR in the Container registries section
3. Click the bin icon next to the Amazon ECR instance to uninstall
4. Confirm by clicking Yes, uninstall in the confirmation modal

That's it! Your Amazon ECR instance is now uninstalled.

Excluded paths

GitGuardian automatically excludes files from scanning if their paths contain any of these regular expressions:

/__pypackages__/
/\.venv/
/\.tox/
/site-packages/
/venv/
distutils/command/register.py
python.*/awscli/examples/
python.*/dulwich/(tests|contrib/test_)
python.*/hgext/bugzilla.py
python.*/mercurial/util.py
python.*/test/certdata/
python.*/urllib/request\.py
python.*/pygments/lexers/
/cryptography.+/tests/.+(fixtures|test)_.+.py
/python.+pygpgme.+/tests/
botocore/data/.+/(examples|service)-.+.json
usr(/local)?/lib/python.+/dist-packages
/libevent.+/info/test/test/
/conda-.+-py.+/info/test/tests.+/test_.+\.py
/python[^/]+/test/
/man/man5/kdc\.conf\.5
erlang.*(inets|ssl).*/examples/
/gems/.*httpclient.*/(test|sample)/
/gems/.*faraday.*/
/vendor/bundle/
/\.gem/
/(g|G)o/src/cmd/go/internal/.*_test.go
/(g|G)o/src/cmd/go/internal/.*/testdata/
/(g|G)o/src/cmd/go/testdata/
/(g|G)o/src/crypto/x509/platform_root_key.pem
/(G|g)o/src/crypto/tls/.*_test.go
/(g|G)o/src/net/(url|http)/.*_test.go
src/github.com/DataDog/datadog-agent/.*test.*.go
google/internal/.*_test.go
golang.org.*oauth2@.*/.*.go
/flutter/.*/packages/flutter_tools/test/data/
/flutter/.*/examples/image_list/lib
/\.pub-cache
etc/ssl/private/ssl-cert-snakeoil\.key
perl.*Cwd.pm
ansible/.*/tests/(integration|unit)/
ansible/.*/test/awx
ansible/collections/ansible_collections/.*/plugins/
/curl/.*/(tests|docs|lib/url.c)
/doc/wget.+/NEWS
dist/awscli/examples/
usr(/local)?/lib/aws-cli/examples/
/google-cloud-sdk/(lib|platform)/
\.git/modules/third[-_]?party/
\.git/modules/external/
/\.npm/_cacache
/node_modules/
/\.parcel-cache/
/\.yarn/cache/
/\.m2/
/\.ivy2/cache/
/\.mix/
/\.hex/
/composer/cache/
/\.nuget/packages/
/libgpg-error/errorref\.txt
/Homebrew/Library/Taps/
/tcl[^/]+/http-.+.tm

Limitations

This integration is currently in beta and has the following limitations:

• Scan Frequency: Scans occur once a day. It may take several hours to detect newly leaked secrets.
  For GitGuardian Self-Hosted instances, scan frequency can be configured in the Admin Area.
  • Time interval unit: seconds
  • Default value: 86400 (1 day)
  • Minimum value: 1800 (30 minutes)
• Team Perimeter: Customization of a team perimeter with Amazon ECR repositories is not supported. Users must be in All-incidents team to view and access Amazon ECR incidents.
• Source Visibility: The visibility of repositories is not determined. All repositories are considered private in both the UI and API.
• Presence Check: The presence check feature is not supported. All occurrences are considered present in both the UI and API.
• Occurrence Previews: Previews of occurrences are not supported.

Privacy

Country-specific laws and regulations may require you to inform your users that your repositories are being scanned for secrets. Here is a suggestion for a message you may want to use:

As part of our internal information security process, the company scans its repositories for potential secrets leaks using GitGuardian. All data collected will be processed for the purpose of detecting potential leaks. To find out more about how we manage your personal data and to exercise your rights, please refer to our employee/partner privacy notice. Please note that only repositories relating to the company’s activity and business may be monitored and that users shall refrain from sharing personal or sensitive data not relevant to the repository’s purpose.