Using SBOM to find vulnerable container images running on Amazon EKS clusters

Blog



This article explains how to use a Software Bill of Materials (SBOM) to identify vulnerable container images running on Amazon EKS clusters.

  • An SBOM provides a machine-readable inventory of every software component in a container image
  • 96% of commercial codebases contain open source; 48% have high-risk vulnerabilities
  • The solution uses Syft to generate SBOM files in SPDX JSON format
  • An AWS CodeBuild pipeline generates the SBOM automatically when an image is pushed to Amazon ECR
  • A CronJob discovers all pods running in the EKS cluster and lists the container images they use
  • An AWS Glue crawler indexes the SBOM and image data so it can be queried
  • Amazon Athena SQL queries join the two datasets to identify vulnerable packages in running containers
  • A one-off scan covers images already in ECR that have no SBOM yet

This approach lets organizations quickly identify which running container images contain a specific vulnerable package or version by querying stored SBOM data instead of rescanning every image, which is critical when responding to zero-day vulnerabilities like Log4Shell.
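As an added example, not code from the article or from the AWS solution it describes, the following Python script performs the same join offline that the Glue/Athena pipeline performs at scale: it reads SPDX JSON SBOMs (the layout Syft emits, with `packages[].name`, `packages[].versionInfo` and a purl `externalRef`), takes the CronJob's pod-to-image inventory, and reports which pods run an image whose SBOM lists a package below a chosen fixed version. It also lists running images that have no SBOM, which is the set the one-off scan must cover. The registry, repository names, tags, namespaces, pod names and SBOM contents are constructed sample data; the fixed-version threshold is an input (2.17.1 is used only as the example value), not a statement about which versions are affected.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical account, repositories, tags, pods).
ECR = "123456789012.dkr.ecr.us-east-1.amazonaws.com"


def spdx_doc(image: str, packages: List[Tuple[str, str, str]]) -> dict:
    """Build a minimal SPDX 2.3 JSON document for one image (constructed)."""
    return {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": image,
        "packages": [
            {
                "name": name,
                "SPDXID": f"SPDXRef-Package-{i}",
                "versionInfo": version,
                "externalRefs": [{
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": purl,
                }],
            }
            for i, (name, version, purl) in enumerate(packages)
        ],
    }


LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@"
SBOMS: Dict[str, str] = {  # image reference -> SPDX JSON, as stored in S3
    f"{ECR}/payments-api:1.4.2": json.dumps(spdx_doc(f"{ECR}/payments-api:1.4.2", [
        ("log4j-core", "2.14.1", LOG4J + "2.14.1"),
        ("spring-core", "5.3.13", "pkg:maven/org.springframework/spring-core@5.3.13")])),
    f"{ECR}/reporting:0.9.0": json.dumps(spdx_doc(f"{ECR}/reporting:0.9.0", [
        ("log4j-core", "2.17.1", LOG4J + "2.17.1")])),
    f"{ECR}/legacy-batch:3.1": json.dumps(spdx_doc(f"{ECR}/legacy-batch:3.1", [
        ("log4j-core", "2.0-beta9", LOG4J + "2.0-beta9")])),
}

# Constructed output of the discovery CronJob: the image behind each running pod.
RUNNING_PODS = [
    {"namespace": "payments", "pod": "payments-api-6c8d9-x2k1", "image": f"{ECR}/payments-api:1.4.2"},
    {"namespace": "payments", "pod": "payments-api-6c8d9-p9q7", "image": f"{ECR}/payments-api:1.4.2"},
    {"namespace": "analytics", "pod": "reporting-5f7b-a1b2", "image": f"{ECR}/reporting:0.9.0"},
    {"namespace": "batch", "pod": "nightly-legacy-batch-28512", "image": f"{ECR}/legacy-batch:3.1"},
    {"namespace": "web", "pod": "frontend-9a1c-zz8r", "image": f"{ECR}/frontend:2.2.0"},
]


def parse_version(v: str):
    """Sort key for versions such as '2.14.1' or '2.0-beta9': numeric release
    parts first; a pre-release (text after '-') sorts below the plain release."""
    release, _, pre = v.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", release))
    if not pre:
        return (nums, 1, ())
    pre_key = tuple((0, int(t)) if t.isdigit() else (1, t)
                    for t in re.findall(r"\d+|[A-Za-z]+", pre))
    return (nums, 0, pre_key)


def packages_in_sbom(sbom_json: str) -> List[Tuple[str, str]]:
    """(name, version) for each SPDX package, preferring the purl's version."""
    out = []
    for pkg in json.loads(sbom_json).get("packages", []):
        version = pkg.get("versionInfo", "")
        for ref in pkg.get("externalRefs", []):
            locator = ref.get("referenceLocator", "")
            if ref.get("referenceType") == "purl" and "@" in locator:
                version = locator.rsplit("@", 1)[1].split("?", 1)[0]
        out.append((pkg.get("name", ""), version))
    return out


def vulnerable_images(sboms: Dict[str, str], package: str, fixed_in: str) -> Dict[str, str]:
    """Images whose SBOM lists `package` at a version below `fixed_in`
    (the in-memory equivalent of the Athena query over SBOM rows)."""
    fixed_key = parse_version(fixed_in)
    return {image: version
            for image, doc in sboms.items()
            for name, version in packages_in_sbom(doc)
            if name == package and version and parse_version(version) < fixed_key}


def affected_pods(pods: List[dict], vulnerable: Dict[str, str]) -> List[dict]:
    """Join the CronJob inventory against the vulnerable image set."""
    return [dict(p, package_version=vulnerable[p["image"]]) for p in pods if p["image"] in vulnerable]


def images_without_sbom(pods: List[dict], sboms: Dict[str, str]) -> set:
    """Running images with no SBOM on record: candidates for the one-off scan."""
    return {p["image"] for p in pods} - set(sboms)


if __name__ == "__main__":
    hits = vulnerable_images(SBOMS, "log4j-core", "2.17.1")
    for p in affected_pods(RUNNING_PODS, hits):
        print(f'{p["namespace"]}/{p["pod"]}  {p["image"]}  log4j-core {p["package_version"]}')
    print("no SBOM:", sorted(images_without_sbom(RUNNING_PODS, SBOMS)))
```

The version comparator is deliberately simple (dotted numerics plus a `-pre` suffix); Maven, Debian and Python each have their own ordering rules, so in a real pipeline compare within one ecosystem at a time or use that ecosystem's version library. Keying the join on the full image reference (registry/repository:tag) mirrors what the CronJob records; a pod that pins an image by digest will only match if the SBOM store keys by the same digest.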
