Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.
# Creación de una integración de CI/CD canalización personalizada con Amazon Inspector Scan
Le recomendamos que utilice los complementos de [Amazon Inspector si los CI/CD complementos](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html) de Amazon Inspector CI/CD están disponibles para su CI/CD solución. Si los CI/CD complementos de Amazon Inspector no están disponibles para su CI/CD solución, puede utilizar una combinación del generador SBOM de Amazon Inspector y la API de escaneo de Amazon Inspector para crear una integración personalizada CI/CD . En los siguientes pasos se describe cómo crear una integración de CI/CD canalización personalizada con Amazon Inspector Scan.
**sugerencia**
Puede usar el [generador de SBOM de Amazon Inspector (Sbomgen)](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html#install-sbomgen) para omitir los pasos 3 y 4 si desea [generar y analizar la SBOM en un solo comando](https://docs.aws.amazon.com/inspector/latest/user/cicd-custom.html#generate-scan-sbom.html).
## Paso 1. Configurando Cuenta de AWS
Configure una Cuenta de AWS que proporcione acceso a la API de escaneo de Amazon Inspector. Para obtener más información, consulte [Configuración de una AWS cuenta para usar la CI/CD integración de Amazon Inspector](configure-cicd-account.md).
## Paso 2. Instalación de Sbomgen binario
Instalación y configuración de Sbomgen binario. Para obtener más información, consulte [Instalación de Sbomgen](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html#install-sbomgen).
## Paso 3. Uso de Sbomgen
Utilice Sbomgen para crear un archivo de SBOM para una imagen del contenedor que desee analizar.
Puede utilizar el siguiente ejemplo. Sustituya {{`image:id`}} por el nombre de la imagen que va a analizar. Sustituya {{`sbom_path.json`}} por la ubicación en la que desea guardar el resultado de la SBOM.
**Ejemplo**
`./inspector-sbomgen container --image {{image:id}} -o sbom_path.json`
## Paso 4. Llamada a la API de Escaneo de Amazon Inspector
Llame a la API de `inspector-scan` para analizar la SBOM generada y proporcionar un informe de vulnerabilidades.
Puede utilizar el siguiente ejemplo. {{sbom\_path.json}}Sustitúyalo por la ubicación de un archivo SBOM válido compatible con CyclonedX. {{ENDPOINT}}Sustitúyalo por el punto final de la API en el Región de AWS que estás autenticado actualmente. {{REGION}}Sustitúyalo por la región correspondiente.
**Ejemplo**
`aws inspector-scan scan-sbom --sbom file://{{sbom_path.json}} --endpoint {{ENDPOINT-URL}} --region {{REGION}}`
Para obtener una lista completa de Regiones de AWS puntos finales, consulte [Regiones y puntos finales](https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#inspector-scan-endpoints).
## (Opcional) Paso 5. Generación y análisis de SBOM en un solo comando
**nota**
Complete este paso solo si se saltó el paso 3 y el paso 4.
Genere y analice la SBOM en un solo comando con el indicador `--scan-bom`.
Puede utilizar el siguiente ejemplo. Sustituya {{`image:id`}} por el nombre de la imagen que desea analizar. {{profile}}Sustitúyalo por el perfil correspondiente. {{REGION}}Sustitúyalo por la región correspondiente. {{/tmp/scan.json}}Sustitúyalo por la ubicación del archivo scan.json en el directorio tmp.
**Ejemplo**
`./inspector-sbomgen container --image {{image:id}} --scan-sbom --aws-profile {{profile}} --aws-region {{REGION}} -o {{/tmp/scan.json}}`
[Para obtener una lista completa de puntos finales, consulte Regiones Regiones de AWS y puntos finales.](https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#inspector-scan-endpoints)
## Formatos de resultados de la API
La API de Amazon Inspector Scan puede generar un informe de vulnerabilidades en formato CycloneDX 1.5 o resultados de JSON de Amazon Inspector. El valor predeterminado se puede cambiar con la marca `--output-format`.
### Ejemplo de salida en formato CycloneDX 1.5: Linux
```
{
"status": "SBOM parsed successfully, 1 vulnerabilities found",
"sbom": {
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:0077b45b-ff1e-4dbb-8950-ded11d8242b1",
"metadata": {
"properties": [
{
"name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
"value": "1"
},
{
"name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
"value": "0"
},
{
"name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
"value": "0"
},
{
"name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
"value": "0"
}
],
"tools": [
{
"name": "CycloneDX SBOM API",
"vendor": "Amazon Inspector",
"version": "empty:083c9b00:083c9b00:083c9b00"
}
],
"timestamp": "2023-06-28T14:15:53.760Z"
},
"components": [
{
"bom-ref": "comp-1",
"type": "library",
"name": "log4j-core",
"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1",
"properties": [
{
"name": "amazon:inspector:sbom_scanner:path",
"value": "/home/dev/foo.jar"
}
]
}
],
"vulnerabilities": [
{
"bom-ref": "vuln-1",
"id": "CVE-2021-44228",
"source": {
"name": "NVD",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
"references": [
{
"id": "GHSA-jfh8-c2jp-5v3q",
"source": {
"name": "GITHUB",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
}
}
],
"ratings": [
{
"source": {
"name": "NVD",
"url": "https://www.first.org/cvss/v3-1/"
},
"score": 10.0,
"severity": "critical",
"method": "CVSSv31",
"vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
{
"source": {
"name": "NVD",
"url": "https://www.first.org/cvss/v2/"
},
"score": 9.3,
"severity": "critical",
"method": "CVSSv2",
"vector": "AC:M/Au:N/C:C/I:C/A:C"
},
{
"source": {
"name": "EPSS",
"url": "https://www.first.org/epss/"
},
"score": 0.97565,
"severity": "none",
"method": "other",
"vector": "model:v2023.03.01,date:2023-06-27T00:00:00+0000"
},
{
"source": {
"name": "GITHUB",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
"score": 10.0,
"severity": "critical",
"method": "CVSSv31",
"vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
}
],
"cwes": [
400,
20,
502
],
"description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
"advisories": [
{
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
},
{
"url": "https://support.apple.com/kb/HT213189"
},
{
"url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"
},
{
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"url": "https://www.debian.org/security/2021/dsa-5020"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
},
{
"url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://twitter.com/kurtseifried/status/1469345530182455296"
},
{
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"
},
{
"url": "https://www.kb.cert.org/vuls/id/930724"
}
],
"created": "2021-12-10T10:15:00Z",
"updated": "2023-04-03T20:15:00Z",
"affects": [
{
"ref": "comp-1"
}
],
"properties": [
{
"name": "amazon:inspector:sbom_scanner:exploit_available",
"value": "true"
},
{
"name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public",
"value": "2023-03-06T00:00:00Z"
},
{
"name": "amazon:inspector:sbom_scanner:cisa_kev_date_added",
"value": "2021-12-10T00:00:00Z"
},
{
"name": "amazon:inspector:sbom_scanner:cisa_kev_date_due",
"value": "2021-12-24T00:00:00Z"
},
{
"name": "amazon:inspector:sbom_scanner:fixed_version:comp-1",
"value": "2.15.0"
}
]
}
]
}
}
```
### Ejemplo de salida en formato CycloneDX 1.5: Windows
```
{
"sbom": {
"specVersion": "1.5",
"metadata": {
"tools": {
"services": [
{
"name": "Amazon Inspector Scan SBOM API",
"version": "d79c681c+d73b8663+5e50a5ab"
}
]
},
"properties": [
{
"name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
"value": "0"
},
{
"name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
"value": "0"
},
{
"name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
"value": "1"
},
{
"name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
"value": "0"
},
{
"name": "amazon:inspector:sbom_scanner:other_vulnerabilities",
"value": "0"
}
],
"timestamp": "2026-03-17T00:00:52.344Z"
},
"components": [
{
"bom-ref": "comp-1",
"name": "defender",
"purl": "pkg:generic/microsoft/defender@4.18.25110.5",
"type": "application",
"version": "4.18.25110.5",
"properties": [
{
"name": "amazon:inspector:sbom_scanner:source_file_scanner",
"value": "windows-apps"
},
{
"name": "amazon:inspector:sbom_scanner:source_package_collector",
"value": "windows-app-defender"
},
{
"name": "amazon:inspector:sbom_scanner:path",
"value": "vol-0d994b0984fdaa2af:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.25110.5-0"
}
]
}
],
"serialNumber": "urn:uuid:6bed582d-191e-4cb7-9875-950dd0b99700",
"bomFormat": "CycloneDX",
"vulnerabilities": [
{
"advisories": [
{
"url": "https://support.microsoft.com/help/5011487"
},
{
"url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
}
],
"bom-ref": "vuln-1",
"references": [
{
"id": "CVE-2022-23278",
"source": {
"name": "MICROSOFT",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278"
}
}
],
"ratings": [
{
"severity": "none",
"score": 0.02691,
"method": "other",
"vector": "model:v2025.03.14,date:2026-03-15T12:55:00Z",
"source": {
"name": "EPSS",
"url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23278"
}
},
{
"severity": "medium",
"score": 5.9,
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"source": {
"name": "MICROSOFT",
"url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
}
}
],
"created": "2022-03-08T08:00:00Z",
"description": "Security Update for Defender (2022-03). Install KB5011487 to remediate. A reboot is required for this update to take effect.",
"affects": [
{
"ref": "comp-1"
}
],
"id": "KB5011487",
"source": {
"name": "MICROSOFT",
"url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
},
"published": "2022-03-08T08:00:00Z",
"analysis": {
"state": "in_triage"
},
"properties": [
{
"name": "amazon:inspector:sbom_scanner:priority",
"value": "standard"
},
{
"name": "amazon:inspector:sbom_scanner:priority_intelligence",
"value": "unverified"
},
{
"name": "amazon:inspector:sbom_scanner:fixed_version:comp-1",
"value": "10.0.19042.1586"
}
]
}
]
}
}
```
### Ejemplo de salida en formato Inspector - Linux
```
{
"status": "SBOM parsed successfully, 1 vulnerability found",
"inspector": {
"messages": [
{
"name": "foo",
"purl": "pkg:maven/foo@1.0.0", // Will not exist in output if missing in sbom
"info": "Component skipped: no rules found."
}
],
"vulnerability_count": {
"critical": 1,
"high": 0,
"medium": 0,
"low": 0
},
"vulnerabilities": [
{
"id": "CVE-2021-44228",
"severity": "critical",
"source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
"related": [
"GHSA-jfh8-c2jp-5v3q"
],
"description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
"references": [
"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html",
"https://support.apple.com/kb/HT213189",
"https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/",
"https://logging.apache.org/log4j/2.x/security.html",
"https://www.debian.org/security/2021/dsa-5020",
"https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
"https://www.oracle.com/security-alerts/alert-cve-2021-44228.html",
"https://www.oracle.com/security-alerts/cpujan2022.html",
"https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/",
"https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf",
"https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/",
"https://www.oracle.com/security-alerts/cpuapr2022.html",
"https://twitter.com/kurtseifried/status/1469345530182455296",
"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
"https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html",
"https://www.kb.cert.org/vuls/id/930724"
],
"created": "2021-12-10T10:15:00Z",
"updated": "2023-04-03T20:15:00Z",
"properties": {
"cisa_kev_date_added": "2021-12-10T00:00:00Z",
"cisa_kev_date_due": "2021-12-24T00:00:00Z",
"cwes": [
400,
20,
502
],
"cvss": [
{
"source": "NVD",
"severity": "critical",
"cvss3_base_score": 10.0,
"cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"cvss2_base_score": 9.3,
"cvss2_base_vector": "AC:M/Au:N/C:C/I:C/A:C"
},
{
"source": "GITHUB",
"severity": "critical",
"cvss3_base_score": 10.0,
"cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
}
],
"epss": 0.97565,
"exploit_available": true,
"exploit_last_seen_in_public": "2023-03-06T00:00:00Z"
},
"affects": [
{
"installed_version": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1",
"fixed_version": "2.15.0",
"path": "/home/dev/foo.jar"
}
]
}
]
}
}
```
### Ejemplo de salida en formato Inspector - Windows
```
{
"sbom": {
"vulnerabilities": [
{
"severity": "medium",
"priority_intelligence": "unverified",
"related": [
"CVE-2022-23278"
],
"references": [
"https://support.microsoft.com/help/5011487",
"https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
],
"created": "2022-03-08T08:00:00Z",
"description": "Security Update for Defender (2022-03). Install KB5011487 to remediate. A reboot is required for this update to take effect.",
"affects": [
{
"path": "vol-0d994b0984fdaa2af:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.25110.5-0",
"fixed_version": "10.0.19042.1586",
"installed_version": "pkg:generic/microsoft/defender@4.18.25110.5"
}
],
"id": "KB5011487",
"source": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487",
"published": "2022-03-08T08:00:00Z",
"priority": "standard",
"properties": {
"epss": 0.0269099995,
"cvss": [
{
"severity": "medium",
"cvss_3_base_score": 5.9000000954,
"cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"source": "MICROSOFT",
"url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
}
]
}
}
],
"vulnerability_count": {
"high": 0,
"other": 0,
"critical": 0,
"low": 0,
"medium": 1
}
}
}
```