


# Creating a custom CI/CD pipeline integration with Amazon Inspector Scan
<a name="cicd-custom"></a>

 We recommend that you use the [Amazon Inspector CI/CD plugins](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html) if an Amazon Inspector CI/CD plugin is available for your CI/CD solution. If an Amazon Inspector CI/CD plugin isn't available for your CI/CD solution, you can use a combination of the Amazon Inspector SBOM Generator and the Amazon Inspector Scan API to create a custom CI/CD integration. The following steps describe how to create a custom CI/CD pipeline integration with Amazon Inspector Scan. 

**Tip**  
 You can use the [Amazon Inspector SBOM Generator (Sbomgen)](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html#install-sbomgen) to skip Step 3 and Step 4 if you want to [generate and scan your SBOM in a single command](https://docs.aws.amazon.com/inspector/latest/user/cicd-custom.html#generate-scan-sbom.html). 

## Step 1. Configuring your AWS account
<a name="configure-account"></a>

 Configure an AWS account that provides access to the Amazon Inspector Scan API. For more information, see [Setting up an AWS account to use the Amazon Inspector CI/CD integration](configure-cicd-account.md). 

## Step 2. Installing the Sbomgen binary
<a name="install-sbom-binary"></a>

 Install and configure the Sbomgen binary. For more information, see [Installing Sbomgen](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html#install-sbomgen). 

## Step 3. Using Sbomgen
<a name="use-sbom-generator"></a>

 Use Sbomgen to create an SBOM file for the container image that you want to scan. 

 You can use the following example. Replace {{`image:id`}} with the name of the image that you want to scan. Replace {{`sbom_path.json`}} with the location where you want to save the SBOM output. 

**Example**  
 `./inspector-sbomgen container --image {{image:id}} -o {{sbom_path.json}}` 

## Step 4. Calling the Amazon Inspector Scan API
<a name="call-api"></a>

 Call the `inspector-scan` API to scan the generated SBOM and provide a vulnerability report. 

 You can use the following example. Replace {{sbom\_path.json}} with the location of a valid CycloneDX-compatible SBOM file. Replace {{ENDPOINT-URL}} with the API endpoint for the AWS Region where you are currently authenticated. Replace {{REGION}} with the corresponding Region. 

**Example**  
 `aws inspector-scan scan-sbom --sbom file://{{sbom_path.json}} --endpoint {{ENDPOINT-URL}} --region {{REGION}}` 

 For a complete list of AWS Regions and endpoints, see [Regions and endpoints](https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#inspector-scan-endpoints). 

## (Optional) Step 5. Generate and scan an SBOM in a single command
<a name="generate-scan-sbom"></a>

**Note**  
 Only complete this step if you skipped Step 3 and Step 4. 

 Generate and scan your SBOM in a single command using the `--scan-sbom` flag. 

 You can use the following example. Replace {{`image:id`}} with the name of the image that you want to scan. Replace {{profile}} with the corresponding profile. Replace {{REGION}} with the corresponding Region. Replace {{/tmp/scan.json}} with the location of the scan.json file in the tmp directory. 

**Example**  
 `./inspector-sbomgen container --image {{image:id}} --scan-sbom --aws-profile {{profile}} --aws-region {{REGION}} -o {{/tmp/scan.json}}` 

 For a complete list of AWS Regions and endpoints, see [Regions and endpoints](https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html#inspector-scan-endpoints). 

## API output formats
<a name="API-output-samples"></a>

The Amazon Inspector Scan API can return a vulnerability report in CycloneDX 1.5 format or as Amazon Inspector finding JSON. The default can be changed using the `--output-format` flag.

### Example of CycloneDX 1.5 format output - Linux
<a name="cyclone-format"></a>

```
{
  "status": "SBOM parsed successfully, 1 vulnerabilities found",
  "sbom": {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:0077b45b-ff1e-4dbb-8950-ded11d8242b1",
    "metadata": {
      "properties": [
        {
          "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
          "value": "1"
        },
        {
          "name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
          "value": "0"
        }
      ],
      "tools": [
        {
          "name": "CycloneDX SBOM API",
          "vendor": "Amazon Inspector",
          "version": "empty:083c9b00:083c9b00:083c9b00"
        }
      ],
      "timestamp": "2023-06-28T14:15:53.760Z"
    },
    "components": [
      {
        "bom-ref": "comp-1",
        "type": "library",
        "name": "log4j-core",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1",
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:path",
            "value": "/home/dev/foo.jar"
          }
        ]
      }
    ],
    "vulnerabilities": [
      {
        "bom-ref": "vuln-1",
        "id": "CVE-2021-44228",
        "source": {
          "name": "NVD",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
        },
        "references": [
          {
            "id": "GHSA-jfh8-c2jp-5v3q",
            "source": {
              "name": "GITHUB",
              "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
            }
          }
        ],
        "ratings": [
          {
            "source": {
              "name": "NVD",
              "url": "https://www.first.org/cvss/v3-1/"
            },
            "score": 10.0,
            "severity": "critical",
            "method": "CVSSv31",
            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          },
          {
            "source": {
              "name": "NVD",
              "url": "https://www.first.org/cvss/v2/"
            },
            "score": 9.3,
            "severity": "critical",
            "method": "CVSSv2",
            "vector": "AC:M/Au:N/C:C/I:C/A:C"
          },
          {
            "source": {
              "name": "EPSS",
              "url": "https://www.first.org/epss/"
            },
            "score": 0.97565,
            "severity": "none",
            "method": "other",
            "vector": "model:v2023.03.01,date:2023-06-27T00:00:00+0000"
          },
          {
            "source": {
              "name": "GITHUB",
              "url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
            },
            "score": 10.0,
            "severity": "critical",
            "method": "CVSSv31",
            "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
          }
        ],
        "cwes": [
          400,
          20,
          502
        ],
        "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
        "advisories": [
          {
            "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html"
          },
          {
            "url": "https://support.apple.com/kb/HT213189"
          },
          {
            "url": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/"
          },
          {
            "url": "https://logging.apache.org/log4j/2.x/security.html"
          },
          {
            "url": "https://www.debian.org/security/2021/dsa-5020"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf"
          },
          {
            "url": "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html"
          },
          {
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/"
          },
          {
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "url": "https://twitter.com/kurtseifried/status/1469345530182455296"
          },
          {
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html"
          },
          {
            "url": "https://www.kb.cert.org/vuls/id/930724"
          }
        ],
        "created": "2021-12-10T10:15:00Z",
        "updated": "2023-04-03T20:15:00Z",
        "affects": [
          {
            "ref": "comp-1"
          }
        ],
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:exploit_available",
            "value": "true"
          },
          {
            "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public",
            "value": "2023-03-06T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:cisa_kev_date_added",
            "value": "2021-12-10T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:cisa_kev_date_due",
            "value": "2021-12-24T00:00:00Z"
          },
          {
            "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1",
            "value": "2.15.0"
          }
        ]
      }
    ]
  }
}
```

### Example of CycloneDX 1.5 format output - Windows
<a name="cyclone-format-windows"></a>

```
{
  "sbom": {
    "specVersion": "1.5",
    "metadata": {
      "tools": {
        "services": [
          {
            "name": "Amazon Inspector Scan SBOM API",
            "version": "d79c681c+d73b8663+5e50a5ab"
          }
        ]
      },
      "properties": [
        {
          "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:high_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities",
          "value": "1"
        },
        {
          "name": "amazon:inspector:sbom_scanner:low_vulnerabilities",
          "value": "0"
        },
        {
          "name": "amazon:inspector:sbom_scanner:other_vulnerabilities",
          "value": "0"
        }
      ],
      "timestamp": "2026-03-17T00:00:52.344Z"
    },
    "components": [
      {
        "bom-ref": "comp-1",
        "name": "defender",
        "purl": "pkg:generic/microsoft/defender@4.18.25110.5",
        "type": "application",
        "version": "4.18.25110.5",
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:source_file_scanner",
            "value": "windows-apps"
          },
          {
            "name": "amazon:inspector:sbom_scanner:source_package_collector",
            "value": "windows-app-defender"
          },
          {
            "name": "amazon:inspector:sbom_scanner:path",
            "value": "vol-0d994b0984fdaa2af:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.25110.5-0"
          }
        ]
      }
    ],
    "serialNumber": "urn:uuid:6bed582d-191e-4cb7-9875-950dd0b99700",
    "bomFormat": "CycloneDX",
    "vulnerabilities": [
      {
        "advisories": [
          {
            "url": "https://support.microsoft.com/help/5011487"
          },
          {
            "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
          }
        ],
        "bom-ref": "vuln-1",
        "references": [
          {
            "id": "CVE-2022-23278",
            "source": {
              "name": "MICROSOFT",
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23278"
            }
          }
        ],
        "ratings": [
          {
            "severity": "none",
            "score": 0.02691,
            "method": "other",
            "vector": "model:v2025.03.14,date:2026-03-15T12:55:00Z",
            "source": {
              "name": "EPSS",
              "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23278"
            }
          },
          {
            "severity": "medium",
            "score": 5.9,
            "method": "CVSSv31",
            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "source": {
              "name": "MICROSOFT",
              "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
            }
          }
        ],
        "created": "2022-03-08T08:00:00Z",
        "description": "Security Update for Defender (2022-03). Install KB5011487 to remediate. A reboot is required for this update to take effect.",
        "affects": [
          {
            "ref": "comp-1"
          }
        ],
        "id": "KB5011487",
        "source": {
          "name": "MICROSOFT",
          "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
        },
        "published": "2022-03-08T08:00:00Z",
        "analysis": {
          "state": "in_triage"
        },
        "properties": [
          {
            "name": "amazon:inspector:sbom_scanner:priority",
            "value": "standard"
          },
          {
            "name": "amazon:inspector:sbom_scanner:priority_intelligence",
            "value": "unverified"
          },
          {
            "name": "amazon:inspector:sbom_scanner:fixed_version:comp-1",
            "value": "10.0.19042.1586"
          }
        ]
      }
    ]
  }
}
```

### Example of Inspector format output - Linux
<a name="inspector-format"></a>

```
{
  "status": "SBOM parsed successfully, 1 vulnerability found",
  "inspector": {
    "messages": [
      {
        "name": "foo",
        "purl": "pkg:maven/foo@1.0.0", // Will not exist in output if missing in sbom
        "info": "Component skipped: no rules found."
      }
    ],
    "vulnerability_count": {
      "critical": 1,
      "high": 0,
      "medium": 0,
      "low": 0
    },
    "vulnerabilities": [
      {
        "id": "CVE-2021-44228",
        "severity": "critical",
        "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
        "related": [
          "GHSA-jfh8-c2jp-5v3q"
        ],
        "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.",
        "references": [
          "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html",
          "https://support.apple.com/kb/HT213189",
          "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/",
          "https://logging.apache.org/log4j/2.x/security.html",
          "https://www.debian.org/security/2021/dsa-5020",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf",
          "https://www.oracle.com/security-alerts/alert-cve-2021-44228.html",
          "https://www.oracle.com/security-alerts/cpujan2022.html",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf",
          "https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf",
          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/",
          "https://www.oracle.com/security-alerts/cpuapr2022.html",
          "https://twitter.com/kurtseifried/status/1469345530182455296",
          "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd",
          "https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html",
          "https://www.kb.cert.org/vuls/id/930724"
        ],
        "created": "2021-12-10T10:15:00Z",
        "updated": "2023-04-03T20:15:00Z",
        "properties": {
          "cisa_kev_date_added": "2021-12-10T00:00:00Z",
          "cisa_kev_date_due": "2021-12-24T00:00:00Z",
          "cwes": [
            400,
            20,
            502
          ],
          "cvss": [
            {
              "source": "NVD",
              "severity": "critical",
              "cvss3_base_score": 10.0,
              "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "cvss2_base_score": 9.3,
              "cvss2_base_vector": "AC:M/Au:N/C:C/I:C/A:C"
            },
            {
              "source": "GITHUB",
              "severity": "critical",
              "cvss3_base_score": 10.0,
              "cvss3_base_vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
            }
          ],
          "epss": 0.97565,
          "exploit_available": true,
          "exploit_last_seen_in_public": "2023-03-06T00:00:00Z"
        },
        "affects": [
          {
            "installed_version": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.1",
            "fixed_version": "2.15.0",
            "path": "/home/dev/foo.jar"
          }
        ]
      }
    ]
  }
}
```

### Example of Inspector format output - Windows
<a name="inspector-format-windows"></a>

```
{
  "sbom": {
    "vulnerabilities": [
      {
        "severity": "medium",
        "priority_intelligence": "unverified",
        "related": [
          "CVE-2022-23278"
        ],
        "references": [
          "https://support.microsoft.com/help/5011487",
          "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
        ],
        "created": "2022-03-08T08:00:00Z",
        "description": "Security Update for Defender (2022-03). Install KB5011487 to remediate. A reboot is required for this update to take effect.",
        "affects": [
          {
            "path": "vol-0d994b0984fdaa2af:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.25110.5-0",
            "fixed_version": "10.0.19042.1586",
            "installed_version": "pkg:generic/microsoft/defender@4.18.25110.5"
          }
        ],
        "id": "KB5011487",
        "source": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487",
        "published": "2022-03-08T08:00:00Z",
        "priority": "standard",
        "properties": {
          "epss": 0.0269099995,
          "cvss": [
            {
              "severity": "medium",
              "cvss_3_base_score": 5.9000000954,
              "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "source": "MICROSOFT",
              "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5011487"
            }
          ]
        }
      }
    ],
    "vulnerability_count": {
      "high": 0,
      "other": 0,
      "critical": 0,
      "low": 0,
      "medium": 1
    }
  }
}
```
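
A build gate over the two report formats shown above, as an added example that is not part of the AWS documentation: it reads either a CycloneDX 1.5 or an Inspector-format report and returns the findings that should fail the pipeline. The `gate` function, its `fail_on` threshold and the blocking policy (severity at or above the threshold, an available exploit, or a CISA KEV entry) are assumptions, and the sample input is constructed from the page's Linux sample.

```python
import json

SEVERITIES = ["none", "low", "medium", "high", "critical"]
PREFIX = "amazon:inspector:sbom_scanner:"


def _rank(severity):
    # Unknown labels rank lowest so they never mask a real rating.
    return SEVERITIES.index(severity) if severity in SEVERITIES else -1


def _normalize(report):
    """Yield (id, severity, exploit_available, in_cisa_kev, fixed_versions) per finding."""
    body = report.get("sbom") or report.get("inspector")
    if not isinstance(body, dict):
        raise ValueError("no scan result in report; treat the scan as failed")
    cyclonedx = body.get("bomFormat") == "CycloneDX"
    # Assumption: a clean scan may omit the array, so a missing array means zero findings.
    for v in body.get("vulnerabilities", []):
        if cyclonedx:
            # Properties are name/value string pairs; ratings hold one entry per source.
            props = {p["name"][len(PREFIX):]: p["value"]
                     for p in v.get("properties", []) if p["name"].startswith(PREFIX)}
            severity = max((r.get("severity", "") for r in v.get("ratings", [])),
                           key=_rank, default="")
            exploit = props.get("exploit_available") == "true"
            fixed = [val for key, val in props.items() if key.startswith("fixed_version:")]
        else:
            # Inspector format: flat severity, typed properties, fix version under "affects".
            props = v.get("properties", {})
            severity = v.get("severity", "")
            exploit = props.get("exploit_available") is True
            fixed = [a["fixed_version"] for a in v.get("affects", []) if a.get("fixed_version")]
        yield v.get("id"), severity, exploit, "cisa_kev_date_added" in props, fixed


def gate(report, fail_on="high"):
    """Return the findings that should block the build (empty list means pass)."""
    if fail_on not in SEVERITIES:
        raise ValueError("unknown severity threshold: %r" % fail_on)
    blocking = []
    for vid, severity, exploit, kev, fixed in _normalize(report):
        if _rank(severity) >= _rank(fail_on) or exploit or kev:
            blocking.append({"id": vid, "severity": severity,
                             "exploit": exploit, "kev": kev, "fixed": fixed})
    return blocking


# Constructed input: the CycloneDX Linux sample above, trimmed to the fields the gate reads.
SAMPLE = json.loads("""
{"sbom": {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [{
  "id": "CVE-2021-44228",
  "ratings": [{"source": {"name": "NVD"}, "severity": "critical"},
              {"source": {"name": "EPSS"}, "severity": "none"}],
  "properties": [
    {"name": "amazon:inspector:sbom_scanner:exploit_available", "value": "true"},
    {"name": "amazon:inspector:sbom_scanner:cisa_kev_date_added", "value": "2021-12-10T00:00:00Z"},
    {"name": "amazon:inspector:sbom_scanner:fixed_version:comp-1", "value": "2.15.0"}]}]}}
""")

if __name__ == "__main__":
    # A pipeline step would exit non-zero whenever this list is not empty.
    for finding in gate(SAMPLE):
        print("BLOCK", finding)
```

A report with neither an `sbom` nor an `inspector` object raises `ValueError`, so a failed or truncated scan cannot pass the gate silently.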