feat: upgrade AWS SDK and switch to AWS native basic scanning #33
Andrey9kin merged 3 commits into master from
Migrate from deprecated Clair-based ECR scanning to AWS native basic scanning, which became the default after Clair deprecation on Feb 2, 2026.

Core changes:
- Upgrade AWS SDK Go v2 (v1.16.7 -> v1.41.1, ECR service v1.17.8 -> v1.55.1)
- Upgrade Go from 1.14 to 1.24
- Add retry logic for ScanNotFoundException to handle scan initiation delay with AWS native scanning (up to 5 min with 15s intervals)
- Add pagination for DescribeImageScanFindings to collect all findings
- Handle both Clair UnsupportedImageError and AWS native ScanNotFoundException for unscannable images (e.g. scratch)

Dependency upgrades (cascading from Go/SDK bump):
- Docker client library v20.10.17 -> v28.5.2 (new type import paths)
- distribution/reference extracted to github.com/distribution/reference
- urfave/cli v2.10.3 -> v2.27.7
- tablewriter v0.0.5 -> v1.1.3 (new API: Header, Append, Render)

CI and tooling:
- GitHub Actions: checkout v4, setup-go v5, goreleaser v6, golangci-lint v6, codeql v3
- golangci-lint v1.46.2 -> v2.9.0, fix errcheck findings
- goreleaser --rm-dist -> --clean (renamed flag)
- Workflows trigger on both master and main branches

Test suite:
- Replace deprecated resin/scratch with locally built scratch image
- Switch from old Alpine to python:3.13 (Debian-based) for CVE tests
- Fix negative tests to properly exit 1 on unexpected pass

Co-authored-by: Cursor <cursoragent@cursor.com>
- docker.go: simplify imageTag to direct return, remove redundant else
after return in getImageIdFromDockerDaemonJsonMessages
- ecr.go: use slices.Contains in IsFindingIgnored and
AreSeverityLevelsValid, simplify GetECRClient to direct return,
extract newUnsupportedImageFinding helper to reduce duplication
- helpers.go: use map[string]struct{} instead of map[string]bool in
dedupList for idiomatic set semantics, simplify variable names
- junit.go: simplify time.Duration(1) * time.Second to time.Second
Co-authored-by: Cursor <cursoragent@cursor.com>
3f5d0f3 to 95f568d
Upgrade all indirect/transitive dependencies to their latest versions:
- Azure/go-ansiterm: 2021-06-17 -> 2025-01-02
- Microsoft/go-winio: v0.5.2 -> v0.6.2
- clipperhouse/displaywidth: v0.6.2 -> v0.10.0
- clipperhouse/uax29/v2: v2.3.0 -> v2.6.0
- docker/go-connections: v0.4.0 -> v0.6.0
- docker/go-units: v0.4.0 -> v0.5.0
- moby/term: 2021-06-19 -> v0.5.2
- morikuni/aec: v1.0.0 -> v1.1.0
- olekukonko/errors: v1.1.0 -> v1.2.0
- olekukonko/ll: v0.1.4-pre -> v0.1.5
- opencontainers/image-spec: v1.0.3-pre -> v1.1.1
- xrash/smetrics: 2024-05-21 -> 2025-07-05
- golang.org/x/net: v0.49.0 -> v0.50.0
- golang.org/x/sys: v0.40.0 -> v0.41.0

Removed unused clipperhouse/stringish indirect dependency.

Co-authored-by: Cursor <cursoragent@cursor.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| continue | ||
| } | ||
| // Exhausted retries - treat as unsupported image | ||
| return newUnsupportedImageFinding("Image scan does not exist - image is not supported for scanning"), nil |
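Review bot: the fallthrough after the retry loop returns newUnsupportedImageFinding(...) with a nil error, so a scan that never became available within the retry budget is reported with the same finding as a genuinely unscannable image and is suppressed by the same ignore rule. Return a distinct error (or a dedicated finding name, for example a hypothetical ECR_ERROR_SCAN_TIMEOUT) from this branch and reserve the unsupported-image finding for the UnsupportedImageError path; if equating the two is intentional, the comment `// Exhausted retries - treat as unsupported image` should state why.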
Exhausted scan retries silently treated as unsupported image
Medium Severity
When ScanNotFoundException retries are exhausted after 5 minutes, the code returns an ECR_ERROR_UNSUPPORTED_IMAGE finding with a nil error instead of returning an error. This conflates "scan genuinely delayed or AWS service issue" with "image is unscannable." Users who ignore ECR_ERROR_UNSUPPORTED_IMAGE (as recommended for scratch images) would silently pass unscanned images through the security gate if the scan fails to initiate due to a transient AWS issue. Returning an error here would be safer, with a separate mechanism to detect truly unscannable images.
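As an added example (not code from this PR or the project), a scan waiter that retries ScanNotFoundException against a fixed budget and paginates DescribeImageScanFindings as the first commit describes, but returns a distinct ErrScanTimeout when the budget is exhausted instead of an unsupported-image finding, which is the separation the review comment above asks for. The SDK client is replaced by a constructed interface and fake; all names and shapes here are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)
// Constructed stand-ins for the ECR SDK surface (assumed shapes, not the real SDK types).
var errScanNotFound = errors.New("ScanNotFoundException")
// scanClient returns one page of finding IDs and the next page token (nil on the last page).
type scanClient interface {
	DescribeImageScanFindings(ctx context.Context, nextToken *string) ([]string, *string, error)
}
// ErrScanTimeout is distinct from an unsupported-image finding, so ignoring unscannable images cannot hide a scan that never started.
var ErrScanTimeout = errors.New("scan not available after retry budget")
// collectFindings retries while the scan does not exist yet, then walks every page; 20 attempts x 15s is the PR's 5 minute budget.
func collectFindings(ctx context.Context, c scanClient, maxAttempts int, sleep func()) ([]string, error) {
	var all []string
	var token *string
	for attempts := 0; ; attempts++ {
		findings, next, err := c.DescribeImageScanFindings(ctx, token)
		switch {
		case errors.Is(err, errScanNotFound) && token == nil && attempts < maxAttempts:
			sleep()
			continue // scan not started yet: wait and ask again
		case errors.Is(err, errScanNotFound) && token == nil:
			return nil, fmt.Errorf("%w (%d attempts)", ErrScanTimeout, attempts)
		case err != nil:
			return nil, fmt.Errorf("describe scan findings: %w", err)
		}
		all = append(all, findings...)
		if next == nil { // last page
			return all, nil
		}
		token = next
	}
}
// fakeECR is a constructed test double: "scan not found" for the first pending calls, then two pages.
type fakeECR struct{ pending int }
func (f *fakeECR) DescribeImageScanFindings(_ context.Context, token *string) ([]string, *string, error) {
	if f.pending > 0 {
		f.pending--
		return nil, nil, errScanNotFound
	}
	if token == nil {
		next := "page2"
		return []string{"CVE-EXAMPLE-1", "CVE-EXAMPLE-2"}, &next, nil
	}
	return []string{"CVE-EXAMPLE-3"}, nil, nil
}
```

The fake's finding IDs are constructed placeholders; in the real tool the sleep would be time.Sleep(15 * time.Second) and maxAttempts 20.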


Summary
Migrate from deprecated Clair-based ECR scanning to AWS native basic scanning (default since Feb 2, 2026). Upgrade AWS SDK Go v2 and all cascading dependencies to current versions.

Changes

Core
- Add retry logic for ScanNotFoundException to handle scan initiation delay with AWS native scanning
- Paginate DescribeImageScanFindings to collect all findings across pages
- Handle both Clair UnsupportedImageError and AWS native ScanNotFoundException for unscannable images

Dependencies (cascading from Go/SDK bump)
- distribution/reference extracted to github.com/distribution/reference

CI and Tooling
- goreleaser --rm-dist -> --clean
- Workflows trigger on both master and main branches

Tests
- Replace deprecated resin/scratch with locally built scratch image
- Switch to python:3.13 (Debian-based) for CVE tests
- Fix negative tests to exit 1 on unexpected pass

Testing
- go vet passes clean

Checklist
- go vet passes

Made with Cursor
Note
Medium Risk
Changes core ECR scan waiting/handling behavior and bumps major dependencies (AWS SDK, Docker client, Go), which could alter scan outcomes or push/scan interactions despite being straightforward.

Overview
Migrates scan-result collection to work reliably with AWS native basic scanning by retrying the scan waiter on ScanNotFoundException, treating persistent scan absence as an unsupported-image finding, and paginating DescribeImageScanFindings to return complete results.

Modernizes the project by upgrading to Go 1.24, updating the AWS SDK v2/ECR client and Docker client APIs, and adjusting output/error-handling patterns (e.g., close/append/render errcheck fixes and newer tablewriter and distribution/reference usage).

Updates automation and docs: GitHub Actions now run on master and main, bump action versions (checkout/setup-go/goreleaser/golangci-lint/codeql), refresh the linter image, update integration tests to use python:3.13 and a locally built scratch image, and bump documentation/changelog to v0.7.0.

Written by Cursor Bugbot for commit 622e992.