Skip to content

AWS Security Hub

Amazon Security Hub

Upload findings to Security Hub

In the following example using the template asff.tpl, ASFF file can be generated.

$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine

ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.

The Product ARN field follows the pattern below to match what AWS requires for the product resource type.

"ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",

In order to upload results you must first run enable-import-findings-for-product like:

aws securityhub enable-import-findings-for-product --product-arn arn:aws:securityhub:<AWS_REGION>::product/aquasecurity/aquasecurity

The findings are formatted for the API with a key of Findings and a value of the array of findings. In order to upload via the CLI the outer wrapping must be removed being left with only the array of findings. The easiest way of doing this is with the jq library using the command

cat report.asff | jq '.Findings'

Then, you can upload it with AWS CLI.

$ aws securityhub batch-import-findings --findings file://report.asff

Note

The batch-import-findings command limits the number of findings uploaded to 100 per request. The best known workaround to this problem is using jq to run the following command

jq '.[:100]' report.asff 1> short_report.asff

Customize

You can customize asff.tpl

$ export AWS_REGION=us-west-1
$ export AWS_ACCOUNT_ID=123456789012
$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine

Reference

aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/