This repository is used to demo building a dockerized application intended to be run on AWS ECS Fargate and leveraging CrowdStrike Falcon Container sensor to protect the application at runtime.
The Actions workflow demo file does the following:
- Checks out a copy of this repository
- Scans the repository with the Falcon Cloud Security Infrastructure as Code Scanner and uploads the resulting SARIF file
- Builds and tags the Dockerfile
- Scans the resulting image with CrowdStrike container image scanner service to check for Vulnerabilities/Malware/Secrets
- Logs into AWS & ECR
- Pushes the container image which was built to ECR
- Pulls a copy of the Falcon Container image to perform the patching steps
- Sample 1 - Patch an ECS Task definition JSON schema file taskdefinition.json then uploads to patch definition to the ECS service using the
aws ecs register-task-definitioncommand syntax - Sample 2 - Patch an AWS CloudFormation template cloudformation.yaml then uploads the modified templates to the AWS CloudFormation service using the
aws cloudformation create-change-setcommand syntax
Both methods injects the additional resources CrowdStrike requires which includes the following with each Task/ContainerDefinition within the templates:
- Adds additional volumes for CrowdStrike resources
- CrowdStrike init container (configures volumes and copies required files)
- Sets DependsOn statements to ensure init container finishes before starting application containers
- Adds the mount points to the users containers to be protected
- Modifies the Entrypoint/CMD values to load CrowdStrike before the containers entrypoint (the patching utility queries the image using manifest at time of patching if not already specified within the template)
- Enables the SYS_PTRACE Linux Capability in each protected container
For more information refer to the official Documentation available within the Falcon platform for your respective Falcon cloud: US-1 US-2 EU-1