feat(bootstrap): option to scan container asset images

packages/aws-cdk/bin/cdk.ts

@@ -79,6 +79,7 @@ async function parseCommandLineArguments() {
       .option('bootstrap-customer-key', { type: 'boolean', desc: 'Create a Customer Master Key (CMK) for the bootstrap bucket (you will be charged but can customize permissions, modern bootstrapping only)', default: undefined, conflicts: 'bootstrap-kms-key-id' })
       .option('qualifier', { type: 'string', desc: 'Unique string to distinguish multiple bootstrap stacks', default: undefined })
       .option('public-access-block-configuration', { type: 'boolean', desc: 'Block public access configuration on CDK toolkit bucket (enabled by default) ', default: undefined })
+      .option('container-asset-scan-on-push', { type: 'boolean', desc: 'Scan container asset images on push on CDK toolkit ECR (disabled by default)', default: false })
       .option('tags', { type: 'array', alias: 't', desc: 'Tags to add for the stack (KEY=VALUE)', nargs: 1, requiresArg: true, default: [] })
       .option('execute', { type: 'boolean', desc: 'Whether to execute ChangeSet (--no-execute will NOT execute the ChangeSet)', default: true })
       .option('trust', { type: 'array', desc: 'The AWS account IDs that should be trusted to perform deployments into this environment (may be repeated, modern bootstrapping only)', default: [], nargs: 1, requiresArg: true })

packages/aws-cdk/lib/api/bootstrap/bootstrap-environment.ts

@@ -144,6 +144,7 @@ export class Bootstrapper {
         CloudFormationExecutionPolicies: cloudFormationExecutionPolicies.join(','),
         Qualifier: params.qualifier,
         PublicAccessBlockConfiguration: params.publicAccessBlockConfiguration || params.publicAccessBlockConfiguration === undefined ? 'true' : 'false',
+        ContainerAssetScanOnPush: params.containerAssetScanOnPush === undefined ? 'false' : params.containerAssetScanOnPush ? 'true' : 'false',
       }, {
         ...options,
         terminationProtection: options.terminationProtection ?? current.terminationProtection,

packages/aws-cdk/lib/api/bootstrap/bootstrap-props.ts

@@ -101,4 +101,11 @@ export interface BootstrappingParameters {
    */
   readonly publicAccessBlockConfiguration?: boolean;
 
+  /**
+   * Whether or not to enable image scanning on push for the container assets ECR repository
+   *
+   * @default false
+   */
+  readonly containerAssetScanOnPush?: boolean;
+
 }

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

@@ -42,6 +42,11 @@ Parameters:
     Default: 'true'
     Type: 'String'
     AllowedValues: ['true', 'false']
+  ContainerAssetScanOnPush:
+    Description: Whether or not to enable image scanning on push for the container assets ECR repository
+    Default: 'false'
+    Type: 'String'
+    AllowedValues: [ 'true', 'false' ]
 Conditions:
   HasTrustedAccounts:
     Fn::Not:
@@ -207,6 +212,9 @@ Resources:
           - HasCustomContainerAssetsRepositoryName
           - Fn::Sub: "${ContainerAssetsRepositoryName}"
           - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region}
+      ImageScanningConfiguration:
+        ScanOnPush:
+          Ref: ContainerAssetScanOnPush
   FilePublishingRole:
     Type: AWS::IAM::Role
     Properties:

packages/aws-cdk/test/api/bootstrap2.test.ts

@@ -329,4 +329,32 @@ describe('Bootstrapping v2', () => {
       }));
     });
   });
+
+  describe('Scan on push', () => {
+    test.each([
+      // no scan on push parameter passed
+      [undefined, 'false'],
+      // passed as true
+      [true, 'true'],
+      // passed as false
+      [false, 'false'],
+    ])('containerAssetScanOnPush=%p => parameter becomes %p', async (containerAssetScanOnPush, execptedSetting) => {
+      // GIVEN
+      // mockTheToolkitInfo({});
+
+      // WHEN
+      await bootstrapper.bootstrapEnvironment(env, sdk, {
+        parameters: {
+          containerAssetScanOnPush,
+        },
+      });
+
+      // THEN
+      expect(mockDeployStack).toHaveBeenCalledWith(expect.objectContaining({
+        parameters: expect.objectContaining({
+          ContainerAssetScanOnPush: execptedSetting,
+        }),
+      }));
+    });
+  });
 });