This week at the AWS Summit Sydney 2025 I had the privilege of speaking in the Developer Lounge about a topic that’s close to my heart: baking security straight into the CI pipeline.
In this post I’ll recap the session and leave you with practical next-steps you can put into production today.
TL;DR
Scan early, scan often, scan cheaply. With Amazon Inspector, GitHub Actions, and a few well-placed network controls you can catch vulnerabilities before they ever reach a cluster—often for around $0.01 a scan and in ~10 seconds.
Why Container Security Still Hurts 🔍
87 % of production container images contain critical or high-severity vulnerabilities (Sysdig Cloud-Native Security Report 2023). The reasons are familiar:
- Upstream code moves fast – new CVEs land daily.
- Images live long – they’re rebuilt far less frequently than source.
- Runtime drift is opaque – knowing exactly what’s running when a zero-day drops is hard.
The goal: bring continuous, automated vulnerability insight into the developer feedback loop, instead of treating it as an after-thought.
The Stack I Showcased ⚙️
Layer | What We Used | Why It Matters |
---|---|---|
CI | GitHub Actions | Native for most teams; easy to extend with Marketplace actions. |
Scanning | Amazon Inspector GitHub Action | Full CVE scan + SBOM (CycloneDX) creation in one step. |
Scheduling | GitHub Actions – cron | Daily rebuilds keep “known-good” images fresh. |
Cost | ≈ AUD 0.015 / scan | Cheap enough to run every build. |
Network guard-rails | VPC Interface Endpoints, AWS Network Firewall & Route 53 DNS Firewall | Ensure only approved images are pulled, and egress is controlled. |
Posture visibility | AWS Security Hub | See which ECR images are vulnerable. |
Dependency hygiene | Renovate Bot | Automated PRs to keep base images & libraries current. |
AI code reviews | Amazon Q Developer for GitHub (preview) | Inline suggestions & security insights on every PR. |
All the code is open-source here → https://github.com/tnhtnh/container-pipeline-sydney-summit-2025
Walkthrough: The Secure Pipeline in Action 🚀
1. Set the risk thresholds for the workload

```yaml
env:
  AWS_REGION: ${{ vars.AWS_REGION || 'ap-southeast-2' }}
  ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY || 'my-ecr-repo' }}
  CRITICAL_THRESHOLD: ${{ vars.CRITICAL_THRESHOLD || 0 }}
  HIGH_THRESHOLD: ${{ vars.HIGH_THRESHOLD || 0 }}
  MEDIUM_THRESHOLD: ${{ vars.MEDIUM_THRESHOLD || 10 }}
  LOW_THRESHOLD: ${{ vars.LOW_THRESHOLD || 10 }}
  OTHER_THRESHOLD: ${{ vars.OTHER_THRESHOLD || 20 }}
```
2. Build the Image
```yaml
- name: Build Docker image
  uses: docker/build-push-action@v6
  with:
    context: .
    file: ./Dockerfile
    push: false
    build-args: |
      GIT_SHA=${{ github.sha }}
    tags: |
      ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}
```
3. Scan with Amazon Inspector
```yaml
- name: Scan built image with Inspector
  uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
  id: inspector
  with:
    artifact_type: 'container'
    artifact_path: '${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}'
    critical_threshold: ${{ env.CRITICAL_THRESHOLD }}
    high_threshold: ${{ env.HIGH_THRESHOLD }}
    medium_threshold: ${{ env.MEDIUM_THRESHOLD }}
    low_threshold: ${{ env.LOW_THRESHOLD }}
    other_threshold: ${{ env.OTHER_THRESHOLD }}
```

Average runtime during the demo: ~10 seconds.
4. Fail the job if it exceeds my risk threshold
```yaml
- name: Fail job if vulnerability threshold is exceeded
  run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
```
Pro tip: Add a scheduled trigger to the workflow so the image is rebuilt and re-scanned daily:

```yaml
on:
  schedule:
    - cron: "0 2 * * *"
```

If a new CVE surfaces, the pipeline fails and you’re notified immediately—long before it hits prod.
Beyond CI: Defence-in-Depth 🛡️
Control | What It Does | Quick Win |
---|---|---|
VPC Interface Endpoints (ECR) | Keep image pulls on private links; block public Internet. | Enable com.amazonaws.<region>.ecr.dkr in your build VPC. |
AWS Network Firewall | Enforce allow-lists / Suricata rules for egress. | Deny outbound traffic to public Docker Hub. |
Route 53 DNS Firewall | Policy-based DNS filtering. | Block wildcard *.docker.io except the repos you explicitly mirror. |
Combine these with Security Hub’s Inspector container findings to answer, “Which running tasks are based on image X?” in seconds.
Cost & Performance Numbers 💰
Item | Cost (Sydney) | Notes |
---|---|---|
On-demand image scan | ≈ AUD 0.015 | First 1000 / mo on Free Tier. |
Continuous re-scan | ≈ AUD 0.003 | When using ECR continuous scanning. |
Build time impact | + ~10 s | Scales with image size; cache your layers! |
For most teams the spend is pennies compared to the blast-radius of shipping a vulnerable container.
Pulling It All Together 🧩
- Fork the demo repo and adapt the workflow to your project.
- Set your thresholds—zero criticals in prod, relaxed for dev.
- Schedule daily (or hourly) rebuilds to detect new CVEs fast.
- Lock down egress with VPC endpoints & firewalls.
- Enable Security Hub for a single pane of glass across Inspector, GuardDuty, and more.
- Let Renovate & Amazon Q Developer keep dependencies—and your colleagues—honest.
Follow me on LinkedIn for updates, and if you tried the pipeline, tell me how it went—I’d love to feature real-world lessons in a future post!
✨ Resources
- GitHub repo – https://github.com/tnhtnh/container-pipeline-sydney-summit-2025
- AWS Blog – Inspector ↔️ running-container mapping announcement https://aws.amazon.com/blogs/aws/amazon-inspector-enhances-container-security-by-mapping-amazon-ecr-images-to-running-containers/
- Amazon Q Developer for GitHub (preview) https://aws.amazon.com/blogs/aws/amazon-q-developer-in-github-now-in-preview-with-code-generation-review-and-legacy-transformation-capabilities/
🙏 A big Thank You
Thank you to the Community Builders team, especially Shafraz Rahim, for allowing me to share my knowledge on container security with the group at Summit. And thank you to Stephen Sennett for being the Community Builder Community Advocate for the class of AWS Sydney Summit 2025!
Final Thoughts
Security shouldn’t slow developers down—it should empower them to ship with confidence.
With Amazon Inspector costing about the same as a few kilobytes of S3 storage, there’s no excuse not to give every container the green light before it heads to production.
See you at the next event, and happy (secure) building!