
From the Developer Lounge: Building a Secure Container Pipeline with Amazon Inspector & GitHub Actions at AWS Sydney Summit 2025

This week at the AWS Summit Sydney 2025 I had the privilege of speaking in the Developer Lounge about a topic that’s close to my heart: baking security straight into the CI pipeline.
In this post I’ll recap the session and leave you with practical next-steps you can put into production today.

TL;DR
Scan early, scan often, scan cheaply. With Amazon Inspector, GitHub Actions, and a few well-placed network controls you can catch vulnerabilities before they ever reach a cluster—often for around $0.01 a scan and in ~10 seconds.

AWS Sydney Summit 2025


Why Container Security Still Hurts 🔍

87% of production container images contain critical or high-severity vulnerabilities (Sysdig Cloud-Native Security Report 2023). The reasons are familiar:

  1. Upstream code moves fast – new CVEs land daily.
  2. Images live long – they’re rebuilt far less frequently than source.
  3. Runtime drift is opaque – knowing exactly what’s running when a zero-day drops is hard.

The goal: bring continuous, automated vulnerability insight into the developer feedback loop, instead of treating it as an after-thought.


The Stack I Showcased ⚙️

| Layer | What We Used | Why It Matters |
|---|---|---|
| CI | GitHub Actions | Native for most teams; easy to extend with Marketplace actions. |
| Scanning | Amazon Inspector GitHub Action | Full CVE scan + SBOM (CycloneDX) creation in one step. |
| Scheduling | GitHub Actions – cron | Daily rebuilds keep “known-good” images fresh. |
| Cost | ≈ AUD 0.015 / scan | Cheap enough to run every build. |
| Network guard-rails | VPC Interface Endpoints, AWS Network Firewall & Route 53 DNS Firewall | Ensure only approved images are pulled, and egress is controlled. |
| Posture visibility | AWS Security Hub | See which ECR images are vulnerable. |
| Dependency hygiene | Renovate Bot | Automated PRs to keep base images & libraries current. |
| AI code reviews | Amazon Q Developer for GitHub (preview) | Inline suggestions & security insights on every PR. |

All the code is open-source here → https://github.com/tnhtnh/container-pipeline-sydney-summit-2025


Walkthrough: The Secure Pipeline in Action 🚀

1. Set the risk for the workload

```yaml
env:
  AWS_REGION: ${{ vars.AWS_REGION || 'ap-southeast-2' }}
  ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY || 'my-ecr-repo' }}
  CRITICAL_THRESHOLD: ${{ vars.CRITICAL_THRESHOLD || 0 }}
  HIGH_THRESHOLD: ${{ vars.HIGH_THRESHOLD || 0 }}
  MEDIUM_THRESHOLD: ${{ vars.MEDIUM_THRESHOLD || 10 }}
  LOW_THRESHOLD: ${{ vars.LOW_THRESHOLD || 10 }}
  OTHER_THRESHOLD: ${{ vars.OTHER_THRESHOLD || 20 }}
```

2. Build the Image

```yaml
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          push: false
          build-args: |
            GIT_SHA=${{ github.sha }}
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}
```

3. Scan with Amazon Inspector

```yaml
      - name: Scan built image with Inspector
        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
        id: inspector
        with:
          artifact_type: 'container'
          artifact_path: '${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}'
          critical_threshold: ${{ env.CRITICAL_THRESHOLD }}
          high_threshold: ${{ env.HIGH_THRESHOLD }}
          medium_threshold: ${{ env.MEDIUM_THRESHOLD }}
          low_threshold: ${{ env.LOW_THRESHOLD }}
          other_threshold: ${{ env.OTHER_THRESHOLD }}
```

Average runtime during the demo: ~10 seconds.

4. Fail the job if it exceeds my risk threshold

```yaml
      - name: Fail job if vulnerability threshold is exceeded
        run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
```

Pro tip: Add a scheduled workflow (`schedule: cron: "0 2 * * *"`) to rebuild daily. If a new CVE surfaces, the pipeline fails and you’re notified immediately—long before it hits prod.
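The four steps assembled into one workflow, as an added example rather than the demo repository's own file: it adds the OIDC credential step and the ECR login step that the snippets reference as `login-ecr`, plus the cron trigger from the tip. The role ARN is a placeholder, and the job assumes that role may pull from ECR and call the Inspector `ScanSbom` API.

```yaml
name: build-scan-gate
on:
  push: { branches: [main] }
  schedule: [{ cron: "0 2 * * *" }]   # daily rebuild: a newly published CVE fails the job
permissions: { id-token: write, contents: read }   # id-token is required for OIDC federation to AWS
env:
  AWS_REGION: ${{ vars.AWS_REGION || 'ap-southeast-2' }}
  ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY || 'my-ecr-repo' }}
  CRITICAL_THRESHOLD: ${{ vars.CRITICAL_THRESHOLD || 0 }}
  HIGH_THRESHOLD: ${{ vars.HIGH_THRESHOLD || 0 }}
  MEDIUM_THRESHOLD: ${{ vars.MEDIUM_THRESHOLD || 10 }}
  LOW_THRESHOLD: ${{ vars.LOW_THRESHOLD || 10 }}
  OTHER_THRESHOLD: ${{ vars.OTHER_THRESHOLD || 20 }}
jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumed: an IAM role that trusts GitHub's OIDC provider and is allowed to
      # pull from ECR and call inspector-scan:ScanSbom. The ARN is a placeholder.
      - name: Configure AWS credentials (OIDC, no long-lived keys)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-github-build-role
          aws-region: ${{ env.AWS_REGION }}
      - name: Login to Amazon ECR
        id: login-ecr   # the build and scan steps reference this id
        uses: aws-actions/amazon-ecr-login@v2
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
          load: true    # keep the image in the runner's daemon so the scanner can read it
          tags: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}
      - name: Scan built image with Inspector
        id: inspector
        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1
        with:
          artifact_type: container
          artifact_path: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}
          critical_threshold: ${{ env.CRITICAL_THRESHOLD }}
          high_threshold: ${{ env.HIGH_THRESHOLD }}
          medium_threshold: ${{ env.MEDIUM_THRESHOLD }}
          low_threshold: ${{ env.LOW_THRESHOLD }}
          other_threshold: ${{ env.OTHER_THRESHOLD }}
      # The action outputs 1 when any threshold is exceeded, so `exit` fails the job.
      - name: Fail job if vulnerability threshold is exceeded
        run: exit ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }}
```

Nothing is pushed to ECR until this job passes, so a failing scan leaves no vulnerable image in the registry for a deploy to pick up.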


Beyond CI: Defence-in-Depth 🛡️

| Control | What It Does | Quick Win |
|---|---|---|
| VPC Interface Endpoints (ECR) | Keep image pulls on private links; block public Internet. | Enable `com.amazonaws.<region>.ecr.dkr` in your build VPC. |
| AWS Network Firewall | Enforce allow-lists / Suricata rules for egress. | Deny outbound traffic to public Docker Hub. |
| Route 53 DNS Firewall | Policy-based DNS filtering. | Block wildcard `*.docker.io` except the repos you explicitly mirror. |

Combine these with Security Hub’s Inspector container findings to answer, “Which running tasks are based on image X?” in seconds.


Cost & Performance Numbers 💰

| Item | Cost (Sydney) | Notes |
|---|---|---|
| On-demand image scan | ≈ AUD 0.015 | First 1000 / mo on Free Tier. |
| Continuous re-scan | ≈ AUD 0.003 | When using ECR continuous scanning. |
| Build time impact | + ~10 s | Scales with image size; cache your layers! |

For most teams the spend is pennies compared to the blast-radius of shipping a vulnerable container.


Pulling It All Together 🧩

  1. Fork the demo repo and adapt the workflow to your project.
  2. Set your thresholds—zero criticals in prod, relaxed for dev.
  3. Schedule daily (or hourly) rebuilds to detect new CVEs fast.
  4. Lock down egress with VPC endpoints & firewalls.
  5. Enable Security Hub for a single pane of glass across Inspector, GuardDuty, and more.
  6. Let Renovate & Amazon Q Developer keep dependencies—and your colleagues—honest.

Follow me on LinkedIn for updates, and if you tried the pipeline, tell me how it went—I’d love to feature real-world lessons in a future post!


✨ Resources

🙏 A big Thank You

Thank you to the Community Builders team, especially Shafraz Rahim, for allowing me to share my knowledge on container security with the group at Summit. And thank you to Stephen Sennett for being the Community Builder Community Advocate for the class of AWS Sydney Summit 2025!


Final Thoughts

Security shouldn’t slow developers down—it should empower them to ship with confidence.
With Amazon Inspector costing about the same as a few kilobytes of S3 storage, there’s no excuse not to give every container the green light before it heads to production.

See you at the next event, and happy (secure) building!
