Hey everyone,
I've been using AWS ECR without any issues, but now I'm starting a project with a client in a regulated environment, and it's clear that just having a registry isn't enough. They have specific requirements like how we can confirm an image was built in GitHub Actions, how to prove there were no manual pushes, where the scan results are stored, and how we can provide evidence during audits. Using ECR feels like I'm piecing together a bunch of different services, and I'm not confident that I can provide solid answers to their questions. Has anyone else encountered this? Did you stick with ECR or switch to a different solution? How challenging was the migration, and what would you do differently if you had to go through this again?
5 Answers
You might want to check out tools like Sonatype or JFrog Artifactory. JFrog tends to be pricier but offers security scanning and trust evidence, as well as SBOMs all in one place, which really cuts down on the need to connect multiple tools. Plus, it supports various types of artifacts, like npm, Python, and Java, streamlining your entire supply chain.
Your client is clearly looking for SBOM capabilities, which ECR lacks, so consider that in your discussions with them.
All of those concerns can actually be addressed using AWS ECR along with other AWS services. Things like image signing, tag immutability, continuous scanning, and maintaining audit artifacts are all supported. Usually, teams employ a third-party compliance tool that can guide you based on the required frameworks. The trickiest part may actually come from GitHub Actions depending on the compliance framework your client has in mind.
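Added example (not from anyone in this thread): the "no manual pushes" question above is answerable from CloudTrail, since every ECR write is logged with the calling principal. The script below walks a CloudTrail log file and flags two things: a `PutImage` made by anything other than the role GitHub Actions assumes through OIDC, and a `PutImageTagMutability` call that turns immutability back off. The role name `GitHubActionsECRPush`, the account id and the sample records are all constructed for the example.

```python
"""Audit CloudTrail records for ECR image pushes that bypassed CI.

Assumed (not stated in the thread): GitHub Actions pushes by assuming an IAM role named
GitHubActionsECRPush through GitHub's OIDC provider. Any PutImage by another principal is
a manual push that must be explained to the auditor, and any call that sets tag mutability
back to MUTABLE undermines the "tags cannot be overwritten" guarantee.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical CI role; the session name after the final slash is whatever the workflow chose.
CI_PUSH_ROLE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/GitHubActionsECRPush/[^/]+$")


@dataclass(frozen=True)
class Finding:
    event_name: str
    principal: str
    repository: str
    reason: str


def audit_record(record: dict) -> Optional[Finding]:
    """Return a Finding for one CloudTrail record, or None if it is not of interest."""
    if record.get("eventSource") != "ecr.amazonaws.com":
        return None
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    repo = params.get("repositoryName", "<unknown>")
    arn = record.get("userIdentity", {}).get("arn", "")
    if name == "PutImage" and not CI_PUSH_ROLE.match(arn):
        return Finding(name, arn, repo, "image pushed by a principal other than the CI role")
    if name == "PutImageTagMutability" and params.get("imageTagMutability") == "MUTABLE":
        return Finding(name, arn, repo, "tag immutability switched off; tags can now be overwritten")
    return None


def audit_records(records: List[dict]) -> List[Finding]:
    """Run audit_record over every record and keep the findings, in log order."""
    return [f for f in map(audit_record, records) if f is not None]


def load_trail_file(text: str) -> List[dict]:
    """CloudTrail log files are a JSON object with a top-level "Records" array."""
    return json.loads(text)["Records"]


# Constructed sample log, trimmed to the fields the audit uses; not real account data.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/GitHubActionsECRPush/GitHubActions"},
     "requestParameters": {"repositoryName": "payments-api", "imageTag": "1.4.2"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser"}, "requestParameters": {}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"repositoryName": "payments-api", "imageTag": "hotfix"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImageTagMutability",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"repositoryName": "payments-api", "imageTagMutability": "MUTABLE"}},
]})


if __name__ == "__main__":
    for finding in audit_records(load_trail_file(SAMPLE_TRAIL)):
        print(f"{finding.event_name} on {finding.repository} by {finding.principal}: {finding.reason}")
```

Run it over the real trail files for the period under audit and an empty result is the evidence that no one pushed outside CI; the same check can be wired to an alert so a manual push is caught when it happens rather than at audit time. Pair it with an IAM policy that only grants `ecr:PutImage` to the CI role, so the log check is a second line rather than the only control.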
You're likely going to have to stitch things together no matter what registry you choose. I’m curious—what do they mean by wanting proof of images built in GitHub Actions? If the goal is to verify integrity, they could just sign the images that they built. If they didn’t build them, does it really matter if they were built with GitHub Actions? Cloud migration can be easier than you think; you can mirror the existing ECR registry to another service like ZOT or Harbor and just point your consumer artifacts to the new location.
Consider looking into image signing and verification solutions like Sigstore or Notary. Don't overlook having an SBOM (Software Bill of Materials) and provenance details either.

Exactly! They mentioned needing a build provenance as evidence too, which is super important.
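Added example (not from anyone in this thread) for the provenance point raised in the last two replies: once an image carries a signed SLSA provenance attestation, "was it built in GitHub Actions?" becomes a policy check on the statement's contents. The code below assumes the signature over the attestation has already been verified (with cosign or whatever the client settles on) and only checks the payload: the subject digest is the image being deployed, the builder id is a workflow of the expected repository, and the recorded source repository matches. Field names follow the SLSA v1 provenance layout; `example-org/payments-api` and the sample statement are constructed for the example.

```python
"""Policy checks on a SLSA v1 provenance statement attached to a container image.

Assumed: the attestation's signature (Sigstore/cosign, or whatever the client settles on)
was already verified before this runs; these checks only decide whether the *content*
proves the image came from the expected GitHub Actions workflow. Field names follow the
SLSA v1 provenance layout; the repository/builder values and the sample statement are
constructed for this example and come from no real build.
"""
from typing import List

INTOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"

# Hypothetical policy: only this repo's workflows may produce images for this registry.
EXPECTED_REPO = "https://github.com/example-org/payments-api"
EXPECTED_BUILDER_PREFIX = EXPECTED_REPO + "/.github/workflows/"


def check_provenance(statement: dict, image_digest: str,
                     expected_repo: str, expected_builder_prefix: str) -> List[str]:
    """Return the policy violations found; an empty list means the statement passes."""
    problems: List[str] = []
    if statement.get("_type") != INTOTO_V1:
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_V1:
        problems.append(f"unexpected predicate type {statement.get('predicateType')!r}")

    # The subject binds the statement to one exact image digest; a tag is not enough.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    wanted = image_digest[len("sha256:"):] if image_digest.startswith("sha256:") else image_digest
    if wanted not in digests:
        problems.append("subject digest does not match the image being verified")

    predicate = statement.get("predicate", {})
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder_id.startswith(expected_builder_prefix):
        problems.append(f"builder id {builder_id!r} is not a workflow of the expected repository")

    # externalParameters.workflow.repository is where the GitHub Actions build type records
    # the source repo (assumed layout; adjust for other builders).
    workflow = (predicate.get("buildDefinition", {})
                         .get("externalParameters", {})
                         .get("workflow", {}))
    if workflow.get("repository") != expected_repo:
        problems.append(f"built from {workflow.get('repository')!r}, expected {expected_repo!r}")
    return problems


# Constructed sample statement (decoded DSSE payload), not from a real pipeline.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_STATEMENT = {
    "_type": INTOTO_V1,
    "subject": [{"name": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments-api",
                 "digest": {"sha256": "ab" * 32}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "externalParameters": {"workflow": {
                "ref": "refs/heads/main",
                "repository": EXPECTED_REPO,
                "path": ".github/workflows/build.yml"}},
        },
        "runDetails": {"builder": {
            "id": EXPECTED_REPO + "/.github/workflows/build.yml@refs/heads/main"}},
    },
}


if __name__ == "__main__":
    problems = check_provenance(SAMPLE_STATEMENT, SAMPLE_DIGEST, EXPECTED_REPO, EXPECTED_BUILDER_PREFIX)
    print("provenance OK" if not problems else "\n".join(problems))
```

The order matters: signature verification first, then these content checks, then deploy. A statement that passes the content checks but was signed by an unexpected identity proves nothing, which is why the lead-in treats signature verification as a precondition rather than something this code replaces. Keeping the verified statements next to the scan results gives the auditor one place to look for both "who built it" and "what was found in it".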