Skip to main content
Version: 2.0 🆕

Security Integration (AWS Inspector)

Introduction​

In addition to the built-in Trivy and Clair scanners, Devtron lets you integrate external security tools for image vulnerability scanning. Amazon Inspector is one such tool, integrated through Devtron's generic scan-tool framework.

When AWS Inspector is enabled, Devtron generates a Software Bill of Materials (SBOM) for the container image built by your pipeline and sends that SBOM to Amazon Inspector for vulnerability analysis. The findings returned by Amazon Inspector are normalized and surfaced in Devtron exactly like Trivy/Clair results — in the Security tab of the build/deployment — and can be enforced through Security Policies.

Devtron's scanning is pluggable

AWS Inspector is not hardcoded into Devtron. It is registered using the same generic scan-tool framework that any tool can use. A scan tool in Devtron is simply a scan tool metadata entry plus a scan plugin. This means you can integrate your own scanning tool the same way AWS Inspector is integrated — see Integrating Your Own Scan Tool.


How AWS Inspector Scanning Works​

Understanding the flow helps in configuring the integration correctly:

  1. Image build – A CI (build) pipeline builds and pushes your container image. Scanning runs when Scan for vulnerabilities is enabled on the pipeline (or enforced globally).

  2. SBOM generation – Devtron's image scanner generates a Software Bill of Materials (SBOM) — an inventory of the OS packages and application dependencies present in the image. This step is bounded by the sbomGenerationTimeout.

  3. Inspector scan – The generated SBOM is submitted to Amazon Inspector (using the AWS credentials and region you configured). Inspector analyzes the SBOM against its vulnerability intelligence and returns the findings. This step is bounded by the scanningTimeout.

  4. Normalization – Devtron maps Amazon Inspector's raw response into its standard scan-result format using the tool's resultDescriptorTemplate, so the findings render consistently with other scanners.

  5. Result & policy enforcement – The findings are stored against the image and shown in the Security tab. Security Policies can then automatically allow or block the deployment based on the severity of detected vulnerabilities.

SBOM-based scanning

Because AWS Inspector scans an SBOM (not the running image), the IAM identity you provide needs permission to submit an SBOM for scanning to Amazon Inspector. No agent needs to be installed in your cluster.


Prerequisites​

Before enabling AWS Inspector, ensure the following:

  • AWS account with Amazon Inspector available in the region you intend to use. See the Amazon Inspector getting-started guide.
  • IAM credentials (access key and secret key) for an identity that has permission to submit an SBOM to Amazon Inspector for scanning (the Amazon Inspector SBOM scan action, e.g., inspector-scan:ScanSbom). Grant least-privilege permissions scoped to this action.
  • Build and Deploy (CI/CD) integration installed. For Enterprise, this is installed by default; OSS users must install it from Devtron Stack Manager.
  • Super-admin access to Devtron, since registering/enabling a scan tool is a global operation.

Enable AWS Inspector​

AWS Inspector is an Enterprise integration. To enable it for your Devtron setup, contact your Devtron representative or support@devtron.ai. If you self-manage Devtron Enterprise, the integration is enabled by supplying the AWS Inspector configuration to Devtron (described below) and registering the scan tool.

AWS Inspector Configuration​

Devtron authenticates with Amazon Inspector using a JSON configuration. Provide the following values:

FieldTypeRequiredDefaultDescription
awsRegionstringYes—The AWS region in which Amazon Inspector is used, e.g., us-east-2.
accessKeystringYes—Access key of the IAM identity used to authenticate with Amazon Inspector.
secretKeystringYes—Secret key of the IAM identity used to authenticate with Amazon Inspector.
sbomGenerationTimeoutint (minutes)No10Maximum time allowed to generate the SBOM for the image.
scanningTimeoutint (minutes)No10Maximum time allowed for Amazon Inspector to scan the SBOM.

Example configuration:

{
"awsRegion": "us-east-2",
"accessKey": "AKIAXXXXXXXXXXXXXXXX",
"secretKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"sbomGenerationTimeout": 10,
"scanningTimeout": 10
}
Keep credentials secure

Treat accessKey and secretKey as secrets. Use an IAM identity with least-privilege permissions limited to Amazon Inspector SBOM scanning, and rotate the keys periodically.


Scanning an Image with AWS Inspector​

Once AWS Inspector is enabled:

  1. Go to your application's Configurations → Workflow Editor and edit (or create) the build pipeline.

  2. In the build pipeline's advanced options, enable Scan for vulnerabilities.

    info

    If image scanning is enforced globally by your administrator, the scan runs on every build and this toggle may be locked on.

  3. Trigger the build. After the image is built, Devtron generates the SBOM and scans it via Amazon Inspector as described in How AWS Inspector Scanning Works.


Viewing Scan Results​

Once an image is scanned, the vulnerabilities detected by Amazon Inspector appear in the Security tab of the build/app, alongside the scan tool name and a severity breakdown (Critical/High/Medium/Low). Based on these results, Security Policies can automatically allow or block deployments.

Refer to Security Features to learn more about viewing scan results and enforcing policies.


Integrating Your Own Scan Tool​

Devtron's scanning is built on a generic scan-tool framework, so AWS Inspector, Trivy, and Clair are all integrated the same way. You can register your own scanning tool by supplying two things in a single registration request: scan tool metadata and a scan plugin.

Who Can Perform This Action?

Registering a scan tool is a global operation and can only be performed by a super-admin.

1. Scan Tool Metadata​

This describes the tool to Devtron and how to interpret its output.

FieldRequiredDescription
nameYesName of the scanning tool, e.g., AWS INSPECTOR. The name + version combination must be unique.
versionYesVersion of the tool, e.g., V1.
scanTargetYesWhat the tool scans. Currently IMAGE is supported.
resultDescriptorTemplateYesA template that maps the tool's raw output into the standard result format Devtron uses to render vulnerabilities.
scanToolUrlNoIcon/logo URL shown next to the tool in Devtron's UI.
serverBaseUrlNoBase URL of the scanning service, if the tool talks to an external server.
toolMetaDataNoAny additional tool-specific metadata.

2. Scan Plugin​

This is the executable logic that actually runs the scan. It is built on Devtron's base plugin devtron-image-scanning-integrator, and defines the steps and input variables (such as image reference, credentials, or region) required to run your scanner. The plugin runs during the pipeline, and its output is converted into Devtron's standard scan result using the resultDescriptorTemplate from the metadata.

FieldRequiredDescription
nameYesDisplay name of the plugin (3–100 characters).
pluginIdentifierYesUnique identifier for the plugin (3–100 characters).
pluginVersionYesVersion of the plugin (3–50 characters).
descriptionNoBrief description of what the plugin does (max 300 characters).
pluginStepsYesThe ordered steps (and their input variables) the plugin executes to perform the scan.

Registration API​

Scan tools are registered through the following super-admin API:

POST /orchestrator/scan-tool/register

Example request body:

{
"scanToolMetadata": {
"name": "AWS INSPECTOR",
"version": "V1",
"scanTarget": "IMAGE",
"scanToolUrl": "https://cdn.devtron.ai/images/ic-aws-inspector.webp",
"resultDescriptorTemplate": "<template that maps the tool output to Devtron's result format>"
},
"scanToolPluginMetadata": {
"name": "AWS Inspector Scanner",
"pluginIdentifier": "aws-inspector-scanner",
"pluginVersion": "1.0.0",
"description": "Scans container images using Amazon Inspector",
"pluginSteps": [
{
"...": "plugin step definition, based on devtron-image-scanning-integrator"
}
]
}
}
Preset vs. custom tools

Devtron-provided tools such as Trivy and Clair are marked as preset tools (is_preset = true). Tools you register yourself are marked as custom tools (is_preset = false). Both behave identically once integrated; the flag only distinguishes tools shipped by Devtron from those added by users.

Notes and Limitations​

  • scanTarget currently supports IMAGE scanning.
  • The name + version pair must be unique across all registered scan tools.
  • The quality of the rendered results depends on your resultDescriptorTemplate correctly mapping the tool's output fields (such as CVE ID, severity, and package) to Devtron's standard format.

To integrate a custom scanning tool for your organization, reach out to support@devtron.ai.