Auto-Filter for Container Image Verification
TL;DR
A rule-based filtering service for DevOps engineers and security teams in regulated industries that use Amazon ECR and Inspector. It automatically filters Inspector scans and enforces custom rules (e.g., tags, age) on them, so teams can cut manual verification time by 5+ hours/week and block misdeployments.
Target Audience
DevOps engineers and security teams at companies using Amazon ECR and Inspector, especially in regulated industries like fintech or healthcare.
The Problem
Problem Context
DevOps teams use Inspector to verify container images in ECR, but the tool shows all image hashes without filtering. They need to confirm only the latest or tagged images (e.g., :supported) are secure, but Inspector lacks built-in rules for this. Manual filtering wastes time and risks missing critical updates or vulnerabilities.
Pain Points
Inspector’s UI dumps all image hashes, making it impossible to isolate the latest or tagged versions. Workarounds like tag suppression or advanced scans fail because tags aren’t cascaded or scans can’t be triggered on demand. Teams end up manually sifting through hashes, which is error-prone and time-consuming.
Impact
Wasted hours per week on manual verification slows down deployments and increases the risk of security gaps. Teams may miss critical updates or deploy outdated images, leading to compliance violations or production failures. The frustration drives some to abandon Inspector entirely, losing visibility into their container security.
Urgency
This is a daily pain for teams using ECR + Inspector. Without a solution, they either accept the risk of deploying unvetted images or spend excessive time on manual checks. The problem escalates during high-velocity releases or security audits, where accuracy is non-negotiable.
Target Audience
DevOps engineers, Site Reliability Engineers (SREs), and security teams at companies using Amazon ECR and Inspector. Teams in fintech, healthcare, or regulated industries face higher stakes due to compliance requirements. Startups and mid-sized companies without dedicated security teams are especially vulnerable.
Proposed AI Solution
Solution Approach
A lightweight service that automatically filters Inspector’s image results based on custom rules (e.g., ‘only show :supported tags’ or ‘latest 3 images’). It integrates with ECR and Inspector via webhooks or API, reducing manual work to zero. Teams set rules once, and the tool enforces them continuously, pushing clean results to Inspector or a dashboard.
Key Features
- Automated Scanning: Trigger scans on new images and apply rules in real-time, pushing results to Inspector or a Slack channel.
- Dashboard Overview: Visualize filtered images, tags, and scan statuses in one place.
- CI/CD Integration: Add a step to your pipeline to auto-verify images before deployment.
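A sketch of the rule evaluation and pipeline gate described above, as an added example (not code from this page or from any existing product). It applies a tag rule, a latest-N rule, an age rule and an untagged-image alert to records shaped like `aws ecr describe-images` output; the rule names, the simplified `(digest, severity)` findings and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data. Image fields follow `aws ecr describe-images`
# (imageDigest, imageTags, imagePushedAt); untagged images have no imageTags key.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
IMAGES = [
    {"imageDigest": "sha256:aaa", "imageTags": ["supported", "1.4"], "imagePushedAt": NOW - timedelta(days=2)},
    {"imageDigest": "sha256:bbb", "imageTags": ["1.3"], "imagePushedAt": NOW - timedelta(days=20)},
    {"imageDigest": "sha256:ccc", "imagePushedAt": NOW - timedelta(days=1)},
    {"imageDigest": "sha256:ddd", "imageTags": ["supported"], "imagePushedAt": NOW - timedelta(days=200)},
]
# Findings reduced to (image digest, severity) pairs; constructed, not real scan output.
FINDINGS = [("sha256:aaa", "MEDIUM"), ("sha256:bbb", "CRITICAL"), ("sha256:ddd", "HIGH")]

# Hypothetical rule set: key names are assumptions, not a real tool's schema.
RULES = {"required_tags": {"supported"}, "latest_n": 3, "max_age_days": 90,
         "flag_untagged": True, "block_severities": {"CRITICAL", "HIGH"}}

def evaluate(images, findings, rules, now):
    """Return (in_scope_digests, violations) after applying the rules."""
    # Scope: images carrying a required tag, newest first, capped at latest_n.
    tagged = [i for i in images if set(i.get("imageTags", [])) & rules["required_tags"]]
    tagged.sort(key=lambda i: i["imagePushedAt"], reverse=True)
    scope = tagged[: rules["latest_n"]]
    digests = [i["imageDigest"] for i in scope]

    violations = []
    if rules["flag_untagged"]:
        violations += [(i["imageDigest"], "untagged") for i in images if not i.get("imageTags")]
    max_age = timedelta(days=rules["max_age_days"])
    violations += [(i["imageDigest"], "older than max_age_days")
                   for i in scope if now - i["imagePushedAt"] > max_age]
    # Findings on out-of-scope digests (e.g. sha256:bbb) are filtered out as noise.
    violations += [(d, f"{sev} finding") for d, sev in findings
                   if d in digests and sev in rules["block_severities"]]
    return digests, violations

def gate(images, findings, rules, now):
    """Exit code for a CI/CD step: 0 lets the deployment proceed, 1 blocks it."""
    return 1 if evaluate(images, findings, rules, now)[1] else 0

if __name__ == "__main__":
    in_scope, problems = evaluate(IMAGES, FINDINGS, RULES, NOW)
    print("in scope:", in_scope)
    for digest, reason in problems:
        print("violation:", digest, reason)
    raise SystemExit(gate(IMAGES, FINDINGS, RULES, NOW))
```

In a real pipeline the two input lists would be built from the ECR and Inspector APIs, and the `now` argument would be the current UTC time.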
User Experience
Teams set up rules in 5 minutes via a web UI or CLI. The tool runs in the background, scanning new images and filtering them automatically. Engineers get clean, actionable results in Inspector or their dashboard—no more manual sifting. Alerts notify them of rule violations (e.g., untagged images) before deployment.
Differentiation
Unlike Inspector’s native UI (which shows everything) or manual CLI scripts (which require maintenance), this tool is purpose-built for filtering. It’s faster than scripting, more reliable than Inspector’s rules, and cheaper than hiring consultants to manage the process. The webhook-based approach works with any ECR/Inspector setup without admin access.
Scalability
Start with basic filtering, then add features like vulnerability prioritization or Slack alerts. Pricing scales with team size (e.g., $29/mo for 5 users, $99/mo for 20+). Enterprises can white-label the dashboard for their security teams.
Expected Impact
Teams save 5+ hours/week on manual verification and reduce the risk of deploying unvetted images. Security teams gain confidence in their pipeline, and compliance officers get audit-ready logs. The tool pays for itself in the first month by preventing a single misdeployment.