AWS Security ChangesHomeSearch

AWS imagebuilder documentation change

Service: imagebuilder · 2026-05-16 · Documentation medium

File: imagebuilder/latest/userguide/cli-create-container-pipeline.md

Summary

Added comprehensive example for creating container pipelines with vulnerability scanning, custom security workflows, and compliance checks

Security assessment

Significantly expands documentation on implementing security controls including Inspector vulnerability scanning, parallel security tests, and compliance workflows. Promotes security best practices but doesn't address specific vulnerabilities.

Diff

diff --git a/imagebuilder/latest/userguide/cli-create-container-pipeline.md b/imagebuilder/latest/userguide/cli-create-container-pipeline.md
index e9735ab5d..79635fc82 100644
--- a//imagebuilder/latest/userguide/cli-create-container-pipeline.md
+++ b//imagebuilder/latest/userguide/cli-create-container-pipeline.md
@@ -70,0 +71,76 @@ Use your favorite file editing tool to create a JSON file with the following key
+###### Example: Create a container pipeline with image scanning and custom workflows
+
+This example configures a container pipeline that checks every Monday at 10:00 AM UTC and runs only when dependency updates are available. The configuration file uses existing resources for the container recipe and infrastructure. It enables [vulnerability scanning](https://docs.aws.amazon.com/imagebuilder/latest/userguide/integ-inspector.html) with Amazon Inspector and ECR integration. The configuration also specifies [custom workflows](https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-image-workflows.html) with an execution role. Parallel groups run security and functional tests at the same time. Pipeline logs are sent to custom [CloudWatch log groups](https://docs.aws.amazon.com/imagebuilder/latest/userguide/monitor-cwlogs.html).
+
+  1. ###### Create a configuration file
+
+Create a JSON file named `create-container-pipeline-with-workflows.json`. This file defines the container pipeline configuration with image scanning enabled and custom test workflows. Replace the placeholder values with your own resource ARNs.
+    
+        {
+    	"name": "MyContainerPipelineWithScanning",
+    	"description": "Container pipeline with vulnerability scanning and custom workflows",
+    	"containerRecipeArn": "arn:aws:imagebuilder:us-east-1:123456789012:container-recipe/my-container-recipe/1.0.0",
+    	"infrastructureConfigurationArn": "arn:aws:imagebuilder:us-east-1:123456789012:infrastructure-configuration/my-infra-config",
+    	"distributionConfigurationArn": "arn:aws:imagebuilder:us-east-1:123456789012:distribution-configuration/my-dist-config",
+    	"imageScanningConfiguration": {
+    		"imageScanningEnabled": true,
+    		"ecrConfiguration": {
+    			"repositoryName": "my-scanning-repo",
+    			"containerTags": ["scan-latest"]
+    		}
+    	},
+    	"workflows": [
+    		{
+    			"workflowArn": "arn:aws:imagebuilder:us-east-1:123456789012:workflow/build/my-build-workflow/1.0.0"
+    		},
+    		{
+    			"workflowArn": "arn:aws:imagebuilder:us-east-1:123456789012:workflow/test/my-security-scan/1.0.0",
+    			"onFailure": "ABORT",
+    			"parallelGroup": "security"
+    		},
+    		{
+    			"workflowArn": "arn:aws:imagebuilder:us-east-1:123456789012:workflow/test/my-compliance-check/1.0.0",
+    			"onFailure": "ABORT",
+    			"parallelGroup": "security"
+    		},
+    		{
+    			"workflowArn": "arn:aws:imagebuilder:us-east-1:123456789012:workflow/test/my-functional-test/1.0.0",
+    			"onFailure": "CONTINUE",
+    			"parallelGroup": "functional"
+    		},
+    		{
+    			"workflowArn": "arn:aws:imagebuilder:us-east-1:123456789012:workflow/test/my-performance-test/1.0.0",
+    			"onFailure": "CONTINUE",
+    			"parallelGroup": "functional"
+    		}
+    	],
+    	"executionRole": "arn:aws:iam::123456789012:role/ImageBuilderExecutionRole",
+    	"loggingConfiguration": {
+    		"imageLogGroupName": "/aws/imagebuilder/my-container-pipeline-image-logs",
+    		"pipelineLogGroupName": "/aws/imagebuilder/my-container-pipeline-execution-logs"
+    	},
+    	"imageTestsConfiguration": {
+    		"imageTestsEnabled": true,
+    		"timeoutMinutes": 120
+    	},
+    	"schedule": {
+    		"scheduleExpression": "cron(0 10 ? * MON *)",
+    		"pipelineExecutionStartCondition": "EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE"
+    	},
+    	"status": "ENABLED"
+    }
+    
+
+###### Note
+
+     * You must include the `file://` notation at the beginning of the JSON file path.
+
+     * The path for the JSON file should follow the appropriate convention for the base operating system where you are running the command. For example, Windows uses the backslash (\\) to refer to the directory path, while Linux and macOS use the forward slash (/).
+
+  2. ###### Run the command
+    
+        aws imagebuilder create-image-pipeline --cli-input-json file://create-container-pipeline-with-workflows.json
+
+
+
+