DescribeImageScanFindings
Returns the scan findings for the specified image.
Request Syntax
{
"imageId": {
"imageDigest": "string
",
"imageTag": "string
"
},
"maxResults": number
,
"nextToken": "string
",
"registryId": "string
",
"repositoryName": "string
"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- imageId
-
An object with identifying information for an image in an Amazon ECR repository.
Type: ImageIdentifier object
Required: Yes
- maxResults
-
The maximum number of image scan results returned by
DescribeImageScanFindings
in paginated output. When this parameter is used,DescribeImageScanFindings
only returnsmaxResults
results in a single page along with anextToken
response element. The remaining results of the initial request can be seen by sending anotherDescribeImageScanFindings
request with the returnednextToken
value. This value can be between 1 and 1000. If this parameter is not used, thenDescribeImageScanFindings
returns up to 100 results and anextToken
value, if applicable.Type: Integer
Valid Range: Minimum value of 1. Maximum value of 1000.
Required: No
- nextToken
-
The
nextToken
value returned from a previous paginatedDescribeImageScanFindings
request wheremaxResults
was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned thenextToken
value. This value is null when there are no more results to return.Type: String
Required: No
- registryId
-
The AWS account ID associated with the registry that contains the repository in which to describe the image scan findings for. If you do not specify a registry, the default registry is assumed.
Type: String
Pattern:
[0-9]{12}
Required: No
- repositoryName
-
The repository for the image for which to describe the scan findings.
Type: String
Length Constraints: Minimum length of 2. Maximum length of 256.
Pattern:
(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*
Required: Yes
Response Syntax
{
"imageId": {
"imageDigest": "string",
"imageTag": "string"
},
"imageScanFindings": {
"enhancedFindings": [
{
"awsAccountId": "string",
"description": "string",
"exploitAvailable": "string",
"findingArn": "string",
"firstObservedAt": number,
"fixAvailable": "string",
"lastObservedAt": number,
"packageVulnerabilityDetails": {
"cvss": [
{
"baseScore": number,
"scoringVector": "string",
"source": "string",
"version": "string"
}
],
"referenceUrls": [ "string" ],
"relatedVulnerabilities": [ "string" ],
"source": "string",
"sourceUrl": "string",
"vendorCreatedAt": number,
"vendorSeverity": "string",
"vendorUpdatedAt": number,
"vulnerabilityId": "string",
"vulnerablePackages": [
{
"arch": "string",
"epoch": number,
"filePath": "string",
"fixedInVersion": "string",
"name": "string",
"packageManager": "string",
"release": "string",
"sourceLayerHash": "string",
"version": "string"
}
]
},
"remediation": {
"recommendation": {
"text": "string",
"url": "string"
}
},
"resources": [
{
"details": {
"awsEcrContainerImage": {
"architecture": "string",
"author": "string",
"imageHash": "string",
"imageTags": [ "string" ],
"platform": "string",
"pushedAt": number,
"registry": "string",
"repositoryName": "string"
}
},
"id": "string",
"tags": {
"string" : "string"
},
"type": "string"
}
],
"score": number,
"scoreDetails": {
"cvss": {
"adjustments": [
{
"metric": "string",
"reason": "string"
}
],
"score": number,
"scoreSource": "string",
"scoringVector": "string",
"version": "string"
}
},
"severity": "string",
"status": "string",
"title": "string",
"type": "string",
"updatedAt": number
}
],
"findings": [
{
"attributes": [
{
"key": "string",
"value": "string"
}
],
"description": "string",
"name": "string",
"severity": "string",
"uri": "string"
}
],
"findingSeverityCounts": {
"string" : number
},
"imageScanCompletedAt": number,
"vulnerabilitySourceUpdatedAt": number
},
"imageScanStatus": {
"description": "string",
"status": "string"
},
"nextToken": "string",
"registryId": "string",
"repositoryName": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- imageId
-
An object with identifying information for an image in an Amazon ECR repository.
Type: ImageIdentifier object
- imageScanFindings
-
The information contained in the image scan findings.
Type: ImageScanFindings object
- imageScanStatus
-
The current state of the scan.
Type: ImageScanStatus object
- nextToken
-
The
nextToken
value to include in a futureDescribeImageScanFindings
request. When the results of aDescribeImageScanFindings
request exceedmaxResults
, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.Type: String
- registryId
-
The registry ID associated with the request.
Type: String
Pattern:
[0-9]{12}
- repositoryName
-
The repository name associated with the request.
Type: String
Length Constraints: Minimum length of 2. Maximum length of 256.
Pattern:
(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*
Errors
For information about the errors that are common to all actions, see Common Errors.
- ImageNotFoundException
-
The image requested does not exist in the specified repository.
HTTP Status Code: 400
- InvalidParameterException
-
The specified parameter is invalid. Review the available parameters for the API request.
HTTP Status Code: 400
- RepositoryNotFoundException
-
The specified repository could not be found. Check the spelling of the specified repository and ensure that you are performing operations on the correct registry.
HTTP Status Code: 400
- ScanNotFoundException
-
The specified image scan could not be found. Ensure that image scanning is enabled on the repository and try again.
HTTP Status Code: 400
- ServerException
-
These errors are usually caused by a server-side issue.
HTTP Status Code: 500
- ValidationException
-
There was an exception validating this request.
HTTP Status Code: 400
Examples
In the following example or examples, the Authorization header contents
(AUTHPARAMS
) must be replaced with an AWS Signature Version 4
signature. For more information about creating these signatures, see Signature
Version 4 Signing Process in the
AWS General
Reference.
You only need to learn how to sign HTTP requests if you intend to manually
create them. When you use the AWS Command Line Interface (AWS CLI)
Example
This example returns the image scan findings for an image using the image
digest in a repository named sample-repo
in the default registry
for an account.
Sample Request
POST / HTTP/1.1
Host: ecr.us-west-2.amazonaws.com
Accept-Encoding: identity
Content-Length: 141
X-Amz-Target: AmazonEC2ContainerRegistry_V20150921.DescribeImageScanFindings
X-Amz-Date: 20161216T201255Z
User-Agent: aws-cli/1.16.310 Python/3.6.1 Darwin/18.7.0 botocore/1.13.46
Content-Type: application/x-amz-json-1.1
Authorization: AUTHPARAMS
{
"repositoryName": "sample-repo",
"imageId": {
"imageDigest": "sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6"
}
}
Sample Response
HTTP/1.1 200 OK
Server: Server
Date: Fri, 24 Jan 2020 03:48:07 GMT
Content-Type: application/x-amz-json-1.1
Content-Length: 33967
Connection: keep-alive
x-amzn-RequestId: 3081a92b-2066-41f8-8a47-0580288ada9e
{
"imageScanFindings": {
"findings": [
{
"name": "CVE-2019-5188",
"description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"uri": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188",
"severity": "MEDIUM",
"attributes": [
{
"key": "package_version",
"value": "1.44.1-1ubuntu1.1"
},
{
"key": "package_name",
"value": "e2fsprogs"
},
{
"key": "CVSS2_VECTOR",
"value": "AV:L/AC:L/Au:N/C:P/I:P/A:P"
},
{
"key": "CVSS2_SCORE",
"value": "4.6"
}
]
}
],
"imageScanCompletedAt": 1579839105.0,
"vulnerabilitySourceUpdatedAt": 1579811117.0,
"findingSeverityCounts": {
"MEDIUM": 1
}
},
"registryId": "012345678910",
"repositoryName": "sample-repo",
"imageId": {
"imageDigest": "sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6"
},
"imageScanStatus": {
"status": "COMPLETE",
"description": "The scan was completed successfully."
}
}
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: