DescribeImageScanFindings - Amazon Elastic Container Registry

DescribeImageScanFindings

Returns the scan findings for the specified image.

Request Syntax

{ "imageId": { "imageDigest": "string", "imageTag": "string" }, "maxResults": number, "nextToken": "string", "registryId": "string", "repositoryName": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

imageId

An object with identifying information for an image in an Amazon ECR repository.

Type: ImageIdentifier object

Required: Yes

maxResults

The maximum number of image scan results returned by DescribeImageScanFindings in paginated output. When this parameter is used, DescribeImageScanFindings only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another DescribeImageScanFindings request with the returned nextToken value. This value can be between 1 and 1000. If this parameter is not used, then DescribeImageScanFindings returns up to 100 results and a nextToken value, if applicable.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1000.

Required: No

nextToken

The nextToken value returned from a previous paginated DescribeImageScanFindings request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.

Type: String

Required: No

registryId

The AWS account ID associated with the registry that contains the repository in which to describe the image scan findings for. If you do not specify a registry, the default registry is assumed.

Type: String

Pattern: [0-9]{12}

Required: No

repositoryName

The repository for the image for which to describe the scan findings.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 256.

Pattern: (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*

Required: Yes

Response Syntax

{ "imageId": { "imageDigest": "string", "imageTag": "string" }, "imageScanFindings": { "enhancedFindings": [ { "awsAccountId": "string", "description": "string", "findingArn": "string", "firstObservedAt": number, "lastObservedAt": number, "packageVulnerabilityDetails": { "cvss": [ { "baseScore": number, "scoringVector": "string", "source": "string", "version": "string" } ], "referenceUrls": [ "string" ], "relatedVulnerabilities": [ "string" ], "source": "string", "sourceUrl": "string", "vendorCreatedAt": number, "vendorSeverity": "string", "vendorUpdatedAt": number, "vulnerabilityId": "string", "vulnerablePackages": [ { "arch": "string", "epoch": number, "filePath": "string", "name": "string", "packageManager": "string", "release": "string", "sourceLayerHash": "string", "version": "string" } ] }, "remediation": { "recommendation": { "text": "string", "url": "string" } }, "resources": [ { "details": { "awsEcrContainerImage": { "architecture": "string", "author": "string", "imageHash": "string", "imageTags": [ "string" ], "platform": "string", "pushedAt": number, "registry": "string", "repositoryName": "string" } }, "id": "string", "tags": { "string" : "string" }, "type": "string" } ], "score": number, "scoreDetails": { "cvss": { "adjustments": [ { "metric": "string", "reason": "string" } ], "score": number, "scoreSource": "string", "scoringVector": "string", "version": "string" } }, "severity": "string", "status": "string", "title": "string", "type": "string", "updatedAt": number } ], "findings": [ { "attributes": [ { "key": "string", "value": "string" } ], "description": "string", "name": "string", "severity": "string", "uri": "string" } ], "findingSeverityCounts": { "string" : number }, "imageScanCompletedAt": number, "vulnerabilitySourceUpdatedAt": number }, "imageScanStatus": { "description": "string", "status": "string" }, "nextToken": "string", "registryId": "string", "repositoryName": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

imageId

An object with identifying information for an image in an Amazon ECR repository.

Type: ImageIdentifier object

imageScanFindings

The information contained in the image scan findings.

Type: ImageScanFindings object

imageScanStatus

The current state of the scan.

Type: ImageScanStatus object

nextToken

The nextToken value to include in a future DescribeImageScanFindings request. When the results of a DescribeImageScanFindings request exceed maxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.

Type: String

registryId

The registry ID associated with the request.

Type: String

Pattern: [0-9]{12}

repositoryName

The repository name associated with the request.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 256.

Pattern: (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*

Errors

For information about the errors that are common to all actions, see Common Errors.

ImageNotFoundException

The image requested does not exist in the specified repository.

HTTP Status Code: 400

InvalidParameterException

The specified parameter is invalid. Review the available parameters for the API request.

HTTP Status Code: 400

RepositoryNotFoundException

The specified repository could not be found. Check the spelling of the specified repository and ensure that you are performing operations on the correct registry.

HTTP Status Code: 400

ScanNotFoundException

The specified image scan could not be found. Ensure that image scanning is enabled on the repository and try again.

HTTP Status Code: 400

ServerException

These errors are usually caused by a server-side issue.

HTTP Status Code: 500

ValidationException

There was an exception validating this request.

HTTP Status Code: 400

Examples

In the following example or examples, the Authorization header contents (AUTHPARAMS) must be replaced with an AWS Signature Version 4 signature. For more information about creating these signatures, see Signature Version 4 Signing Process in the AWS General Reference.

You only need to learn how to sign HTTP requests if you intend to manually create them. When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.

Example

This example returns the image scan findings for an image using the image digest in a repository named sample-repo in the default registry for an account.

Sample Request

POST / HTTP/1.1 Host: ecr.us-west-2.amazonaws.com Accept-Encoding: identity Content-Length: 141 X-Amz-Target: AmazonEC2ContainerRegistry_V20150921.DescribeImageScanFindings X-Amz-Date: 20161216T201255Z User-Agent: aws-cli/1.16.310 Python/3.6.1 Darwin/18.7.0 botocore/1.13.46 Content-Type: application/x-amz-json-1.1 Authorization: AUTHPARAMS { "repositoryName": "sample-repo", "imageId": { "imageDigest": "sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6" } }

Sample Response

HTTP/1.1 200 OK Server: Server Date: Fri, 24 Jan 2020 03:48:07 GMT Content-Type: application/x-amz-json-1.1 Content-Length: 33967 Connection: keep-alive x-amzn-RequestId: 3081a92b-2066-41f8-8a47-0580288ada9e { "imageScanFindings": { "findings": [ { "name": "CVE-2019-5188", "description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", "uri": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188", "severity": "MEDIUM", "attributes": [ { "key": "package_version", "value": "1.44.1-1ubuntu1.1" }, { "key": "package_name", "value": "e2fsprogs" }, { "key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:P/A:P" }, { "key": "CVSS2_SCORE", "value": "4.6" } ] } ], "imageScanCompletedAt": 1579839105.0, "vulnerabilitySourceUpdatedAt": 1579811117.0, "findingSeverityCounts": { "MEDIUM": 1 } }, "registryId": "012345678910", "repositoryName": "sample-repo", "imageId": { "imageDigest": "sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6" }, "imageScanStatus": { "status": "COMPLETE", "description": "The scan was completed successfully." } }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: