
Scanning Amazon ECR container images with Amazon Inspector

Amazon Inspector scans container images stored in Amazon ECR for software vulnerabilities to generate Package Vulnerability findings. For more information, see Finding types in Amazon Inspector.

When you enable Amazon Inspector scans for Amazon ECR, you set Amazon Inspector as your preferred scanning service for your private registry. This replaces the default Basic scanning, provided as a free service by Amazon ECR, with Enhanced scanning, provided and billed through Amazon Inspector.

The enhanced scanning provided by Amazon Inspector gives you vulnerability scanning for both operating system and programming language packages at the registry level. You can view findings discovered using enhanced scanning at the image level, at each layer of the image, and in the Amazon ECR console. Additionally, you can view and work with these findings in other services that are not available for basic scanning findings, including AWS Security Hub and Amazon EventBridge.

Enhanced scanning gives you a choice between continuous scanning or on-push scanning at the repository level. Continuous scanning includes on-push scans and automated rescans. On-push scanning scans only when you push an image. For both options you can refine the scanning scope through inclusion filters.

Automated rescans are triggered for container images based on whether you use the continuous or on-push option in your Enhanced scanning settings. Whenever Amazon Inspector adds a new CVE to its database, eligible container images in Amazon ECR repositories configured with continuous scanning are rescanned in response.

Findings discovered by scans can be viewed in the Amazon Inspector console. For more information on working with findings, see Managing findings in Amazon Inspector.


When ECR scanning is first enabled, Amazon Inspector begins scanning all images pushed within the last 30 days. To include images older than 30 days in Amazon Inspector ECR scans, you must delete and re-push them.

Supported operating systems and media types

For information about supported operating systems, see Supported operating systems and programming languages.

Amazon Inspector scans of Amazon ECR repositories cover the following supported media types:

  • "application/vnd.docker.distribution.manifest.v1+json"

  • "application/vnd.docker.distribution.manifest.v1+prettyjws"

  • "application/vnd.oci.image.manifest.v1+json"

  • "application/vnd.docker.distribution.manifest.v2+json"

The following are not supported:

  • Scratch images

  • DockerV2ListMediaType images

Configuring enhanced scanning for Amazon ECR repositories

When Amazon Inspector scans for Amazon ECR are enabled, the default scanning option is Enhanced scanning set to Continuously scan all repositories. See the previous section for more information about scanning options.

You can modify the coverage and scope of your Amazon ECR container image scans through the Amazon ECR console.

To change your enhanced scanning settings:

  1. Open the Amazon ECR console at

  2. Select the Region that contains the repositories that you want to scan.

  3. From the navigation bar, choose Private Registry.

  4. Within the Scanning pane, choose Edit.

  5. Under Scanning configuration, choose Enhanced scanning.

  6. Select Continuously scan all repositories for complete Amazon Inspector scan coverage for all repositories, or choose Scan on push all repositories to run scans only when you push an image.

  7. (Optional) Specify which repositories to include in scans for continuous or on-push scans by entering the repository names in the input box and selecting Add filter.

    • After you add inclusion filters, you can select Preview repository matches to see which repositories will be included.

  8. Choose Save.

  9. (Recommended) Repeat these steps in each Region for which you want to enable Amazon Inspector scans for Amazon ECR repositories.
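The same enhanced scanning settings can be applied from the AWS CLI. This is an added example, not code from the AWS documentation; it assumes AWS CLI v2 with credentials for the registry account, and REGION, the inclusion filters and the APPLY switch are placeholders of my own.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): apply the enhanced scanning
# settings from the console procedure above with the AWS CLI. Assumes AWS CLI v2
# with credentials for the registry account; REGION and filters are placeholders.
set -eu

REGION="${AWS_REGION:-us-east-1}"   # placeholder Region
FREQUENCY="${1:-CONTINUOUS_SCAN}"   # "Continuously scan" = CONTINUOUS_SCAN, "Scan on push" = SCAN_ON_PUSH
FILTERS="${2:-*}"                   # comma-separated inclusion filters, e.g. "prod-*,shared-*"

# Build the --rules document for put-registry-scanning-configuration: one rule with
# the chosen frequency and one WILDCARD repositoryFilter per inclusion filter.
scanning_rules() {
  local frequency="$1" filters="$2" out="" f
  set -f; IFS=','; set -- $filters; unset IFS; set +f   # split on commas, no globbing
  for f in "$@"; do
    out="${out:+$out,}{\"filter\":\"$f\",\"filterType\":\"WILDCARD\"}"
  done
  printf '[{"scanFrequency":"%s","repositoryFilters":[%s]}]' "$frequency" "$out"
}

# Local equivalent of the console's "Preview repository matches": succeed when the
# repository name matches at least one wildcard inclusion filter.
matches_filter() {
  local repo="$1" filters="$2" f
  set -f; IFS=','; set -- $filters; unset IFS; set +f
  for f in "$@"; do
    case "$repo" in $f) return 0 ;; esac
  done
  return 1
}

apply_scanning_config() {
  aws ecr put-registry-scanning-configuration --region "$REGION" \
      --scan-type ENHANCED --rules "$(scanning_rules "$FREQUENCY" "$FILTERS")" >/dev/null
  # Read the registry setting back; anything other than ENHANCED means Basic scanning
  # by Amazon ECR is still in effect and Amazon Inspector is not scanning.
  local scan_type
  scan_type=$(aws ecr get-registry-scanning-configuration --region "$REGION" \
      --query 'scanningConfiguration.scanType' --output text)
  [ "$scan_type" = "ENHANCED" ] || { echo "registry still on $scan_type scanning" >&2; return 1; }
  # List the existing repositories the inclusion filters will cover.
  aws ecr describe-repositories --region "$REGION" \
      --query 'repositories[].repositoryName' --output text | tr '\t' '\n' |
    while read -r repo; do if matches_filter "$repo" "$FILTERS"; then echo "in scope: $repo"; fi; done
}

# Only call the APIs when explicitly asked, so the helpers can be tested offline.
if [ "${APPLY:-0}" = "1" ]; then apply_scanning_config; fi
```

Run it as `APPLY=1 sh script.sh CONTINUOUS_SCAN 'prod-*,shared-*'`; step 9 of the procedure still applies, so repeat per Region.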

Changing the ECR automated re-scan duration

The ECR automated re-scan duration setting determines how long Amazon Inspector continuously monitors images pushed into repositories. When the number of days since an image was first pushed exceeds the configured automated re-scan duration, Amazon Inspector stops monitoring the image. When monitoring stops, the scan status of the image changes to inactive with a reason code of expired, and all findings associated with the image are scheduled to be closed.

You can set the ECR automated re-scan duration in Amazon Inspector to best suit your environment. For example, if you build images frequently, a shorter scan duration is sufficient. However, if you continue to use images for long periods of time, you can choose a longer scan duration. The following scan duration options are available:

  • 30 days

  • 180 days

  • Lifetime

The default scan duration for new accounts, including accounts added through organizations, is Lifetime. This means images are scanned until they are deleted.

To change the ECR automated re-scan duration:

  1. In the navigation pane, expand Settings and then select General.

  2. Under ECR automated re-scan duration choose a setting.

  3. Select Save. Your new setting applies immediately.

When you increase the duration from a shorter value to a longer value, such as from 30 days to 180 days, Amazon Inspector applies the change to all images actively being scanned in repositories configured for continuous scanning. However, images that have already expired remain expired.

When you decrease the duration from a longer value to a shorter value, such as from Lifetime to 180 days, Amazon Inspector applies the change to all active images being scanned in repositories configured for continuous scanning. Images that are older than your new setting have their scan status changed to expired and are no longer monitored.
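The re-scan duration can also be set from the AWS CLI, and the expiry rule from the two paragraphs above can be checked against an image's age before shortening the setting. This is an added example, not code from the AWS documentation; it assumes AWS CLI v2 with credentials for the Amazon Inspector account, and REGION and the APPLY switch are placeholders of my own.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): change the ECR automated re-scan
# duration with the AWS CLI and decide which images a shorter setting would expire.
# Assumes AWS CLI v2 with Amazon Inspector credentials; REGION is a placeholder.
set -eu

REGION="${AWS_REGION:-us-east-1}"   # placeholder Region

# Map the console choices (30 days, 180 days, Lifetime) to the API enum values and
# reject anything else before any call is made.
rescan_duration_enum() {
  case "$1" in
    30)          echo DAYS_30 ;;
    180)         echo DAYS_180 ;;
    [Ll]ifetime) echo LIFETIME ;;
    *) echo "unsupported re-scan duration: $1" >&2; return 1 ;;
  esac
}

# Succeed when an image pushed AGE_DAYS ago is older than the duration and would
# therefore have its scan status set to expired (Lifetime never expires an image).
would_expire() {
  local age_days="$1" duration="$2"
  case "$duration" in
    DAYS_30)  [ "$age_days" -gt 30 ] ;;
    DAYS_180) [ "$age_days" -gt 180 ] ;;
    *)        return 1 ;;
  esac
}

# Apply the setting and read it back; the setting applies immediately, so a
# mismatch here means the update did not take effect.
set_rescan_duration() {
  local wanted active
  wanted=$(rescan_duration_enum "$1") || return 1
  aws inspector2 update-configuration --region "$REGION" \
      --ecr-configuration "rescanDuration=$wanted" >/dev/null
  active=$(aws inspector2 get-configuration --region "$REGION" \
      --query 'ecrConfiguration.rescanDurationState.rescanDuration' --output text)
  [ "$active" = "$wanted" ] || { echo "expected $wanted, got $active" >&2; return 1; }
  echo "ECR automated re-scan duration is now $active"
}

if [ "${APPLY:-0}" = "1" ]; then set_rescan_duration "${1:?usage: APPLY=1 $0 30|180|lifetime}"; fi
```

Image age for `would_expire` comes from the `imagePushedAt` timestamp that `aws ecr describe-images` reports.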

Disabling scans

You can disable Amazon ECR container image scanning or EC2 instance scanning at any time. Disabling all scan types for an account disables Amazon Inspector for that account in that Region. For more information, see Disabling Amazon Inspector.

When you disable Amazon ECR container image scanning for an account, the Amazon ECR scan type for that account changes from Enhanced scanning with Amazon Inspector to Basic scanning with Amazon ECR.

To disable scans

To complete this procedure for a multi-account environment, follow the steps while signed in as the Amazon Inspector delegated administrator. Member accounts cannot disable scans.

  1. Open the Amazon Inspector console at

  2. Use the Region selector in the upper right to specify the Region where you want to disable scans.

  3. In the navigation pane, choose Settings, and then choose Account Management.

  4. Choose the Accounts tab to see the scan status of an account.

  5. Select the check box for the account or accounts for which you want to disable scans.

  6. From the Actions drop-down, select the scan type to disable.
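The same change can be made from the AWS CLI while signed in as the delegated administrator, disabling only the ECR scan type for the selected member accounts and confirming the result. This is an added example, not code from the AWS documentation; it assumes AWS CLI v2, and REGION, the account IDs and the APPLY switch are placeholders of my own.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): disable Amazon ECR scanning for
# member accounts from the AWS CLI as the Amazon Inspector delegated administrator,
# then confirm the new status. Assumes AWS CLI v2; REGION and IDs are placeholders.
set -eu

REGION="${AWS_REGION:-us-east-1}"   # placeholder Region

# Accept only well-formed 12-digit AWS account IDs so a typo is caught before the call.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Disable only the ECR scan type (EC2 scanning is left as it is) for the given
# accounts, then print each account's ECR status. It should read DISABLED, or
# DISABLING while the change completes; the registry then falls back to Basic scanning.
disable_ecr_scanning() {
  local id
  [ $# -gt 0 ] || { echo "usage: disable_ecr_scanning ACCOUNT_ID..." >&2; return 1; }
  for id in "$@"; do
    valid_account_id "$id" || { echo "not an account ID: $id" >&2; return 1; }
  done
  aws inspector2 disable --region "$REGION" --resource-types ECR --account-ids "$@" >/dev/null
  aws inspector2 batch-get-account-status --region "$REGION" --account-ids "$@" \
      --query 'accounts[].[accountId, resourceState.ecr.status]' --output text
}

if [ "${APPLY:-0}" = "1" ]; then disable_ecr_scanning "$@"; fi
```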