Scanning Amazon ECR container images with Amazon Inspector - Amazon Inspector

Scanning Amazon ECR container images with Amazon Inspector

Amazon Inspector scans container images stored in Amazon ECR for software vulnerabilities to generate Package Vulnerability findings. For more information, see Finding types in Amazon Inspector.

When you enable Amazon Inspector scans for Amazon ECR, you set Amazon Inspector as your preferred scanning service for your private registry. This replaces the default Basic scanning, provided as a free service by Amazon ECR, with Enhanced scanning, provided and billed through Amazon Inspector.

The enhanced scanning provided by Amazon Inspector gives you the benefit of vulnerability scanning for both operating system and programming language packages at the registry level. You can view findings discovered using enhanced scanning at the image level, at each layer of the image, and in the Amazon ECR console. Additionally, you can view and work with these findings in other services that are not available for basic scanning findings, including Security Hub and Amazon EventBridge.

Enhanced scanning gives you a choice between continuous scanning and on-push scanning at the repository level. Continuous scanning includes on-push scans and automated rescans. On-push scanning scans only when you push an image. For both options you can refine the scanning scope through inclusion filters.

Whether automated rescans are triggered for a container image depends on whether you chose the continuous or the on-push option in your Enhanced scanning settings. Whenever Amazon Inspector adds a new CVE to its database, eligible container images in Amazon ECR repositories configured with continuous scanning are scanned in response.

Note

Container images residing in Amazon ECR repositories that are configured for continuous scanning are scanned for 30 days after they are pushed to the repository. Container images that have not been pushed in over 30 days are not scanned.
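The 30-day rescan window above means that an image which is still deployed but was last pushed more than 30 days ago silently stops receiving rescans for newly published CVEs. The following is an added example (not code from the Amazon Inspector or Amazon ECR documentation) that applies that rule to records shaped like the output of `aws ecr describe-images`, reporting which images are still covered and how many days of coverage remain. The image records and the reference time are constructed sample data; `fetch_images` is an optional helper that uses the real boto3 `describe_images` paginator and is only needed if you want to run this against a live registry.

```python
from datetime import datetime, timedelta, timezone

# Documented window: images are rescanned for 30 days after they are pushed.
RESCAN_WINDOW_DAYS = 30

# Constructed sample records in the shape returned by ecr:DescribeImages.
# Digests and tags are placeholders, not real images.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_IMAGES = [
    {"imageDigest": "sha256:aaaa", "imageTags": ["api:1.4.2"],
     "imagePushedAt": datetime(2024, 5, 20, tzinfo=timezone.utc)},   # 12 days old
    {"imageDigest": "sha256:bbbb", "imageTags": ["api:1.3.0"],
     "imagePushedAt": datetime(2024, 4, 1, tzinfo=timezone.utc)},    # 61 days old
    {"imageDigest": "sha256:cccc", "imageTags": ["worker:2.0.0"],
     "imagePushedAt": datetime(2024, 5, 2, tzinfo=timezone.utc)},    # exactly 30 days old
]


def days_of_rescan_coverage_left(image, now=None, window_days=RESCAN_WINDOW_DAYS):
    """Whole days until this image ages out of the continuous-rescan window (0 if already out)."""
    now = now or datetime.now(timezone.utc)
    expires_at = image["imagePushedAt"] + timedelta(days=window_days)
    return max((expires_at - now).days, 0)


def classify_rescan_coverage(images, now=None, window_days=RESCAN_WINDOW_DAYS):
    """Split image records into (still_rescanned, aged_out).

    An image pushed exactly window_days ago has not been pushed for *over*
    30 days, so it is still treated as covered; anything older is not.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=window_days)
    covered, aged_out = [], []
    for image in images:
        (covered if image["imagePushedAt"] >= cutoff else aged_out).append(image)
    return covered, aged_out


def aged_out_digests(images, now=None, window_days=RESCAN_WINDOW_DAYS):
    """Digests that no longer receive automated rescans and should be rebuilt and re-pushed."""
    _, aged_out = classify_rescan_coverage(images, now, window_days)
    return sorted(img["imageDigest"] for img in aged_out)


def fetch_images(repository_name, region_name):
    """Optional: pull real records with boto3 (only imported when called)."""
    import boto3  # assumption: boto3 is installed and credentials are configured
    ecr = boto3.client("ecr", region_name=region_name)
    records = []
    for page in ecr.get_paginator("describe_images").paginate(repositoryName=repository_name):
        records.extend(page["imageDetails"])  # imagePushedAt arrives as an aware datetime
    return records


if __name__ == "__main__":
    covered, aged_out = classify_rescan_coverage(SAMPLE_IMAGES, SAMPLE_NOW)
    for img in covered:
        print(f"covered  {img['imageDigest']} {img['imageTags']} "
              f"{days_of_rescan_coverage_left(img, SAMPLE_NOW)} day(s) left")
    for img in aged_out:
        print(f"AGED OUT {img['imageDigest']} {img['imageTags']} - re-push to resume rescans")
```

Running this as a scheduled job against your production repositories turns the 30-day note into an actionable list: every digest it reports as aged out is one whose vulnerability findings are frozen at the CVE database state of a month ago, so the remediation is to rebuild and push it (or to run an on-demand scan if your process uses one).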

Supported operating systems and media types

For information about supported operating systems, see Supported operating systems and programming languages by Amazon Inspector.

Amazon Inspector scans of Amazon ECR repositories cover the following supported media types:

  • "application/vnd.docker.distribution.manifest.v1+json"

  • "application/vnd.docker.distribution.manifest.v1+prettyjws"

  • "application/vnd.oci.image.manifest.v1+json"

  • "application/vnd.docker.distribution.manifest.v2+json"

    Note

    The following are not supported:

    • Scratch images

    • DockerV2ListMediaType images

Configuring enhanced scanning for Amazon ECR repositories

When Amazon Inspector scans for Amazon ECR are enabled, the default scanning option is Enhanced scanning set to Continuously scan all repositories. See the previous section for more information about scanning options.

To change your enhanced scanning settings:

You can modify the coverage and scope of your Amazon ECR container image scans through the Amazon ECR console.

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/.

  2. Select the Region that contains the repositories that you want to scan.

  3. From the navigation bar, choose Private Registry.

  4. Within the Scanning pane, choose Edit.

  5. Under Scanning configuration, choose Enhanced scanning.

  6. Select Continuously scan all repositories for complete Amazon Inspector scan coverage for all repositories, or choose Scan on push all repositories to run scans only when you push an image.

  7. (Optional) Specify which repositories to include in scans for continuous or on-push scans by entering the repository names in the input box and selecting Add filter.

    • After you add inclusion filters, you can select Preview repository matches to see which repositories will be included.

  8. Choose Save.

  9. (Recommended) Repeat these steps in each Region for which you want to enable Amazon Inspector scans for Amazon ECR repositories.
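The console procedure above maps onto a single registry-level API call, `ecr:PutRegistryScanningConfiguration`, which is what you would script to get the same settings consistently across every Region (step 9). The following is an added example, not code from the Amazon ECR or Amazon Inspector documentation: it builds that request from the choices in steps 5 to 7 (scan type `ENHANCED`, frequency `CONTINUOUS_SCAN` or `SCAN_ON_PUSH`, wildcard repository filters), validates the values, and offers a local approximation of the "Preview repository matches" check. The preview treats each filter as a glob matched against the whole repository name; that is my assumption about the console's matching rule, so confirm the result with the console preview before relying on it. The repository names are constructed sample data, and `apply_in_regions` uses the real boto3 `put_registry_scanning_configuration` call but is only invoked when you run the script against a live account.

```python
import fnmatch
import json

# Values accepted by the registry scanning configuration API for enhanced scanning.
ENHANCED_FREQUENCIES = {"CONTINUOUS_SCAN", "SCAN_ON_PUSH"}

# Constructed sample repository names used for the local preview.
SAMPLE_REPOSITORIES = ["prod/api", "prod/worker", "staging/api", "sandbox/experiments"]


def build_enhanced_scanning_configuration(frequency, repository_filters=("*",)):
    """Return the request body for put_registry_scanning_configuration.

    frequency: "CONTINUOUS_SCAN" (on-push + automated rescans) or "SCAN_ON_PUSH".
    repository_filters: inclusion filters from step 7; "*" means all repositories.
    """
    if frequency not in ENHANCED_FREQUENCIES:
        raise ValueError(f"frequency must be one of {sorted(ENHANCED_FREQUENCIES)}, got {frequency!r}")
    filters = [f.strip() for f in repository_filters if f and f.strip()]
    if not filters:
        raise ValueError("at least one repository filter is required")
    return {
        "scanType": "ENHANCED",
        "rules": [{
            "scanFrequency": frequency,
            "repositoryFilters": [{"filter": f, "filterType": "WILDCARD"} for f in filters],
        }],
    }


def preview_repository_matches(repository_filters, repository_names):
    """Local stand-in for the console's preview.

    Assumption: a WILDCARD filter behaves like a glob over the full repository
    name ("*" matches any run of characters). Verify against the console preview.
    """
    return sorted(
        name for name in repository_names
        if any(fnmatch.fnmatchcase(name, f) for f in repository_filters)
    )


def apply_in_regions(config, regions):
    """Apply one configuration in every listed Region (step 9 of the procedure)."""
    import boto3  # assumption: boto3 is installed and credentials are configured
    results = {}
    for region in regions:
        ecr = boto3.client("ecr", region_name=region)
        results[region] = ecr.put_registry_scanning_configuration(
            scanType=config["scanType"], rules=config["rules"]
        )
    return results


if __name__ == "__main__":
    filters = ["prod/*"]
    config = build_enhanced_scanning_configuration("CONTINUOUS_SCAN", filters)
    print(json.dumps(config, indent=2))
    print("would cover:", preview_repository_matches(filters, SAMPLE_REPOSITORIES))
    # apply_in_regions(config, ["us-east-1", "eu-west-1"])  # uncomment to apply
```

One design point worth keeping: every Region holds its own registry scanning configuration, so a filter you tuned in one Region does nothing in another. Driving all Regions from one definition, as `apply_in_regions` does, is how you avoid a Region that quietly stays on basic scanning.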

Disabling scans

You can disable Amazon ECR container image scanning or EC2 instance scanning at any time. Disabling all scan types for an account disables Amazon Inspector for that account in that Region. For more information, see Disabling Amazon Inspector.

When you disable Amazon ECR container image scanning for any account, the Amazon ECR scan type for that account changes from Enhanced scanning with Amazon Inspector to Basic scanning with Amazon ECR.

To disable scans

To complete this procedure for a multi-account environment, follow the steps while signed in as the Amazon Inspector delegated administrator. Member accounts cannot disable scans.

  1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. Use the Region selector in the upper right to specify the Region where you want to disable scans.

  3. In the navigation pane, choose Settings, and then choose Account Management.

  4. Choose the Accounts tab to see the scan status of an account.

  5. Select the check box for the account or accounts for which you want to disable scans.

  6. From the Actions drop-down, select the scan type to disable.