Scanning Amazon ECR container images with Amazon Inspector

Amazon Inspector scans container images stored in Amazon ECR for software vulnerabilities to generate Package Vulnerability findings. For information on the types of findings produced for these issues, see Finding types in Amazon Inspector.

When you activate Amazon Inspector scans for Amazon ECR, you set Amazon Inspector as your preferred scanning service for your private registry. This replaces the default Basic scanning, which is provided as a free service by Amazon ECR, with Enhanced scanning, which is provided and billed through Amazon Inspector.

The enhanced scanning provided by Amazon Inspector gives you the benefit of vulnerability scanning for both operating system and programming language packages at the registry level. You can review findings discovered using enhanced scanning at the image level, for each layer of the image, on the Amazon ECR console. Additionally, you can review and work with these findings in other services not available for basic scanning findings, including AWS Security Hub and Amazon EventBridge.

Enhanced scanning gives you a choice between continuous scanning and on-push scanning at the repository level. Continuous scanning includes on-push scans and automated rescans. On-push scanning scans an image only when you initially push it. For both options, you can refine the scanning scope through inclusion filters.

Whether automated rescans are triggered for a container image depends on whether its repository uses the continuous or the on-push option in your enhanced scanning settings. Whenever Amazon Inspector adds a new Common Vulnerabilities and Exposures (CVE) item to its database, eligible container images in Amazon ECR private repositories configured with continuous scanning are rescanned in response.

Important

When Amazon Inspector identifies a vulnerability, the metadata for that vulnerability is recorded and reported as a finding. If the severity of a vulnerability is changed by the vendor, this doesn't initiate a re-scan of resources previously identified as having that vulnerability. This is because the signature for that vulnerability has not changed.

Findings discovered by scans can be reviewed on the Amazon Inspector console at https://console.aws.amazon.com/inspector/. For information about working with findings, see Managing findings in Amazon Inspector.

Supported operating systems and media types

For information about supported operating systems, see Operating system support for Amazon ECR scanning.

Amazon Inspector scans of Amazon ECR repositories cover the following supported media types:

  • "application/vnd.docker.distribution.manifest.v1+json"

  • "application/vnd.docker.distribution.manifest.v1+prettyjws"

  • "application/vnd.oci.image.manifest.v1+json"

  • "application/vnd.docker.distribution.manifest.v2+json"

Note

Scratch images and DockerV2ListMediaType images are not supported.

Configuring enhanced scanning for Amazon ECR repositories

When enhanced scanning for Amazon ECR is activated, Amazon Inspector scans all images in the repositories you specify pushed in the last 30 days. If you have images older than 30 days that you want Amazon Inspector to scan, you must re-push them to your repository. You can specify which repositories are configured for scanning using the Amazon ECR console.

To activate and configure your enhanced scanning settings
  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region that contains the repositories that you want to scan.

  3. In the navigation pane, choose Private registry, then choose Scanning.

  4. In the Scanning configuration section, choose Edit.

  5. Under Scan type, choose Enhanced scanning.

  6. By default, the Continuously scan all repositories option is selected, which turns on complete Amazon Inspector scan coverage for all repositories. To run scans only on the initial push of an image, deselect that option and select Scan on push all repositories.

  7. (Optional) Specify which repositories to include in continuous or on-push scans by entering the repository names in the input box and choosing Add filter.

    After you add inclusion filters, choose Preview repository matches to show which repositories will be included.

  8. Choose Save.

  9. (Recommended) Repeat these steps in each AWS Region for which you want to activate Amazon Inspector scans for Amazon ECR repositories.
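The same settings can be expressed as the registry scanning configuration that the ECR API accepts (the payload of `aws ecr put-registry-scanning-configuration`). The following added example, which is not part of the original page, builds that payload for a mix of continuous and on-push inclusion filters and previews which repositories each rule selects, much like the console's Preview repository matches. It assumes that a WILDCARD filter matches the whole repository name with `*` standing for any run of characters, and that a repository matched by a continuous rule is treated as continuous even if an on-push filter also matches it (continuous scanning includes on-push scans); the repository names are constructed sample input.

```python
import json
import re
from typing import Dict, List

# Values accepted by the ECR registry scanning configuration API.
SCAN_TYPE_ENHANCED = "ENHANCED"
FREQ_CONTINUOUS = "CONTINUOUS_SCAN"   # on-push scan plus automated rescans
FREQ_ON_PUSH = "SCAN_ON_PUSH"         # scan only on initial push


def build_scanning_configuration(rules: Dict[str, List[str]]) -> dict:
    """Build the enhanced-scanning payload from {scanFrequency: [filters]}.

    {"CONTINUOUS_SCAN": ["*"]} is what the console's
    "Continuously scan all repositories" option corresponds to.
    """
    return {
        "scanType": SCAN_TYPE_ENHANCED,
        "rules": [
            {
                "scanFrequency": freq,
                "repositoryFilters": [
                    {"filter": f, "filterType": "WILDCARD"} for f in filters
                ],
            }
            for freq, filters in rules.items()
        ],
    }


def _wildcard_matches(pattern: str, name: str) -> bool:
    # Assumption: '*' matches any run of characters, everything else is
    # literal, and the whole repository name must match the filter.
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, name) is not None


def preview_repository_matches(config: dict, repositories: List[str]) -> Dict[str, str]:
    """Map each repository to the scan frequency that selects it, or NOT_SCANNED."""
    # Continuous rules are checked first because they include on-push scans.
    ordered = sorted(config["rules"], key=lambda r: r["scanFrequency"] != FREQ_CONTINUOUS)
    result: Dict[str, str] = {}
    for repo in repositories:
        result[repo] = "NOT_SCANNED"
        for rule in ordered:
            if any(_wildcard_matches(rf["filter"], repo) for rf in rule["repositoryFilters"]):
                result[repo] = rule["scanFrequency"]
                break
    return result


if __name__ == "__main__":
    cfg = build_scanning_configuration({FREQ_CONTINUOUS: ["prod-*"], FREQ_ON_PUSH: ["dev-*"]})
    print(json.dumps(cfg, indent=2))  # payload for put-registry-scanning-configuration
    print(preview_repository_matches(cfg, ["prod-api", "dev-api", "legacy"]))  # constructed names
```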

Configuring the ECR automated re-scan duration

The Amazon ECR automated re-scan duration setting determines how long Amazon Inspector continuously monitors images pushed into repositories. When the number of days from when an image is first pushed exceeds the automated re-scan duration configuration, Amazon Inspector stops monitoring the image. When Amazon Inspector stops monitoring an image, the scan status of the image is changed to inactive with a reason code of expired, and all associated findings for the image are scheduled to be closed.

You can set the Amazon ECR automated re-scan duration in Amazon Inspector to best suit your environment. For example, if you build images frequently, a shorter scan duration is sufficient. However, if you continue to use images for long periods of time you can choose a longer scan duration. The default scan duration for new accounts, including new accounts added to an organization, is Lifetime. This means images are scanned until they are deleted.

The following scan duration options are available.

  • 30 days

  • 180 days

  • Lifetime

To configure the ECR automated re-scan duration
  1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. In the navigation pane, under Settings, choose General.

  3. Under ECR automated re-scan duration, choose the duration that you want.

  4. Choose Save. Your new setting applies immediately.

If you increase the duration, for example from 30 days to 180 days, Amazon Inspector applies the change to all images actively being scanned in repositories configured for continuous scanning. However, images with a scan status of expired remain expired.

If you decrease the duration, for example from Lifetime to 180 days, Amazon Inspector applies the change to all active images being scanned in repositories configured for continuous scanning. Images that are older than your new setting have their scan status changed to expired and are no longer monitored. For scanning to be resumed, you must push the image to the repository again.
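To make the expiry rules above concrete, the following added example (not from the original page) models how an image's scan status changes as the re-scan duration is raised, lowered, or the image is re-pushed. It uses the `DAYS_30`, `DAYS_180` and `LIFETIME` names of the Inspector2 `ecrConfiguration.rescanDuration` setting for the three options this page lists, and the image digests and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# rescanDuration options, mapped to the day counts this page lists;
# LIFETIME means an image is monitored until it is deleted.
RESCAN_DURATION_DAYS: Dict[str, Optional[int]] = {
    "DAYS_30": 30,
    "DAYS_180": 180,
    "LIFETIME": None,
}


@dataclass
class ImageScanState:
    digest: str           # constructed placeholder, not a real image digest
    pushed_on: str        # ISO date of the most recent push
    status: str = "ACTIVE"
    reason: Optional[str] = None


def apply_rescan_duration(images: List[ImageScanState], duration: str, today: str) -> List[str]:
    """Re-evaluate every image under the given duration and return the statuses.

    An image whose age in days exceeds the duration becomes INACTIVE with
    reason EXPIRED. Raising the duration never reactivates an expired image:
    only a new push does that (see repush below).
    """
    limit = RESCAN_DURATION_DAYS[duration]
    now = date.fromisoformat(today)
    for img in images:
        if img.status == "INACTIVE":
            continue  # expired stays expired, even after an increase
        age_days = (now - date.fromisoformat(img.pushed_on)).days
        if limit is not None and age_days > limit:
            img.status, img.reason = "INACTIVE", "EXPIRED"
    return [img.status for img in images]


def repush(img: ImageScanState, today: str) -> ImageScanState:
    """Re-pushing resets the push date and resumes monitoring."""
    img.pushed_on, img.status, img.reason = today, "ACTIVE", None
    return img


if __name__ == "__main__":
    fleet = [ImageScanState("img-a", "2024-06-01"), ImageScanState("img-b", "2024-03-01")]
    print(apply_rescan_duration(fleet, "DAYS_30", "2024-06-30"))  # img-b is 121 days old
```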

Deactivating Amazon ECR scans

You can deactivate scanning for Amazon ECR container images or Amazon EC2 instances at any time. Deactivating all scan types for an account deactivates Amazon Inspector for that account in that AWS Region. For more information, see Deactivating Amazon Inspector.

When you deactivate Amazon ECR container image scanning for an account, the Amazon ECR scan type for that account changes from Enhanced scanning with Amazon Inspector to Basic scanning with Amazon ECR.

To deactivate scans

To complete this procedure for a multi-account environment, follow these steps while signed in as the Amazon Inspector delegated administrator. Member accounts cannot deactivate scans.

  1. Open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region where you want to deactivate scans.

  3. In the navigation pane, choose Settings, and then choose Account management.

  4. Choose the Accounts tab to show the scanning status of an account.

  5. Select the check box for each account that you want to deactivate scans for.

  6. On the Actions menu, choose the scan type to deactivate.