Image Vulnerability Scanning Should Be Enabled For Amazon ECR
More Info:
Image Vulnerability scanning should be enabled for Amazon ECR container images after being pushed to a repository. Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings.
Risk Level
Informational
Address
Security, Operational Maturity
Compliance Standards
AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS
Remediation
Using Console
To remediate the misconfiguration “Image Vulnerability Scanning Should Be Enabled For Amazon ECR” for AWS using AWS console, follow these steps:
-
Open the AWS Management Console and navigate to the Amazon Elastic Container Registry (ECR) service.
-
Click on the repository for which you want to enable image vulnerability scanning.
-
In the repository details page, click on the “Edit” button.
-
Under the “Image scanning” section, check the box next to “Enable image vulnerability scanning”.
-
Choose the scan on push option to enable scanning of images when pushed to the repository or choose the scan on schedule option to enable scanning of images on a schedule.
-
Under the “Scan schedule” section, choose the frequency of scanning based on your requirements.
-
Click on the “Save” button to save the changes.
-
Once image vulnerability scanning is enabled, ECR will scan all images pushed to the repository for vulnerabilities and generate findings that can be viewed in Amazon ECR Console or Amazon EventBridge.
-
You can also configure Amazon SNS notifications to receive alerts for new findings.
By following these steps, you will be able to remediate the misconfiguration “Image Vulnerability Scanning Should Be Enabled For Amazon ECR” for AWS using AWS console.
Using CLI
To remediate the misconfiguration “Image Vulnerability Scanning Should Be Enabled For Amazon ECR” for AWS using AWS CLI, follow the below steps:
-
Open the AWS CLI on your local machine.
-
Run the below command to enable image vulnerability scanning for Amazon ECR:
aws ecr put-image-scanning-configuration --repository-name <repository-name> --image-scanning-configuration scanOnPush=trueReplace
<repository-name>with the name of the Amazon ECR repository that you want to enable image vulnerability scanning for. -
Verify that the image vulnerability scanning is enabled for the Amazon ECR repository by running the below command:
aws ecr describe-image-scan-findings --repository-name <repository-name>This command will return the image scan findings for the specified repository. If the image vulnerability scanning is enabled, you will see the scan findings for the images pushed to the repository.
By following the above steps, you can remediate the misconfiguration “Image Vulnerability Scanning Should Be Enabled For Amazon ECR” for AWS using AWS CLI.
Using Python
To remediate the misconfiguration “Image Vulnerability Scanning Should Be Enabled For Amazon ECR” for AWS using Python, you can follow the below steps:
- First, you need to check if the Amazon ECR repository has image vulnerability scanning enabled or not. You can use the boto3 library in Python to check the repository policy.
import boto3
import json
client = boto3.client('ecr')
response = client.get_repository_policy(repositoryName='my-repo')
policy = json.loads(response['policyText'])
if 'imageScanningConfiguration' not in policy['policyText']:
# Image vulnerability scanning is not enabled
# Add image scanning configuration to the policy
# Update the repository policy
else:
# Image vulnerability scanning is already enabled
pass
- If the image vulnerability scanning is not enabled, you need to add the image scanning configuration to the repository policy. You can use the
put_repository_policymethod of the ECR client to update the repository policy.
import boto3
import json
client = boto3.client('ecr')
policy = {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "EnableImageScanning",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"ecr:PutImageScanningConfiguration",
"ecr:DescribeImageScanFindings",
"ecr:InitiateLayerScan"
]
}
]
}
response = client.put_repository_policy(
repositoryName='my-repo',
policyText=json.dumps(policy)
)
- After updating the repository policy, you can verify if the image vulnerability scanning is enabled by checking the repository policy again.
import boto3
import json
client = boto3.client('ecr')
response = client.get_repository_policy(repositoryName='my-repo')
policy = json.loads(response['policyText'])
if 'imageScanningConfiguration' not in policy['policyText']:
# Image vulnerability scanning is still not enabled
pass
else:
# Image vulnerability scanning is now enabled
pass
By following these steps, you can remediate the misconfiguration “Image Vulnerability Scanning Should Be Enabled For Amazon ECR” for AWS using Python.