Image Vulnerability Scanning Should Be Enabled For Amazon ECR
More Info:
Image Vulnerability scanning should be enabled for Amazon ECR container images after being pushed to a repository. Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings.Risk Level
InformationalAddress
Security, Operational MaturityCompliance Standards
AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSSTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Image Vulnerability Scanning Should Be Enabled For Amazon ECR” for AWS using AWS console, follow these steps:
- Open the AWS Management Console and navigate to the Amazon Elastic Container Registry (ECR) service.
- Click on the repository for which you want to enable image vulnerability scanning.
- In the repository details page, click on the “Edit” button.
- Under the “Image scanning” section, check the box next to “Enable image vulnerability scanning”.
- Choose the scan on push option to enable scanning of images when pushed to the repository or choose the scan on schedule option to enable scanning of images on a schedule.
- Under the “Scan schedule” section, choose the frequency of scanning based on your requirements.
- Click on the “Save” button to save the changes.
- Once image vulnerability scanning is enabled, ECR will scan all images pushed to the repository for vulnerabilities and generate findings that can be viewed in Amazon ECR Console or Amazon EventBridge.
- You can also configure Amazon SNS notifications to receive alerts for new findings.
Using CLI
Using CLI
To remediate the misconfiguration “Image Vulnerability Scanning Should Be Enabled For Amazon ECR” for AWS using AWS CLI, follow the below steps:
- Open the AWS CLI on your local machine.
-
Run the below command to enable image vulnerability scanning for Amazon ECR:
Replace
<repository-name>with the name of the Amazon ECR repository that you want to enable image vulnerability scanning for. -
Verify that the image vulnerability scanning is enabled for the Amazon ECR repository by running the below command:
This command will return the image scan findings for the specified repository. If the image vulnerability scanning is enabled, you will see the scan findings for the images pushed to the repository.
Using Python
Using Python
To remediate the misconfiguration “Image Vulnerability Scanning Should Be Enabled For Amazon ECR” for AWS using Python, you can follow the below steps:By following these steps, you can remediate the misconfiguration “Image Vulnerability Scanning Should Be Enabled For Amazon ECR” for AWS using Python.
- First, you need to check if the Amazon ECR repository has image vulnerability scanning enabled or not. You can use the boto3 library in Python to check the repository policy.
- If the image vulnerability scanning is not enabled, you need to add the image scanning configuration to the repository policy. You can use the
put_repository_policymethod of the ECR client to update the repository policy.
- After updating the repository policy, you can verify if the image vulnerability scanning is enabled by checking the repository policy again.