> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Image Vulnerability Scanning Should Be Enabled For Amazon ECR

### More Info:

Image Vulnerability scanning should be enabled for Amazon ECR container images after being pushed to a repository. Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings.

### Risk Level

Informational

### Address

Security, Operational Maturity

### Compliance Standards

AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration "Image Vulnerability Scanning Should Be Enabled For Amazon ECR" for AWS using AWS console, follow these steps:

        1. Open the AWS Management Console and navigate to the Amazon Elastic Container Registry (ECR) service.

        2. Click on the repository for which you want to enable image vulnerability scanning.

        3. In the repository details page, click on the "Edit" button.

        4. Under the "Image scanning" section, check the box next to "Enable image vulnerability scanning".

        5. Choose the scan on push option to enable scanning of images when pushed to the repository or choose the scan on schedule option to enable scanning of images on a schedule.

        6. Under the "Scan schedule" section, choose the frequency of scanning based on your requirements.

        7. Click on the "Save" button to save the changes.

        8. Once image vulnerability scanning is enabled, ECR will scan all images pushed to the repository for vulnerabilities and generate findings that can be viewed in Amazon ECR Console or Amazon EventBridge.

        9. You can also configure Amazon SNS notifications to receive alerts for new findings.

        By following these steps, you will be able to remediate the misconfiguration "Image Vulnerability Scanning Should Be Enabled For Amazon ECR" for AWS using AWS console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "Image Vulnerability Scanning Should Be Enabled For Amazon ECR" for AWS using AWS CLI, follow the below steps:

        1. Open the AWS CLI on your local machine.

        2. Run the below command to enable image vulnerability scanning for Amazon ECR:

           ```
           aws ecr put-image-scanning-configuration --repository-name <repository-name> --image-scanning-configuration scanOnPush=true
           ```

           Replace `<repository-name>` with the name of the Amazon ECR repository that you want to enable image vulnerability scanning for.

        3. Verify that the image vulnerability scanning is enabled for the Amazon ECR repository by running the below command:

           ```
           aws ecr describe-image-scan-findings --repository-name <repository-name>
           ```

           This command will return the image scan findings for the specified repository. If the image vulnerability scanning is enabled, you will see the scan findings for the images pushed to the repository.

        By following the above steps, you can remediate the misconfiguration "Image Vulnerability Scanning Should Be Enabled For Amazon ECR" for AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration "Image Vulnerability Scanning Should Be Enabled For Amazon ECR" for AWS using Python, you can follow the below steps:

        1. First, you need to check if the Amazon ECR repository has image vulnerability scanning enabled or not. You can use the boto3 library in Python to check the repository policy.

        ```python theme={null}
        import boto3
        import json

        client = boto3.client('ecr')

        response = client.get_repository_policy(repositoryName='my-repo')

        policy = json.loads(response['policyText'])

        if 'imageScanningConfiguration' not in policy['policyText']:
            # Image vulnerability scanning is not enabled
            # Add image scanning configuration to the policy
            # Update the repository policy
        else:
            # Image vulnerability scanning is already enabled
            pass
        ```

        2. If the image vulnerability scanning is not enabled, you need to add the image scanning configuration to the repository policy. You can use the `put_repository_policy` method of the ECR client to update the repository policy.

        ```python theme={null}
        import boto3
        import json

        client = boto3.client('ecr')

        policy = {
            "Version": "2008-10-17",
            "Statement": [
                {
                    "Sid": "EnableImageScanning",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "*"
                    },
                    "Action": [
                        "ecr:PutImageScanningConfiguration",
                        "ecr:DescribeImageScanFindings",
                        "ecr:InitiateLayerScan"
                    ]
                }
            ]
        }

        response = client.put_repository_policy(
            repositoryName='my-repo',
            policyText=json.dumps(policy)
        )
        ```

        3. After updating the repository policy, you can verify if the image vulnerability scanning is enabled by checking the repository policy again.

        ```python theme={null}
        import boto3
        import json

        client = boto3.client('ecr')

        response = client.get_repository_policy(repositoryName='my-repo')

        policy = json.loads(response['policyText'])

        if 'imageScanningConfiguration' not in policy['policyText']:
            # Image vulnerability scanning is still not enabled
            pass
        else:
            # Image vulnerability scanning is now enabled
            pass
        ```

        By following these steps, you can remediate the misconfiguration "Image Vulnerability Scanning Should Be Enabled For Amazon ECR" for AWS using Python.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html)
