10.3.1.4 ECR Image Scanning
A focused guide to ECR Image Scanning, connecting core concepts with practical Docker and container operations.
ECR image scanning automatically (or on demand) inspects a pushed image's contents for known security vulnerabilities, surfacing findings directly within ECR so that a vulnerable image can be identified and addressed before it's deployed.
Enabling Scanning for a Repository
Scanning can be configured to run automatically every time an image is pushed to a given repository.
aws ecr put-image-scanning-configuration --repository-name myapp --image-scanning-configuration scanOnPush=true
With this configuration, every subsequent push to myapp automatically triggers a vulnerability scan without requiring a separate, manually initiated step.
Reviewing Scan Findings
Once a scan completes, its findings detail any known vulnerabilities discovered within the image's packages.
aws ecr describe-image-scan-findings --repository-name myapp --image-id imageTag=2.3.0
The output lists each vulnerability found, typically with its severity and the affected package, giving the detail needed to decide whether and how to address it.
Triggering a Manual Scan
A scan can also be initiated manually, useful for re-checking an already-pushed image against an updated vulnerability database.
aws ecr start-image-scan --repository-name myapp --image-id imageTag=2.3.0
Integrating Scan Results Into a Deployment Gate
A deployment pipeline can be configured to check scan findings before allowing a deployment to proceed, blocking images with sufficiently severe known vulnerabilities from being deployed.
aws ecr describe-image-scan-findings --repository-name myapp --image-id imageTag=2.3.0 --query 'imageScanFindings.findingSeverityCounts.CRITICAL'
A pipeline that checks this count before deployment can halt automatically when critical vulnerabilities are present. Note that the CRITICAL key is only present when at least one critical finding exists, so the query prints null for an image with no critical findings; the pipeline logic must treat null as zero rather than as an error, and should confirm imageScanStatus is COMPLETE before trusting any count.
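The gate described above, written out as an added example rather than code from the original guide: a small Python script that reads the JSON printed by describe-image-scan-findings on stdin, refuses images whose scan is not COMPLETE, treats absent severity keys as zero, and exits non-zero when any finding at or above a chosen severity exists. The script name, the block_at threshold and the sample document are assumptions.

```python
"""Deployment gate over the JSON that `aws ecr describe-image-scan-findings` prints.

Hypothetical pipeline usage:
  aws ecr describe-image-scan-findings --repository-name myapp \
      --image-id imageTag=2.3.0 | python3 ecr_gate.py
"""
import json
import sys

# Severity values used by ECR scan findings, lowest to highest.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL", "UNDEFINED"]


def evaluate_scan(findings_json, block_at="HIGH"):
    """Return (allowed, reason) for one parsed scan-findings document.

    block_at is the lowest severity that blocks deployment; "HIGH" blocks
    HIGH and CRITICAL. UNDEFINED (unrated) findings always block, since an
    unrated finding is not evidence that the image is clean.
    """
    status = findings_json.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        # An in-progress or failed scan must not pass the gate.
        return False, f"scan status is {status!r}, not COMPLETE"
    scan = findings_json.get("imageScanFindings", {})
    # A severity key is absent when no finding of that severity exists, so a
    # query for .CRITICAL alone yields null; default every count to 0 here.
    counts = scan.get("findingSeverityCounts") or {}
    blocking = SEVERITY_ORDER[SEVERITY_ORDER.index(block_at):]
    hits = {s: counts.get(s, 0) for s in blocking if counts.get(s, 0)}
    if hits:
        return False, "blocking findings: " + ", ".join(f"{s}={n}" for s, n in hits.items())
    return True, "no findings at or above " + block_at


# Constructed sample in the shape the CLI returns; not real scan output.
SAMPLE = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"MEDIUM": 3, "HIGH": 1},
        "findings": [{"name": "CVE-PLACEHOLDER", "severity": "HIGH"}],
    },
}

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    ok, reason = evaluate_scan(doc, block_at="HIGH")
    print(("ALLOW: " if ok else "BLOCK: ") + reason)
    sys.exit(0 if ok else 1)
```

A non-zero exit status is what most CI systems use to stop the stage, so the script can sit directly between the scan and the deploy step.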
Why ECR Image Scanning Matters
Automatic vulnerability scanning provides an important safeguard against deploying an image with known, addressable security issues, catching this category of risk before it reaches a production environment rather than only discovering it after the fact.