Scan images for OS vulnerabilities in Amazon ECR
| The improved basic scanning feature is in preview release for Amazon ECR and is subject to change. During this public preview, you can only use the AWS Management Console to opt-in for the Improved basic scanning version. |
Amazon ECR provides two versions of basic scanning that use the Common Vulnerabilities and Exposures (CVEs) database:
-
The current GA version that uses the open-source Clair project. For more information about Clair, see Clair
on GitHub. -
The newly improved version of basic scanning (in preview) that uses AWS native technology.
Amazon ECR uses the severity for a CVE from the upstream distribution source if available.
Otherwise, the Common Vulnerability Scoring System (CVSS) score is used. The CVSS score can be
used to obtain the NVD vulnerability severity rating. For more information, see NVD Vulnerability Severity Ratings
Both versions of Amazon ECR basic scanning support filters to specify which repositories to scan on push. Any repositories that don't match a scan on push filter are set to the manual scan frequency which means you must manually start the scan. An image can be scanned once per 24 hours. The 24 hours includes the initial scan on push, if configured, and any manual scans.
The last completed image scan findings can be retrieved for each image. When an image scan is completed, Amazon ECR sends an event to Amazon EventBridge. For more information, see Amazon ECR events and EventBridge.
Region support for improved basic scanning
The improved version of basic scanning is supported in the following regions:
-
Asia Pacific (Hong Kong) (
ap-east-1) -
Europe (Stockholm) (
eu-north-1) -
Middle East (Bahrain) (
me-south-1) -
Asia Pacific (Mumbai) (
ap-south-1) -
Europe (Paris) (
eu-west-3) -
AWS GovCloud (US-East) (
us-gov-east-1) -
Africa (Cape Town) (
af-south-1) -
Asia Pacific (Jakarta) (
ap-southeast-3) -
Europe (Frankfurt) (
eu-central-1) -
Europe (Ireland) (
eu-west-1) -
South America (São Paulo) (
sa-east-1) -
US East (Ohio) (
us-east-2) -
AWS GovCloud (US-West) (
us-gov-west-1) -
Asia Pacific (Tokyo) (
ap-northeast-1) -
Asia Pacific (Seoul) (
ap-northeast-2) -
Asia Pacific (Osaka) (
ap-northeast-3) -
Europe (Milan) (
eu-south-1) -
Europe (London) (
eu-west-2) -
US East (N. Virginia) (
us-east-1) -
Asia Pacific (Singapore) (
ap-southeast-1) -
Asia Pacific (Sydney) (
ap-southeast-2) -
Canada (Central) (
ca-central-1) -
US West (N. California) (
us-west-1) -
US West (Oregon) (
us-west-2) -
Europe (Zurich) (
eu-central-2)
Operating system support for basic scanning and improved basic scanning
As a security best practice and for continued coverage, we recommend that you continue to use supported versions of an operating system. In accordance with vendor policy, discontinued operating systems are no longer updated with patches and, in many cases, new security advisories are no longer released for them. In addition, some vendors remove existing security advisories and detections from their feeds when an affected operating system reaches the end of standard support. After a distribution loses support from its vendor, Amazon ECR may no longer support scanning it for vulnerabilities. Any findings that Amazon ECR does generate for a discontinued operating system should be used for informational purposes only. Listed below are the current supported operating systems and versions.
| Operating System | Version |
|---|---|
| Alpine Linux (Alpine) | 3.19 |
| Alpine Linux (Alpine) | 3.18 |
| Alpine Linux (Alpine) | 3.17 |
| Alpine Linux (Alpine) | 3.16 |
| Amazon Linux 2 (AL2) | AL2 |
| Amazon Linux 2023(AL2023) | AL2023 |
| CentOS Linux (CentOS) | 7 |
| Debian Server (Bookworm) | 12 |
| Debian Server (Bullseye) | 11 |
| Debian Server (Buster) | 10 |
| Oracle Linux (Oracle) | 9 |
| Oracle Linux (Oracle) | 8 |
| Oracle Linux (Oracle) | 7 |
| Ubuntu (Lunar) | 23.04 |
| Ubuntu (Jammy) | 22.04 (LTS) |
| Ubuntu (Focal) | 20.04 (LTS) |
| Ubuntu (Bionic) | 18.04 (ESM) |
| Ubuntu (Xenial) | 16.04 (ESM) |
| Ubuntu (Trusty) | 14.04 (ESM) |
| Red Hat Enterprise Linux (RHEL) | 7 |
| Red Hat Enterprise Linux (RHEL) | 8 |
| Red Hat Enterprise Linux (RHEL) | 9 |
