# Scan images for OS vulnerabilities in Amazon ECR
<a name="image-scanning-basic"></a>

Amazon ECR basic scanning uses AWS native technology to scan your container images for software vulnerabilities. Basic scanning provides vulnerability detection across a broad set of popular operating systems, sourcing more than 50 data feeds to generate findings for common vulnerabilities and exposures (CVEs). These sources include vendor security advisories, data feeds, threat intelligence feeds, as well as the National Vulnerability Database (NVD) and MITRE.

Amazon ECR basic scanning is supported in all regions listed in [AWS Services by Region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/). 

Amazon ECR uses the severity for a CVE from the upstream distribution source if available. Otherwise, the Common Vulnerability Scoring System (CVSS) score is used. The CVSS score can be used to obtain the NVD vulnerability severity rating. For more information, see [NVD Vulnerability Severity Ratings](https://nvd.nist.gov/vuln-metrics/cvss).

Amazon ECR basic scanning supports filters to specify which repositories to scan on push. Any repositories that don't match a scan on push filter are set to the **manual** scan frequency, which means you must manually start the scan. An image can be scanned once per 24 hours. The 24 hours includes the initial scan on push, if configured, and any manual scans. With basic scanning, you can scan up to 100,000 images per 24 hours in a given registry.

The last completed image scan findings can be retrieved for each image. When an image scan is completed, Amazon ECR sends an event to Amazon EventBridge. For more information, see [Amazon ECR events and EventBridge](ecr-eventbridge.md).

## Operating system support for basic scanning
<a name="image-scan-basic-support-operating-systems"></a>

As a security best practice and for continued coverage, we recommend that you continue to use supported versions of an operating system. In accordance with vendor policy, discontinued operating systems are no longer updated with patches and, in many cases, new security advisories are no longer released for them. In addition, some vendors remove existing security advisories and detections from their feeds when an affected operating system reaches the end of standard support. After a distribution loses support from its vendor, Amazon ECR may no longer support scanning it for vulnerabilities. Any findings that Amazon ECR does generate for a discontinued operating system should be used for informational purposes only. For a full list of supported operating systems and versions, see [Supported operating systems - Amazon Inspector scan](https://docs.aws.amazon.com/inspector/latest/user/supported.html#supported-os-scan-inspector-scan) in the *Amazon Inspector User Guide*.

# Configuring basic scanning for images in Amazon ECR
<a name="image-scanning-basic-enabling"></a>

By default, Amazon ECR turns on basic scanning for all private registries. As a result, unless you've changed the scanning settings on your private registry there is no need to turn on basic scanning. 

You can use the following steps to define one or more scan on push filters.

**To turn on basic scanning for your private registry**

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/private-registry/repositories](https://console.aws.amazon.com/ecr/private-registry/repositories)

1. From the navigation bar, choose the Region to set the scanning configuration for.

1. In the navigation pane, choose **Private registry**, **Scanning**.

1. On the **Scanning configuration** page, for **Scan type** choose **Basic scanning**.

1. By default, all of your repositories are set for **Manual** scanning. You can optionally configure scan on push by specifying **Scan on push filters**. You can set scan on push for all repositories or for individual repositories. For more information, see [Filters to choose which repositories are scanned in Amazon ECR](image-scanning-filters.md).
**Note**  
If scan on push is enabled for a repository, images that are restored after being archived are also scanned on restore. Scan results from before the image was archived are not available for the restored image.

# Manually scanning an image for OS vulnerabilities in Amazon ECR
<a name="manual-scan"></a>

If your repositories aren't configured to **scan on push**, you can manually start image scans. An image can be scanned once per 24 hours. The 24 hours includes the initial scan on push, if configured, and any manual scans.

For troubleshooting details for some common issues when scanning images, see [Troubleshooting image scanning in Amazon ECR](image-scanning-troubleshooting.md).

------
#### [ AWS Management Console ]

Use the following steps to start a manual image scan using the AWS Management Console.

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/private-registry/repositories](https://console.aws.amazon.com/ecr/private-registry/repositories)

1. From the navigation bar, choose the Region that contains the repository.

1. In the navigation pane, choose **Repositories**.

1. On the **Repositories** page, choose the repository that contains the image to scan.

1. On the **Images** page, select the image to scan and then choose **Scan**.

------
#### [ AWS CLI ]
+ [ start-image-scan](https://docs.aws.amazon.com/cli/latest/reference/ecr/start-image-scan.html) (AWS CLI)

  The following example uses an image tag.

  ```
  aws ecr start-image-scan --repository-name name --image-id imageTag=tag_name --region us-east-2
  ```

  The following example uses an image digest.

  ```
  aws ecr start-image-scan --repository-name name --image-id imageDigest=sha256_hash --region us-east-2
  ```

------
#### [ AWS Tools for Windows PowerShell ]
+ [Start-ECRImageScan](https://docs.aws.amazon.com/powershell/latest/reference/items/Start-ECRImageScan.html) (AWS Tools for Windows PowerShell)

  The following example uses an image tag.

  ```
  Start-ECRImageScan -RepositoryName name -ImageId_ImageTag tag_name -Region us-east-2 -Force
  ```

  The following example uses an image digest.

  ```
  Start-ECRImageScan -RepositoryName name -ImageId_ImageDigest sha256_hash -Region us-east-2 -Force
  ```

------

# Retrieving the findings for basic scans in Amazon ECR
<a name="describe-scan-findings"></a>

You can retrieve the scan findings for the last completed basic image scan. The software vulnerabilities that were discovered are listed by severity and identified by their Common Vulnerabilities and Exposures (CVE) IDs.

For troubleshooting details for some common issues when scanning images, see [Troubleshooting image scanning in Amazon ECR](image-scanning-troubleshooting.md).

------
#### [ AWS Management Console ]

Use the following steps to retrieve image scan findings using the AWS Management Console.

**To retrieve image scan findings**

1. Open the Amazon ECR console at [https://console.aws.amazon.com/ecr/private-registry/repositories](https://console.aws.amazon.com/ecr/private-registry/repositories)

1. From the navigation bar, choose the Region that contains the repository.

1. In the navigation pane, choose **Repositories**.

1. On the **Repositories** page, choose the repository that contains the image to retrieve the scan findings for.

1. On the **Images** page, under the **Image tag** column, select the image tag to retrieve the scan findings.

------
#### [ AWS CLI ]

Use the following AWS CLI command to retrieve image scan findings using the AWS CLI. You can specify an image using the `imageTag` or `imageDigest`, both of which can be obtained using the [list-images](https://docs.aws.amazon.com/cli/latest/reference/ecr/list-images.html) CLI command.
+ [ describe-image-scan-findings](https://docs.aws.amazon.com/cli/latest/reference/ecr/describe-image-scan-findings.html) (AWS CLI)

  The following example uses an image tag.

  ```
  aws ecr describe-image-scan-findings --repository-name name --image-id imageTag=tag_name --region us-east-2
  ```

  The following example uses an image digest.

  ```
  aws ecr describe-image-scan-findings --repository-name name --image-id imageDigest=sha256_hash --region us-east-2
  ```
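  In a CI pipeline, the JSON that `describe-image-scan-findings` returns is usually turned into a pass/fail decision. The following Python script is an added example, not part of the Amazon ECR documentation or of any AWS tool. It makes no AWS calls: the response it processes is a constructed sample in the shape the API returns (`imageScanStatus`, `imageScanFindings.findings`, `findingSeverityCounts`), and the CVE identifiers, package names and digest in it are placeholders. It fails the step when any finding is at or above a severity threshold, and it refuses to pass when the status is not `COMPLETE`, because the API only reports findings for the last completed scan and a scan that was just started with `start-image-scan` is still `IN_PROGRESS`.

  ```python
  """Gate a CI step on Amazon ECR basic-scan findings.

  Reads the JSON that `aws ecr describe-image-scan-findings` prints and fails
  the step when any finding is at or above a severity threshold. No AWS call is
  made here; SAMPLE_RESPONSE is a constructed response in the API's shape.
  """
  import json
  import sys

  # FindingSeverity values that ECR uses, ordered most to least severe.
  SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]

  # Constructed sample. Field names follow describe-image-scan-findings; the
  # CVE identifiers, package names and digest are placeholders, not real data.
  SAMPLE_RESPONSE = {
      "registryId": "111122223333",
      "repositoryName": "name",
      "imageId": {"imageDigest": "sha256:" + "0" * 64, "imageTag": "tag_name"},
      "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
      "imageScanFindings": {
          "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1, "INFORMATIONAL": 1},
          "findings": [
              {"name": "CVE-0000-0001", "severity": "HIGH",
               "attributes": [{"key": "package_name", "value": "libexample"},
                              {"key": "package_version", "value": "1.0-1"}]},
              {"name": "CVE-0000-0002", "severity": "MEDIUM",
               "attributes": [{"key": "package_name", "value": "exampletool"},
                              {"key": "package_version", "value": "2.3"}]},
              {"name": "CVE-0000-0003", "severity": "INFORMATIONAL",
               "attributes": [{"key": "package_name", "value": "libexample"},
                              {"key": "package_version", "value": "1.0-1"}]},
          ],
      },
  }
  SAMPLE_JSON = json.dumps(SAMPLE_RESPONSE)


  def scan_status(response):
      """Return the scan status string: COMPLETE, IN_PROGRESS or FAILED."""
      return response.get("imageScanStatus", {}).get("status", "UNKNOWN")


  def severity_counts(response):
      """Recount severities from the findings list. Comparing this with the
      API's own findingSeverityCounts is a cheap consistency check."""
      counts = {}
      for finding in response.get("imageScanFindings", {}).get("findings", []):
          sev = finding.get("severity", "UNDEFINED")
          counts[sev] = counts.get(sev, 0) + 1
      return counts


  def blocking_findings(response, threshold="HIGH"):
      """Findings at or above `threshold`, as (cve, severity, package) tuples,
      most severe first. Raises if the scan has not completed, because the API
      only reports findings for the last *completed* scan."""
      if threshold not in SEVERITY_ORDER:
          raise ValueError(f"unknown severity threshold {threshold!r}")
      status = scan_status(response)
      if status != "COMPLETE":
          detail = response.get("imageScanStatus", {}).get("description", "")
          raise RuntimeError(f"scan status is {status}: {detail}")
      allowed = set(SEVERITY_ORDER[: SEVERITY_ORDER.index(threshold) + 1])
      hits = []
      for finding in response.get("imageScanFindings", {}).get("findings", []):
          if finding.get("severity") in allowed:
              attrs = {a["key"]: a["value"] for a in finding.get("attributes", [])}
              pkg = f"{attrs.get('package_name', '?')} {attrs.get('package_version', '?')}"
              hits.append((finding["name"], finding["severity"], pkg))
      return sorted(hits, key=lambda hit: SEVERITY_ORDER.index(hit[1]))


  def gate(raw_json, threshold="HIGH"):
      """Exit code for a CI step: 0 pass, 1 blocking findings, 2 no usable scan."""
      response = json.loads(raw_json)
      try:
          hits = blocking_findings(response, threshold)
      except RuntimeError as exc:
          print(exc, file=sys.stderr)
          return 2
      for cve, severity, pkg in hits:
          print(f"{severity:<14}{cve:<18}{pkg}")
      return 1 if hits else 0


  if __name__ == "__main__":
      # Usage: aws ecr describe-image-scan-findings ... | python3 ecr_gate.py HIGH
      # Without piped input the constructed sample is used.
      threshold = sys.argv[1] if len(sys.argv) > 1 else "HIGH"
      raw = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
      sys.exit(gate(raw, threshold))
  ```

  To use it after a manual scan, run `aws ecr start-image-scan`, then `aws ecr wait image-scan-complete --repository-name name --image-id imageTag=tag_name --region us-east-2` to block until the scan finishes, and pipe the `describe-image-scan-findings` output into the script. A `FAILED` status (for example on an image whose operating system is not supported for scanning) exits with 2 rather than passing silently, so an unsupported base image cannot slip through as "no findings".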

------
#### [ AWS Tools for Windows PowerShell ]
+ [ Get-ECRImageScanFinding](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-ECRImageScanFinding.html) (AWS Tools for Windows PowerShell)

  The following example uses an image tag.

  ```
  Get-ECRImageScanFinding -RepositoryName name -ImageId_ImageTag tag_name -Region us-east-2
  ```

  The following example uses an image digest.

  ```
  Get-ECRImageScanFinding -RepositoryName name -ImageId_ImageDigest sha256_hash -Region us-east-2
  ```

------