Scanning Amazon Elastic Container Registry container images with Amazon Inspector - Amazon Inspector

Amazon Inspector scans container images stored in Amazon Elastic Container Registry for software vulnerabilities to generate package vulnerability findings. When you activate Amazon ECR scanning, you set Amazon Inspector as the preferred scanning service for your private registry.

With basic scanning, you can configure your repositories to scan on push or perform manual scans. With enhanced scanning, you scan for operating system and programming language package vulnerabilities at the registry level. For a side-by-side comparison of basic and enhanced scanning, see the Amazon Inspector FAQ.

Note

Basic scanning is provided and billed through Amazon ECR. For more information, see Amazon Elastic Container Registry pricing. Enhanced scanning is provided and billed through Amazon Inspector. For more information, see Amazon Inspector pricing.

For information about how to activate Amazon ECR scanning, see Activating a scan type. For information about how to view your findings, see Managing findings in Amazon Inspector. For information about how to view your findings at the image level, see Image scanning in the Amazon Elastic Container Registry User Guide. Enhanced scanning findings can also be managed through AWS services that basic scanning does not integrate with, such as AWS Security Hub and Amazon EventBridge.

This section provides information about Amazon ECR scanning and describes how to configure enhanced scanning for Amazon ECR repositories.

Scan behaviors for Amazon ECR scanning

When you first activate ECR scanning and your repository is configured for continuous scanning, Amazon Inspector detects all eligible images that you have pushed within the last 30 days or pulled within the last 90 days. Amazon Inspector then scans the detected images and sets their scan status to active. Amazon Inspector continues to monitor an image as long as it was pushed or pulled within the last 90 days (by default), or within the ECR rescan duration you configure. For more information, see Configuring the Amazon ECR re-scan duration.

For continuous scanning, Amazon Inspector initiates new vulnerability scans of container images in the following situations:

  • Whenever a new container image is pushed.

  • Whenever Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to that container image (continuous scanning only).

If you configure your repository for scan on push, images are scanned only when you push them.

You can check when a container image was last scanned for vulnerabilities from the Container images tab on the Account management page, or by using the ListCoverage API. Amazon Inspector updates the Last scanned at field of an Amazon ECR image in response to the following events:

  • When Amazon Inspector completes an initial scan of a container image.

  • When Amazon Inspector re-scans a container image because a new common vulnerabilities and exposures (CVE) item that impacts that container image was added to the Amazon Inspector database.
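The following is an added example, not code from the AWS documentation, showing how a defender can use the ListCoverage API to spot ECR images that Amazon Inspector is not actively scanning or has not scanned recently (for example, images whose coverage lapsed because they fell outside the rescan duration). It assumes the ListCoverage response shape (coveredResources[].scanStatus, lastScannedAt, resourceType) and, for the live call, that boto3 is installed with credentials holding inspector2:ListCoverage; the sample data and resource IDs are constructed.

```python
from datetime import datetime, timedelta, timezone

ECR_IMAGE = "AWS_ECR_CONTAINER_IMAGE"  # ListCoverage resourceType for ECR images


def stale_images(covered_resources, now, max_age_days=90):
    """Return sorted (resource_id, reason) pairs for ECR images that Inspector is not
    actively covering, has never scanned, or last scanned more than max_age_days ago."""
    flagged = []
    cutoff = now - timedelta(days=max_age_days)
    for res in covered_resources:
        if res.get("resourceType") != ECR_IMAGE:
            continue  # EC2 instances, Lambda functions, etc. are out of scope here
        rid = res["resourceId"]
        status = res.get("scanStatus", {})
        if status.get("statusCode") != "ACTIVE":
            flagged.append((rid, f"{status.get('statusCode', 'UNKNOWN')}: {status.get('reason', 'no reason')}"))
            continue
        last = res.get("lastScannedAt")  # tz-aware datetime in real responses
        if last is None:
            flagged.append((rid, "active but never scanned"))
        elif last < cutoff:
            flagged.append((rid, f"last scanned {(now - last).days} days ago"))
    return sorted(flagged)


def fetch_ecr_coverage(region_name):
    """Page through ListCoverage for ECR images only. Needs boto3 and credentials with
    inspector2:ListCoverage; not exercised by the offline sample below."""
    import boto3  # imported here so the offline report works without boto3 installed
    client = boto3.client("inspector2", region_name=region_name)
    resources = []
    for page in client.get_paginator("list_coverage").paginate(
        filterCriteria={"resourceType": [{"comparison": "EQUALS", "value": ECR_IMAGE}]}
    ):
        resources.extend(page["coveredResources"])
    return resources


# Constructed sample mirroring the ListCoverage response shape; not real AWS data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
REPO = "arn:aws:ecr:us-east-1:111122223333:repository/app"  # placeholder account/repo
SAMPLE = [
    {"resourceType": ECR_IMAGE, "resourceId": f"{REPO}/sha256:aaaa",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}, "lastScannedAt": NOW - timedelta(days=2)},
    {"resourceType": ECR_IMAGE, "resourceId": f"{REPO}/sha256:bbbb",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}, "lastScannedAt": NOW - timedelta(days=120)},
    {"resourceType": ECR_IMAGE, "resourceId": f"{REPO}/sha256:cccc",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "UNSUPPORTED_OS"}},
    {"resourceType": "AWS_EC2_INSTANCE", "resourceId": "i-0123456789abcdef0",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "STALE_INVENTORY"}},
]
```

Running stale_images(SAMPLE, NOW) flags the image last scanned 120 days ago and the inactive unsupported-OS image; to run against a real account, pass fetch_ecr_coverage("us-east-1") and datetime.now(timezone.utc) instead.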

Supported operating systems and media types

For information about supported operating systems, see Supported operating systems: Amazon ECR scanning with Amazon Inspector.

Amazon Inspector scans of Amazon ECR repositories cover the following supported media types:

  • "application/vnd.docker.distribution.manifest.v1+json"

  • "application/vnd.docker.distribution.manifest.v1+prettyjws"

  • "application/vnd.oci.image.manifest.v1+json"

  • "application/vnd.docker.distribution.manifest.v2+json"

Note

Scratch images and "application/vnd.docker.distribution.manifest.list.v2+json" images aren't supported.