Configuring the Amazon ECR re-scan duration - Amazon Inspector

The Amazon ECR re-scan duration setting determines how long Amazon Inspector continuously monitors container images in repositories. You configure the re-scan duration for the image push date and image pull date. As a best practice, configure the re-scan duration to best suit your environment. For example, if you build images often, choose a shorter scan duration. For images used over long periods of time, choose a longer scan duration. The default scan duration for new accounts, including new accounts added to an organization, is 90 days.

Amazon Inspector will continue to monitor and rescan an image as long as it's been pushed or pulled within the configured push and pull dates. If the image hasn’t been pushed or pulled within the configured push and pull dates, Amazon Inspector stops monitoring it. When Amazon Inspector stops monitoring an image, it sets the image scan status code to inactive and reason code to expired. Amazon Inspector then schedules all associated image findings to be closed.

If you increase the push date duration, Amazon Inspector applies the change to all actively scanned images in repositories configured for continual scanning. However, inactive images remain inactive, even if you pushed them within the new duration.

Note

When you configure the re-scan duration from a delegated administrator account, Amazon Inspector applies the setting to all member accounts in the organization.

Image push date duration

The image push date duration determines how long Amazon Inspector continuously monitors images after they were pushed to repositories following the latest pull date. The following options are available as re-scan durations:

  • 14 days

  • 30 days

  • 60 days

  • 90 days (default)

  • 180 days

  • Lifetime

Image pull date duration

The image pull date duration determines how long Amazon Inspector continuously monitors images after the latest pull date. The following options are available as re-scan durations:

  • 14 days

  • 30 days

  • 60 days

  • 90 days (default)

  • 180 days

To configure the Amazon ECR re-scan duration
  1. Sign in using your credentials, and then open the Amazon Inspector console at https://console.aws.amazon.com/inspector/v2/home.

  2. Select the AWS Region where you want to configure the Amazon ECR re-scan duration.

  3. From the navigation pane, choose General settings, and then choose ECR scanning settings.

  4. On ECR scanning settings, under ECR re-scan duration, choose the image push date duration and image pull date duration that you want to set.

  5. Choose Save.
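Before saving a shorter duration, it helps to preview which images would drop out of monitoring and have their findings scheduled for closure. The following is an added example, not AWS code: a simplified offline model of the push/pull rule described above, run over a constructed inventory. The `imagePushedAt` and `lastRecordedPullTime` keys follow the Amazon ECR DescribeImages response; the `tag` and `inactive` keys, the inclusive window boundary, and all sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Options listed on this page, in days. None models the push-only "Lifetime" option.
PUSH_DAYS = {14, 30, 60, 90, 180, None}
PULL_DAYS = {14, 30, 60, 90, 180}

def _within(ts, days, now):
    """True if ts falls inside the last `days` days (assumed inclusive)."""
    if ts is None:              # image was never pulled
        return False
    return days is None or now - ts <= timedelta(days=days)

def preview(images, push_days, pull_days, now):
    """Bucket images by what a candidate setting would do to them."""
    if push_days not in PUSH_DAYS or pull_days not in PULL_DAYS:
        raise ValueError("duration is not one of the options on this page")
    result = {"monitored": [], "expiring": [], "stays_inactive": []}
    for img in images:
        if img.get("inactive"):
            # Inactive images remain inactive, even inside a longer window.
            bucket = "stays_inactive"
        elif (_within(img["imagePushedAt"], push_days, now)
              or _within(img.get("lastRecordedPullTime"), pull_days, now)):
            bucket = "monitored"
        else:
            # Would become inactive/expired; its findings get closed.
            bucket = "expiring"
        result[bucket].append(img["tag"])
    return result

def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed inventory, evaluated as of 2024-06-30.
NOW = _d(2024, 6, 30)
INVENTORY = [
    {"tag": "api:1.4", "imagePushedAt": _d(2024, 6, 20)},
    {"tag": "batch:2023.11", "imagePushedAt": _d(2023, 11, 15),
     "lastRecordedPullTime": _d(2024, 6, 1)},
    {"tag": "legacy:0.9", "imagePushedAt": _d(2023, 1, 10),
     "lastRecordedPullTime": _d(2023, 12, 1)},
    {"tag": "old-base:3", "imagePushedAt": _d(2024, 5, 25), "inactive": True},
]

if __name__ == "__main__":
    for push, pull in [(90, 90), (14, 14), (None, 14)]:
        print(push, pull, preview(INVENTORY, push, pull, NOW))
```

Images in the `expiring` bucket are the ones to review before shortening a duration, since a long-running image that is rarely pulled would stop receiving new findings.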