Supported operating systems and programming languages for Amazon Inspector
Amazon Inspector can scan software applications that are installed on the following:
-
Amazon Elastic Compute Cloud (Amazon EC2) instances
Note
For Amazon EC2 instances, Amazon Inspector can scan for package vulnerabilities in operating systems that support agent-based scanning. Amazon Inspector can also scan for package vulnerabilities in operating systems and programming languages that support hybrid scanning. Amazon Inspector does not scan for toolchain vulnerabilities. The version of the programming language compiler used to build the application introduces these vulnerabilities.
-
Container images stored in Amazon Elastic Container Registry (Amazon ECR) repositories
Note
For ECR container images, Amazon Inspector can scan for operating system and programming language package vulnerabilities. Amazon Inspector does not scan for toolchain vulnerabilities. The version of the programming language compiler used to build the application introduces these vulnerabilities.
-
AWS Lambda functions
Note
For Lambda functions, Amazon Inspector can scan for programming language package vulnerabilities and code vulnerabilities. Amazon Inspector does not scan for toolchain vulnerabilities. The version of the programming language compiler used to build the application introduces these vulnerabilities.
When Amazon Inspector scans resources, Amazon Inspector sources more than 50 data feeds to generate findings for common vulnerabilities and exposures (CVEs). Examples of these sources include vendor security advisories data feeds and threat intelligence feeds, as well as the National Vulnerability Database (NVD) and MITRE. Amazon Inspector updates vulnerability data from source feeds at least once daily.
For Amazon Inspector to scan a resource, the resource must be running a supported operating system or using a supported programming language. The topics in this section list the operating systems, programming languages, and runtimes Amazon Inspector supports for different resources and scan types. They also list discontinued operating systems.
Note
Amazon Inspector can provide only limited support for an operating system after a vendor discontinues support for the operating system.
Topics
Supported operating systems
This section lists the operating systems Amazon Inspector supports.
Supported operating systems: Amazon EC2 scanning
The following table lists the operating systems Amazon Inspector supports for the scanning of Amazon EC2 instances. It specifies the vendor security advisory for each operating system and which operating systems support agent-based scanning and agentless scanning.
Note
When using the agent-based scanning method, you configure the SSM agent to perform continuous scans on all eligible instances. Amazon Inspector recommends that you configure a version of the SSM agent that's greater than 3.2.2086.0. For more information, see Working with the SSM Agent in the Amazon EC2 Systems Manager User Guide.
Linux operating system detections are supported only for the default package manager repository (rpm and dpkg) and don't include third-party applications, extended support repositories (BYOS RHEL, PAYG RHEL, and RHEL for SAP), and optional repositories (application streams).
Operating system | Version | Vendor security advisories | Agentless scan support | Agent-based scan support |
---|---|---|---|---|
AlmaLinux | 8 | ALSA | Yes | Yes |
AlmaLinux | 9 | ALSA | Yes | Yes |
Amazon Linux (AL2) | AL2 | ALAS | Yes | Yes |
Amazon Linux 2023 (AL2023) | AL2023 | ALAS | Yes | Yes |
Bottlerocket | 1.7.0 and later | GHSA, CVE | No | Yes |
Debian Server (Bullseye) | 11 | DSA | Yes | Yes |
Debian Server (Bookworm) | 12 | DSA | Yes | Yes |
Fedora | 40 | CVE | Yes | Yes |
OpenSUSE Leap | 15.5 | CVE | Yes | Yes |
OpenSUSE Leap | 15.6 | CVE | Yes | Yes |
Oracle Linux (Oracle) | 7 | ELSA | Yes | Yes |
Oracle Linux (Oracle) | 8 | ELSA | Yes | Yes |
Oracle Linux (Oracle) | 9 | ELSA | Yes | Yes |
Red Hat Enterprise Linux (RHEL) | 8 | RHSA | Yes | Yes |
Red Hat Enterprise Linux (RHEL) | 9 | RHSA | Yes | Yes |
Rocky Linux | 8 | RLSA | Yes | Yes |
Rocky Linux | 9 | RLSA | Yes | Yes |
SUSE Linux Enterprise Server (SLES) | 12.5 | SUSE CVE | Yes | Yes |
SUSE Linux Enterprise Server (SLES) | 15.5 | SUSE CVE | Yes | Yes |
SUSE Linux Enterprise Server (SLES) | 15.6 | SUSE CVE | Yes | Yes |
Ubuntu (Xenial) | 16.04 (ESM) | USN, Ubuntu Pro | Yes | Yes |
Ubuntu (Bionic) | 18.04 (ESM) | USN, Ubuntu Pro | Yes | Yes |
Ubuntu (Focal) | 20.04 (LTS) | USN | Yes | Yes |
Ubuntu (Jammy) | 22.04 (LTS) | USN | Yes | Yes |
Ubuntu (Noble Numbat) | 24.04 | USN | Yes | Yes |
Ubuntu (Oracular Oriole) | 24.10 | USN | Yes | Yes |
Windows Server | 2016 | MSKB | No | Yes |
Windows Server | 2019 | MSKB | No | Yes |
Windows Server | 2022 | MSKB | No | Yes |
macOS (Mojave) | 10.14 | APPLE-SA | No | Yes |
macOS (Catalina) | 10.15 | APPLE-SA | No | Yes |
macOS (Big Sur) | 11 | APPLE-SA | No | Yes |
macOS (Monterey) | 12 | APPLE-SA | No | Yes |
macOS (Ventura) | 13 | APPLE-SA | No | Yes |
macOS (Sonoma) | 14 | APPLE-SA | No | Yes |
Supported operating systems: Amazon ECR scanning with Amazon Inspector
The following table lists the operating systems Amazon Inspector supports for the scanning of container images in Amazon ECR repositories. It also specifies the vendor security advisory for each operating system.
Operating system | Version | Vendor security advisories |
---|---|---|
Alpine Linux (Alpine) | 3.18 | Alpine SecDB |
Alpine Linux (Alpine) | 3.19 | Alpine SecDB |
Alpine Linux (Alpine) | 3.20 | Alpine SecDB |
AlmaLinux | 8 | ALSA |
AlmaLinux | 9 | ALSA |
Amazon Linux (AL2) | AL2 | ALAS |
Amazon Linux 2023 (AL2023) | AL2023 | ALAS |
Debian Server (Bullseye) | 11 | DSA |
Debian Server (Bookworm) | 12 | DSA |
Fedora | 40 | CVE |
OpenSUSE Leap | 15.5 | CVE |
OpenSUSE Leap | 15.6 | CVE |
Oracle Linux (Oracle) | 7 | ELSA |
Oracle Linux (Oracle) | 8 | ELSA |
Oracle Linux (Oracle) | 9 | ELSA |
Photon OS | 4 | PHSA |
Photon OS | 5 | PHSA |
Red Hat Enterprise Linux (RHEL) | 8 | RHSA |
Red Hat Enterprise Linux (RHEL) | 9 | RHSA |
Rocky Linux | 8 | RLSA |
Rocky Linux | 9 | RLSA |
SUSE Linux Enterprise Server (SLES) | 12.5 | SUSE CVE |
SUSE Linux Enterprise Server (SLES) | 15.5 | SUSE CVE |
SUSE Linux Enterprise Server (SLES) | 15.6 | SUSE CVE |
Ubuntu (Xenial) | 16.04 (ESM) | USN, Ubuntu Pro |
Ubuntu (Bionic) | 18.04 (ESM) | USN, Ubuntu Pro |
Ubuntu (Focal) | 20.04 (LTS) | USN |
Ubuntu (Jammy) | 22.04 (LTS) | USN |
Ubuntu (Noble Numbat) | 24.04 | USN |
Ubuntu (Oracular Oriole) | 24.10 | USN |
Supported operating systems: CIS scanning
The following table lists the operating systems Amazon Inspector supports for CIS scans. It also specifies the CIS benchmark version for each operating system.
Operating system | Version | CIS benchmark version |
---|---|---|
Amazon Linux 2 | AL2 | 2.0.0 |
Amazon Linux 2023 | AL2023 | 1.0.0 |
Red Hat Enterprise Linux (RHEL) | 8 | 3.0.0 |
Red Hat Enterprise Linux (RHEL) | 9 | 1.0.0 |
Rocky Linux | 8 | 2.0.0 |
Rocky Linux | 9 | 1.0.0 |
Ubuntu (Bonic) | 18.04 (LTS) | 2.1.0 |
Ubuntu (Focal) | 20.04 (LTS) | 2.0.1 |
Ubuntu (Jammy) | 22.04 (LTS) | 1.0.0 |
Windows Server | 2016 | 3.0.0 |
Windows Server | 2019 | 2.0.0 |
Windows Server | 2022 | 2.0.0 |
Discontinued operating systems
The following tables list which operatings systems have been discontinued and when they were discontinued.
Even though Amazon Inspector doesn't provide full support for the following discontinued operating systems, Amazon Inspector continues to scan the Amazon EC2 instances and Amazon ECR container images running them. As a security best practice, we recommend moving to the supported version of a discontinued operating system. Findings that Amazon Inspector generates for a discontinued operating system should be used for informational purposes only.
In accordance with vendor policy, the following operating systems no longer receive patch updates. New security advisories might not be released for discontinued operating systems. Vendors can remove existing security advisories and detections from their feeds for operating systems that reach the end of standard support. As a result, Amazon Inspector can stop generating findings for known CVEs.
Discontinued operating systems: Amazon EC2 scanning
Operating system | Version | Discontinued |
---|---|---|
Amazon Linux (AL1) | 2012 | December 31, 2021 |
CentOS Linux (CentOS) | 7 | June 30, 2024 |
CentOS Linux (CentOS) | 8 | December 31, 2021 |
Debian Server (Stretch) | 9 | June 30, 2022 |
Debian Server (Buster) | 10 | June 30, 2024 |
Fedora | 35 | December 13, 2022 |
Fedora | 36 | May 16, 2023 |
Fedora | 37 | December 15, 2023 |
Fedora | 38 | May 21, 2024 |
Fedora | 39 | November 26, 2024 |
OpenSUSE Leap | 15.2 | December 1, 2021 |
OpenSUSE Leap | 15.3 | December 1, 2022 |
OpenSUSE Leap | 15.4 | December 7, 2023 |
Oracle Linux (Oracle) | 6 | March 1, 2021 |
Red Hat Enterprise Linux (RHEL) | 7 | June 30, 2024 |
SUSE Linux Enterprise Server (SLES) | 12 | June 30, 2016 |
SUSE Linux Enterprise Server (SLES) | 12.1 | May 31, 2017 |
SUSE Linux Enterprise Server (SLES) | 12.2 | March 31, 2018 |
SUSE Linux Enterprise Server (SLES) | 12.3 | June 30, 2019 |
SUSE Linux Enterprise Server (SLES) | 12.4 | June 30, 2020 |
SUSE Linux Enterprise Server (SLES) | 15 | December 31, 2019 |
SUSE Linux Enterprise Server (SLES) | 15.1 | January 31, 2021 |
SUSE Linux Enterprise Server (SLES) | 15.2 | December 31, 2021 |
SUSE Linux Enterprise Server (SLES) | 15.3 | December 31, 2022 |
SUSE Linux Enterprise Server (SLES) | 15.4 | December 31, 2023 |
Ubuntu (Trusty) | 14.04 (ESM) | April 1, 2024 |
Ubuntu (Groovy) | 20.10 | July 22, 2021 |
Ubuntu (Hirsute) | 21.04 | January 20, 2022 |
Ubuntu (Impish) | 21.10 | July 31, 2022 |
Ubuntu (Kinetic) | 22.10 | July 20, 2023 |
Ubuntu (Lunar Lobster) | 23.04 | January 25, 2024 |
Ubuntu (Mantic Minotaur) | 23.10 | July 11, 2024 |
Windows Server | 2012 | October 10, 2023 |
Windows Server | 2012 R2 | October 10, 2023 |
Discontinued operating systems: Amazon ECR scanning
Operating system | Version | Discontinued |
---|---|---|
Alpine Linux (Alpine) | 3.12 | May 1, 2022 |
Alpine Linux (Alpine) | 3.13 | November 1, 2022 |
Alpine Linux (Alpine) | 3.14 | May 1, 2023 |
Alpine Linux (Alpine) | 3.15 | November 1, 2023 |
Alpine Linux (Alpine) | 3.16 | May 23, 2024 |
Alpine Linux (Alpine) | 3.17 | November 22, 2024 |
Amazon Linux (AL1) | 2012 | December 31, 2021 |
CentOS Linux (CentOS) | 7 | June 30, 2024 |
CentOS Linux (CentOS) | 8 | December 31, 2021 |
Debian Server (Stretch) | 9 | June 30, 2022 |
Debian Server (Buster) | 10 | June 30, 2024 |
Fedora | 35 | December 13, 2022 |
Fedora | 36 | May 16, 2023 |
Fedora | 37 | December 15, 2023 |
Fedora | 38 | May 21, 2024 |
Fedora | 39 | November 26, 2024 |
OpenSUSE Leap | 15.2 | December 1, 2021 |
OpenSUSE Leap | 15.3 | December 1, 2022 |
OpenSUSE Leap | 15.4 | December 7, 2023 |
Oracle Linux (Oracle) | 6 | March 1, 2021 |
Photon OS | 3 | March 1, 2024 |
Red Hat Enterprise Linux (RHEL) | 7 | June 30, 2024 |
SUSE Linux Enterprise Server (SLES) | 12 | June 30, 2016 |
SUSE Linux Enterprise Server (SLES) | 12.1 | May 31, 2017 |
SUSE Linux Enterprise Server (SLES) | 12.2 | March 31, 2018 |
SUSE Linux Enterprise Server (SLES) | 12.3 | June 30, 2019 |
SUSE Linux Enterprise Server (SLES) | 12.4 | June 30, 2020 |
SUSE Linux Enterprise Server (SLES) | 15 | December 31, 2019 |
SUSE Linux Enterprise Server (SLES) | 15.1 | January 31, 2021 |
SUSE Linux Enterprise Server (SLES) | 15.2 | December 31, 2021 |
SUSE Linux Enterprise Server (SLES) | 15.3 | December 31, 2022 |
SUSE Linux Enterprise Server (SLES) | 15.4 | December 31, 2023 |
Ubuntu (Trusty) | 14.04 (ESM) | April 1, 2024 |
Ubuntu (Groovy) | 20.10 | July 22, 2021 |
Ubuntu (Hirsute) | 21.04 | January 20, 2022 |
Ubuntu (Impish) | 21.10 | July 31, 2022 |
Ubuntu (Kinetic) | 22.10 | July 20, 2023 |
Ubuntu (Lunar Lobster) | 23.04 | January 25, 2024 |
Ubuntu (Mantic Minotaur) | 23.10 | July 11, 2024 |
Supported programming languages
This section lists the programming launguages Amazon Inspector supports.
Supported programming languages: Amazon EC2 agentless scanning
Amazon Inspector currently supports the following programming languages when performing agentless scans on eligible Amazon EC2 instances. For more information, see agentless scanning.
Note
Amazon Inspector doesn't scan for tooolchain vulnerabilities in Go and Rust. The version of the programming language compiler used to build the application introduces these vulnerabilities.
-
C#
-
Go
-
Java
-
JavaScript
-
PHP
-
Python
-
Ruby
-
Rust
Supported programming languages: Amazon EC2 deep inspection
Amazon Inspector currently supports the following programming languages when performing deep inspection scans on Amazon EC2 Linux instances. For more information, see Amazon Inspector deep inspection for Linux-based Amazon EC2 instances.
-
Java (.ear, .jar, .par, and .war archive formats)
-
JavaScript
-
Python
Amazon Inspector uses Systems Manager Distributor to deploy the plugin for deep inspection of your Amazon EC2 instance.
Note
Deep inspection is not supported for Bottlerocket operating systems.
To perform deep inspection scans, Systems Manager Distributor and Amazon Inspector must support your Amazon EC2 instance operating system. For information about supported operating systems in Systems Manager Distributor, see Supported package platforms and architectures in the Systems Manager User Guide.
Supported programming languages: Amazon ECR scanning
Amazon Inspector currently supports the following programming languages when scanning container images in Amazon ECR repositories:
Note
Amazon Inspector doesn't scan for tooolchain vulnerabilities in Go and Rust. The version of the programming language compiler used to build the application introduces these vulnerabilities.
-
C#
-
Go
-
Java
-
JavaScript
-
PHP
-
Python
-
Ruby
-
Rust
Supported runtimes
This section lists the runtimes Amazon Inspector supports.
Supported runtimes: Amazon Inspector Lambda standard scanning
Amazon Inspector Lambda standard scanning currently supports the following runtimes for the programming languages it can use when scanning Lambda functions for vulnerabilities in third-party software packages:
Note
Amazon Inspector doesn't scan for tooolchain vulnerabilities in Go and Rust. The version of the programming language compiler used to build the application introduces these vulnerabilities.
-
Go
-
go1.x
-
-
Java
-
java8
-
java8.al2
-
java11
-
java17
-
java21
-
-
.NET
-
.NET 6
-
.NET 8
-
-
Node.js
-
nodejs12.x
-
nodejs14.x
-
nodejs16.x
-
nodejs18.x
-
nodejs20.x
-
-
Python
-
python3.7
-
python3.8
-
python3.9
-
python3.10
-
python3.11
-
python3.12
-
-
Ruby
-
ruby2.7
-
ruby3.2
-
ruby3.3
-
-
Custom runtimes
-
AL2
-
AL2023
-
Supported runtimes: Amazon Inspector Lambda code scanning
Amazon Inspector Lambda code scanning currently supports the following runtimes for the programming languages it can use when scanning Lambda functions for vulnerabilities in code:
-
Java
-
java8
-
java8.al2
-
java11
-
java17
-
-
.NET
-
.NET 6
-
.NET 8
-
-
Node.js
-
nodejs12.x
-
nodejs14.x
-
nodejs16.x
-
nodejs18.x
-
nodejs20.x
-
-
Python
-
python3.7
-
python3.8
-
python3.9
-
python3.10
-
python3.11
-
python3.12
-
-
Ruby
-
ruby2.7
-
ruby3.2
-
ruby3.3
-