ECR Registry Image Scanning on Push

Overview

This check verifies that your Amazon ECR (Elastic Container Registry) has image scanning configured to automatically scan container images when they are pushed. The registry-level scanning configuration should apply to all repositories without restrictive filters, using either basic or enhanced scanning.

Risk

Without automatic image scanning on push, vulnerable container images may be deployed without detection:

  • Exploitation of known vulnerabilities: Unscanned images may contain known CVEs enabling remote code execution, privilege escalation, or other attacks
  • Supply chain compromise: Malicious code in base images or dependencies goes undetected
  • Lateral movement: Attackers can use vulnerable containers to move through your environment
  • Compliance violations: Many security frameworks require vulnerability scanning of container images
  • Delayed detection: Manual scanning or no scanning means vulnerabilities are discovered late (if at all), increasing remediation costs

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to modify ECR registry settings
  • If using enhanced scanning, Amazon Inspector must be available in your region

Required IAM permissions (for administrators)

Your IAM user or role needs these permissions:

  • ecr:PutRegistryScanningConfiguration
  • ecr:GetRegistryScanningConfiguration
  • ecr:DescribeRegistry
  • inspector2:Enable (only if enabling enhanced scanning)

AWS Console Method

  1. Open the ECR Console

  2. Navigate to Registry Settings

  3. Configure Scanning

    • Find the Scanning section
    • Click Edit

  4. Select Scanning Type

    • Choose Enhanced scanning (recommended) or Basic scanning
    • Enhanced scanning uses Amazon Inspector for deeper vulnerability analysis
    • Basic scanning uses the open-source Clair scanner

  5. Enable Scan on Push

    • Under Scan on push filters, click Add filter
    • Set the filter type to Wildcard
    • Enter * as the filter value (this applies to all repositories)
    • Make sure Scan on push is enabled for this filter

  6. Save Changes

    • Click Save to apply the configuration

AWS CLI (optional)

Enable basic scanning on push for all repositories:

aws ecr put-registry-scanning-configuration \
  --scan-type BASIC \
  --rules '[{"scanFrequency":"SCAN_ON_PUSH","repositoryFilters":[{"filter":"*","filterType":"WILDCARD"}]}]' \
  --region us-east-1

Enable enhanced scanning on push for all repositories:

aws ecr put-registry-scanning-configuration \
  --scan-type ENHANCED \
  --rules '[{"scanFrequency":"SCAN_ON_PUSH","repositoryFilters":[{"filter":"*","filterType":"WILDCARD"}]}]' \
  --region us-east-1

Expected output (shown for the enhanced scanning command):

{
  "registryScanningConfiguration": {
    "scanType": "ENHANCED",
    "rules": [
      {
        "scanFrequency": "SCAN_ON_PUSH",
        "repositoryFilters": [
          {
            "filter": "*",
            "filterType": "WILDCARD"
          }
        ]
      }
    ]
  }
}

Enable enhanced scanning with continuous scanning

For production workloads, you can enable both scan-on-push and continuous scanning:

aws ecr put-registry-scanning-configuration \
  --scan-type ENHANCED \
  --rules '[
    {"scanFrequency":"SCAN_ON_PUSH","repositoryFilters":[{"filter":"*","filterType":"WILDCARD"}]},
    {"scanFrequency":"CONTINUOUS_SCAN","repositoryFilters":[{"filter":"prod-*","filterType":"WILDCARD"}]}
  ]' \
  --region us-east-1

This enables scan-on-push for all repositories and continuous scanning for production repositories (those prefixed with prod-).

CloudFormation (optional)

CloudFormation does not directly support configuring ECR registry-level scanning settings. You can use a CloudFormation Custom Resource with a Lambda function to configure this.

Here is an example Custom Resource approach:

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure ECR registry scanning via Custom Resource

Resources:
  ECRScanningConfigFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: ecr-scanning-config
      Runtime: python3.11
      Handler: index.handler
      Timeout: 60
      Role: !GetAtt LambdaRole.Arn
      Code:
        ZipFile: |
          import boto3
          import cfnresponse

          def handler(event, context):
              ecr = boto3.client('ecr')
              try:
                  # Create and Update write the registry configuration; Delete
                  # leaves the current setting in place and reports success.
                  if event['RequestType'] in ['Create', 'Update']:
                      ecr.put_registry_scanning_configuration(
                          scanType=event['ResourceProperties']['ScanType'],
                          rules=[{
                              'scanFrequency': 'SCAN_ON_PUSH',
                              'repositoryFilters': [{'filter': '*', 'filterType': 'WILDCARD'}]
                          }]
                      )
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
              except Exception as e:
                  cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)})

  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ECRScanningConfig
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ecr:PutRegistryScanningConfiguration
                  - ecr:GetRegistryScanningConfiguration
                  # Needed when ScanType is ENHANCED (see Prerequisites above)
                  - inspector2:Enable
                Resource: '*'

  ECRScanningConfig:
    Type: Custom::ECRScanningConfig
    Properties:
      ServiceToken: !GetAtt ECRScanningConfigFunction.Arn
      ScanType: ENHANCED

Note: For individual repository scanning, you can use the ScanOnPush property:

Resources:
  MyRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: my-app
      ImageScanningConfiguration:
        ScanOnPush: true

However, this per-repository approach does not satisfy the registry-level check.

Terraform (optional)

# Configure ECR registry scanning
resource "aws_ecr_registry_scanning_configuration" "scanning" {
  scan_type = "ENHANCED"

  rule {
    scan_frequency = "SCAN_ON_PUSH"
    repository_filter {
      filter      = "*"
      filter_type = "WILDCARD"
    }
  }
}

# Optional: Add continuous scanning for production repositories.
# Use this resource instead of the one above, not alongside it: the registry
# scanning configuration is a single per-region setting, so two instances of
# this resource would overwrite each other on every apply.
resource "aws_ecr_registry_scanning_configuration" "scanning_with_continuous" {
  scan_type = "ENHANCED"

  rule {
    scan_frequency = "SCAN_ON_PUSH"
    repository_filter {
      filter      = "*"
      filter_type = "WILDCARD"
    }
  }

  rule {
    scan_frequency = "CONTINUOUS_SCAN"
    repository_filter {
      filter      = "prod-*"
      filter_type = "WILDCARD"
    }
  }
}

# Example: Create a repository (inherits registry scanning settings)
resource "aws_ecr_repository" "app" {
  name                 = "my-app"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

# Point these references at whichever scanning resource you kept
output "scanning_configuration" {
  description = "ECR registry scanning configuration"
  value = {
    scan_type = aws_ecr_registry_scanning_configuration.scanning.scan_type
    rules     = aws_ecr_registry_scanning_configuration.scanning.rule
  }
}

Deploy with:

terraform init
terraform plan
terraform apply

Verification

After configuring registry scanning, verify the settings:

  1. In the AWS Console:

    • Go to ECR > Private registry > Settings
    • Check that Scanning type shows your selected option (Enhanced or Basic)
    • Verify that the filter is set to * with Scan on push enabled

  2. Test with a new image:

    • Push a container image to any repository
    • Check the image details; scanning should start automatically
    • View scan findings in the Vulnerabilities tab

CLI verification commands

Check current scanning configuration:

aws ecr get-registry-scanning-configuration --region us-east-1

Expected output when properly configured:

{
  "registryId": "123456789012",
  "scanningConfiguration": {
    "scanType": "ENHANCED",
    "rules": [
      {
        "scanFrequency": "SCAN_ON_PUSH",
        "repositoryFilters": [
          {
            "filter": "*",
            "filterType": "WILDCARD"
          }
        ]
      }
    ]
  }
}

Check scan findings for a specific image:

aws ecr describe-image-scan-findings \
  --repository-name my-app \
  --image-id imageTag=latest \
  --region us-east-1
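
The test this check performs, as an added Python example that is not part of the original page: it evaluates the parsed JSON of the get-registry-scanning-configuration command above (boto3's get_registry_scanning_configuration() returns the same shape) and passes only when the scan type is BASIC or ENHANCED and a SCAN_ON_PUSH rule carries the unrestricted * wildcard filter. The sample responses are constructed, not real account data.

```python
"""Evaluate an ECR registry scanning configuration against this check.

Input is the parsed JSON of `aws ecr get-registry-scanning-configuration`
(boto3's get_registry_scanning_configuration() returns the same shape).
"""

COMPLIANT_SCAN_TYPES = {"BASIC", "ENHANCED"}


def covers_all_repositories(rule_filter: dict) -> bool:
    """True only for the unrestricted wildcard filter '*'."""
    return (rule_filter.get("filterType") == "WILDCARD"
            and rule_filter.get("filter") == "*")


def evaluate_registry_scanning(response: dict) -> tuple[bool, str]:
    """Return (passed, reason) for a get-registry-scanning-configuration response."""
    config = response.get("scanningConfiguration", {})
    scan_type = config.get("scanType")
    if scan_type not in COMPLIANT_SCAN_TYPES:
        return False, f"unexpected scan type {scan_type!r}"

    for rule in config.get("rules", []):
        if rule.get("scanFrequency") != "SCAN_ON_PUSH":
            continue
        if any(covers_all_repositories(f) for f in rule.get("repositoryFilters", [])):
            return True, f"{scan_type} scan on push applies to all repositories"

    # Either no rules at all (registry default) or only restrictive filters.
    found = [(r.get("scanFrequency"),
              [f.get("filter") for f in r.get("repositoryFilters", [])])
             for r in config.get("rules", [])]
    return False, f"no SCAN_ON_PUSH rule with filter '*' (rules: {found})"


# Constructed sample responses (registryId is a placeholder, not a real account).
COMPLIANT = {"registryId": "123456789012", "scanningConfiguration": {
    "scanType": "ENHANCED",
    "rules": [{"scanFrequency": "SCAN_ON_PUSH",
               "repositoryFilters": [{"filter": "*", "filterType": "WILDCARD"}]}]}}
RESTRICTED = {"registryId": "123456789012", "scanningConfiguration": {
    "scanType": "BASIC",
    "rules": [{"scanFrequency": "SCAN_ON_PUSH",
               "repositoryFilters": [{"filter": "prod-*", "filterType": "WILDCARD"}]}]}}
NO_RULES = {"registryId": "123456789012", "scanningConfiguration": {
    "scanType": "ENHANCED", "rules": []}}

if __name__ == "__main__":
    for name, sample in [("compliant", COMPLIANT), ("restricted", RESTRICTED), ("no rules", NO_RULES)]:
        passed, reason = evaluate_registry_scanning(sample)
        print(f"{name}: {'PASS' if passed else 'FAIL'} - {reason}")
```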

Additional Resources

Notes

  • Basic vs Enhanced Scanning: Basic scanning uses Clair (open-source) and scans only OS packages. Enhanced scanning uses Amazon Inspector and includes scanning of programming language packages (npm, pip, etc.). Enhanced scanning is recommended for comprehensive coverage.
  • Cost considerations: Basic scanning is free. Enhanced scanning incurs Amazon Inspector charges based on the number of images scanned. See Amazon Inspector pricing.
  • Per-region setting: Registry scanning configuration is per-region. Configure scanning in each AWS region where you use ECR.
  • Existing images: Enabling scan-on-push only affects newly pushed images. To scan existing images, use the start-image-scan API or re-push the images.
  • Scan frequency options: Enhanced scanning supports SCAN_ON_PUSH (scan when pushed), CONTINUOUS_SCAN (rescan periodically for new CVEs), and MANUAL (no automatic scanning).
  • CI/CD integration: Integrate scan findings into your CI/CD pipeline to prevent deploying images with critical vulnerabilities. You can use EventBridge rules to trigger alerts or block deployments based on scan results.
  • Filter precedence: If multiple rules match a repository, the more specific filter takes precedence. Using * ensures all repositories are covered.
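
An added example (not from the original page) of the CI/CD gate described in the notes: it reads the parsed JSON of aws ecr describe-image-scan-findings and blocks deployment when findings at or above a chosen severity exist, or when scan results are not yet available. The set of statuses treated as results-available is an assumption, and the sample responses are constructed.

```python
"""CI gate over `aws ecr describe-image-scan-findings` output.

Uses imageScanStatus.status and imageScanFindings.findingSeverityCounts from
the parsed JSON response to decide whether an image may be deployed.
"""
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Assumption: COMPLETE (basic scanning) and ACTIVE (enhanced, continuous
# monitoring) are the statuses under which findings are available; any
# other status (IN_PROGRESS, PENDING, FAILED, ...) blocks the image.
RESULTS_AVAILABLE = {"COMPLETE", "ACTIVE"}


def findings_at_or_above(counts: dict, threshold: str) -> int:
    """Count findings whose severity is at least `threshold`.

    Severities outside SEVERITY_ORDER (e.g. UNTRIAGED) are not counted here
    but still appear in the gate's reason string for the operator to review.
    """
    cutoff = SEVERITY_ORDER.index(threshold)
    return sum(n for sev, n in counts.items()
               if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= cutoff)


def gate_image(scan_response: dict, threshold: str = "CRITICAL") -> tuple[bool, str]:
    """Return (allowed, reason). Unfinished or failed scans never pass."""
    status = scan_response.get("imageScanStatus", {}).get("status")
    if status not in RESULTS_AVAILABLE:
        return False, f"scan results not available (status {status})"
    counts = scan_response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    blocking = findings_at_or_above(counts, threshold)
    if blocking:
        return False, f"{blocking} finding(s) at {threshold} or higher: {counts}"
    return True, f"no findings at {threshold} or higher: {counts or 'none'}"


# Constructed sample responses, trimmed to the fields used above.
VULNERABLE = {"imageScanStatus": {"status": "COMPLETE"},
              "imageScanFindings": {"findingSeverityCounts": {"CRITICAL": 2, "HIGH": 5, "LOW": 1}}}
CLEAN = {"imageScanStatus": {"status": "ACTIVE"},
         "imageScanFindings": {"findingSeverityCounts": {"LOW": 3}}}
IN_PROGRESS = {"imageScanStatus": {"status": "IN_PROGRESS"}, "imageScanFindings": {}}

if __name__ == "__main__":
    for name, sample in [("vulnerable", VULNERABLE), ("clean", CLEAN), ("in progress", IN_PROGRESS)]:
        allowed, reason = gate_image(sample, threshold="HIGH")
        print(f"{name}: {'ALLOW' if allowed else 'BLOCK'} - {reason}")
```

A pipeline step can call gate_image on the command's JSON output and exit non-zero when it returns False.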