ECR Repository Image Scanning on Push
Overview
This check verifies that Amazon ECR (Elastic Container Registry) repositories have image scanning on push enabled. When enabled, container images are automatically scanned for known vulnerabilities as soon as they are pushed to the repository.
Note: This check is marked as deprecated by Prowler. AWS now recommends using registry-level scanning configuration (PutRegistryScanningConfiguration) for more comprehensive scanning, including continuous and enhanced scanning options.
Risk
Without automatic image scanning on push, your container images may contain known security vulnerabilities that go undetected:
- Vulnerable containers in production: Images with exploitable CVEs can be deployed without anyone noticing
- Delayed detection: Manual scanning workflows may miss images entirely or scan too late in the pipeline
- Lateral movement risk: Attackers can exploit known vulnerabilities to execute code and move through your environment
- Compliance gaps: Many security frameworks require vulnerability scanning as part of the container lifecycle
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to modify ECR repository settings
- The name of the ECR repository you want to configure
Required IAM permissions (for administrators)
Your IAM user or role needs these permissions:
- ecr:PutImageScanningConfiguration
- ecr:DescribeRepositories
- ecr:GetRegistryScanningConfiguration (for viewing registry-level settings)
- ecr:PutRegistryScanningConfiguration (for registry-level configuration)
AWS Console Method
1. Open the ECR Console
   - Go to Amazon ECR Console in us-east-1
2. Select your repository
   - Find and click on the repository you want to configure
3. Edit the repository
   - Click the Edit button (in the repository details page)
4. Enable scan on push
   - In the Image scan settings section, toggle Scan on push to enabled
   - Click Save
5. Repeat for other repositories
   - Repeat steps 2-4 for each repository that needs scanning enabled
AWS CLI (optional)
Enable scan on push for a single repository
aws ecr put-image-scanning-configuration \
--repository-name <your-repository-name> \
--image-scanning-configuration scanOnPush=true \
--region us-east-1
Replace <your-repository-name> with your actual repository name.
Expected output:
{
  "registryId": "123456789012",
  "repositoryName": "my-app",
  "imageScanningConfiguration": {
    "scanOnPush": true
  }
}
Enable scan on push for all repositories
To enable scanning for all repositories in your account:
for repo in $(aws ecr describe-repositories --query 'repositories[].repositoryName' --output text --region us-east-1); do
  echo "Enabling scan on push for: $repo"
  aws ecr put-image-scanning-configuration \
    --repository-name "$repo" \
    --image-scanning-configuration scanOnPush=true \
    --region us-east-1
done
Registry-level scanning (recommended alternative)
For more comprehensive scanning, configure scanning at the registry level:
aws ecr put-registry-scanning-configuration \
--scan-type ENHANCED \
--rules '[{"repositoryFilters":[{"filter":"*","filterType":"WILDCARD"}],"scanFrequency":"SCAN_ON_PUSH"}]' \
--region us-east-1
This enables enhanced scanning (Amazon Inspector) for every repository in the registry, with a scan triggered on each push; enhanced scanning also supports a CONTINUOUS_SCAN frequency that re-evaluates images as new vulnerabilities are published.
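The two CLI paths above leave a gap that is easy to miss: a repository is covered if either its own scanOnPush flag is true or a registry-level rule matches its name, and a repository covered by neither is what this check is really looking for. The following script is an added example (not Prowler's code and not an AWS tool) that takes the JSON returned by aws ecr describe-repositories and aws ecr get-registry-scanning-configuration, works out which repositories fall through both, and prints the put-image-scanning-configuration command for each. Both JSON documents below are constructed samples; the assumption that a WILDCARD repository filter matches like a shell glob is the example's own.

```python
"""Find ECR repositories covered by neither repository-level nor registry-level scanning.

Added example, not part of the Prowler check. Feed it the output of:
  aws ecr describe-repositories --region us-east-1
  aws ecr get-registry-scanning-configuration --region us-east-1
"""
import fnmatch
import json

# Constructed sample of `aws ecr describe-repositories` output.
DESCRIBE_REPOSITORIES = json.loads("""
{
  "repositories": [
    {"repositoryName": "my-app",
     "imageScanningConfiguration": {"scanOnPush": true}},
    {"repositoryName": "legacy-batch",
     "imageScanningConfiguration": {"scanOnPush": false}},
    {"repositoryName": "prod-api",
     "imageScanningConfiguration": {"scanOnPush": false}}
  ]
}
""")

# Constructed sample of `aws ecr get-registry-scanning-configuration` output:
# one enhanced-scanning rule that only covers repositories named prod-*.
REGISTRY_SCANNING = json.loads("""
{
  "registryId": "123456789012",
  "scanningConfiguration": {
    "scanType": "ENHANCED",
    "rules": [
      {"scanFrequency": "SCAN_ON_PUSH",
       "repositoryFilters": [{"filter": "prod-*", "filterType": "WILDCARD"}]}
    ]
  }
}
""")


def repos_without_scan_on_push(describe_output):
    """Names of repositories whose repository-level scanOnPush is not true."""
    return sorted(
        repo["repositoryName"]
        for repo in describe_output["repositories"]
        if not repo.get("imageScanningConfiguration", {}).get("scanOnPush", False)
    )


def registry_rule_covers(repo_name, registry_output):
    """True if any registry-level rule's WILDCARD filter matches this repository.

    Assumption (this example's, not documented AWS semantics): WILDCARD filters
    are matched as shell-style globs, and any scanFrequency counts as coverage.
    """
    rules = registry_output.get("scanningConfiguration", {}).get("rules", [])
    for rule in rules:
        for flt in rule.get("repositoryFilters", []):
            if flt.get("filterType") == "WILDCARD" and fnmatch.fnmatchcase(repo_name, flt["filter"]):
                return True
    return False


def unscanned_repositories(describe_output, registry_output):
    """Repositories with no scan-on-push coverage at either level."""
    return [
        name
        for name in repos_without_scan_on_push(describe_output)
        if not registry_rule_covers(name, registry_output)
    ]


def remediation_commands(repo_names, region="us-east-1"):
    """The CLI command from the remediation section, one per uncovered repository."""
    return [
        f"aws ecr put-image-scanning-configuration --repository-name {name} "
        f"--image-scanning-configuration scanOnPush=true --region {region}"
        for name in repo_names
    ]


if __name__ == "__main__":
    gaps = unscanned_repositories(DESCRIBE_REPOSITORIES, REGISTRY_SCANNING)
    print("Repositories with no scan-on-push coverage:", gaps)
    for command in remediation_commands(gaps):
        print(command)
```

With the constructed input, prod-api is picked up by the registry rule even though its own flag is false, so only legacy-batch is reported. Check the linked AWS documentation for how repository-level and registry-level settings interact under enhanced scanning before relying on the combined view in an automated gate.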
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: ECR repository with image scanning on push enabled
Parameters:
  RepositoryName:
    Type: String
    Description: Name of the ECR repository
    Default: my-application
Resources:
  ECRRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref RepositoryName
      ImageScanningConfiguration:
        ScanOnPush: true
      ImageTagMutability: IMMUTABLE
      EncryptionConfiguration:
        EncryptionType: AES256
      Tags:
        - Key: Environment
          Value: Production
Outputs:
  RepositoryUri:
    Description: URI of the ECR repository
    Value: !GetAtt ECRRepository.RepositoryUri
  RepositoryArn:
    Description: ARN of the ECR repository
    Value: !GetAtt ECRRepository.Arn
Deploy with:
aws cloudformation deploy \
--template-file ecr-repository.yaml \
--stack-name ecr-scanning-enabled \
--parameter-overrides RepositoryName=my-app \
--region us-east-1
Terraform (optional)
# ECR repository with scan on push enabled
resource "aws_ecr_repository" "app" {
  name                 = "my-application"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }

  encryption_configuration {
    encryption_type = "AES256"
  }

  tags = {
    Environment = "Production"
  }
}

# Optional: Registry-level scanning configuration (recommended)
resource "aws_ecr_registry_scanning_configuration" "enhanced" {
  scan_type = "ENHANCED"

  rule {
    scan_frequency = "SCAN_ON_PUSH"
    repository_filter {
      filter      = "*"
      filter_type = "WILDCARD"
    }
  }
}

output "repository_url" {
  description = "URL of the ECR repository"
  value       = aws_ecr_repository.app.repository_url
}
Deploy with:
terraform init
terraform plan
terraform apply
Verification
After enabling scan on push, verify the setting:
1. In the AWS Console:
   - Go to Amazon ECR > Repositories
   - Click on your repository
   - Check that Scan on push shows Enabled in the repository details
2. Test with a new image:
   - Push a test image to the repository
   - Go to the Images tab and click on the image
   - A vulnerability scan should automatically start and show results within a few minutes
CLI verification commands
Check scanning configuration for a specific repository:
aws ecr describe-repositories \
--repository-names <your-repository-name> \
--query 'repositories[0].imageScanningConfiguration' \
--region us-east-1
Expected output when enabled:
{
  "scanOnPush": true
}
Check all repositories:
aws ecr describe-repositories \
--query 'repositories[*].[repositoryName,imageScanningConfiguration.scanOnPush]' \
--output table \
--region us-east-1
View scan findings for an image:
aws ecr describe-image-scan-findings \
--repository-name <your-repository-name> \
--image-id imageTag=latest \
--region us-east-1
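Enabling scan on push only produces findings; someone still has to act on them. The following script is an added example (not Prowler's code and not an AWS tool) that triages the JSON returned by the describe-image-scan-findings command above: it refuses to pass an image whose scan is not COMPLETE, counts findings by severity, cross-checks that count against the findingSeverityCounts summary, and reports whether any finding meets a chosen severity threshold. The sample output is constructed, the CVE identifiers in it are placeholders, and the handling of the enhancedFindings key for Inspector-based scans is this example's assumption about the output shape.

```python
"""Triage `aws ecr describe-image-scan-findings` output against a severity threshold.

Added example, not part of the Prowler check. Feed it the output of:
  aws ecr describe-image-scan-findings --repository-name <repo> --image-id imageTag=latest
"""
import json

# Lowest to highest. UNDEFINED (severity unknown) is ranked above CRITICAL so
# that an unclassified finding is treated conservatively and blocks the image.
SEVERITY_RANK = {
    "INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4, "UNDEFINED": 5,
}

# Constructed sample of the CLI output; CVE-0000-0000x are placeholder identifiers.
SCAN_FINDINGS = json.loads("""
{
  "imageScanFindings": {
    "findings": [
      {"name": "CVE-0000-00001", "severity": "HIGH"},
      {"name": "CVE-0000-00002", "severity": "LOW"}
    ],
    "findingSeverityCounts": {"HIGH": 1, "LOW": 1}
  },
  "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
  "repositoryName": "my-app",
  "imageId": {"imageTag": "latest"}
}
""")

# Constructed sample of a scan that has not finished yet.
SCAN_IN_PROGRESS = {"imageScanStatus": {"status": "IN_PROGRESS"}, "repositoryName": "my-app"}


def scan_status(output):
    """The scan status string, or None if the output carries none."""
    return output.get("imageScanStatus", {}).get("status")


def findings(output):
    """All findings; basic scanning reports `findings`, enhanced scanning
    `enhancedFindings` (assumed key, both lists carry a `severity` field)."""
    scan = output.get("imageScanFindings", {})
    return scan.get("findings", []) + scan.get("enhancedFindings", [])


def severity_counts(output):
    """Count findings per severity from the finding list itself."""
    counts = {}
    for finding in findings(output):
        severity = finding.get("severity", "UNDEFINED")
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def counts_agree_with_summary(output):
    """True if our own count matches the findingSeverityCounts summary field."""
    summary = output.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    return severity_counts(output) == dict(summary)


def fails_gate(output, threshold="HIGH"):
    """Return (blocked, reason).

    A scan that is not COMPLETE blocks as well, so a stalled or failed scanner
    can never silently pass an image.
    """
    status = scan_status(output)
    if status != "COMPLETE":
        return True, f"scan status is {status or 'unknown'}, not COMPLETE"
    limit = SEVERITY_RANK[threshold]
    blocking = [
        finding.get("name", "<unnamed>")
        for finding in findings(output)
        if SEVERITY_RANK.get(finding.get("severity", "UNDEFINED"), 5) >= limit
    ]
    if blocking:
        return True, f"{len(blocking)} finding(s) at or above {threshold}: {', '.join(blocking)}"
    return False, f"no findings at or above {threshold}"


if __name__ == "__main__":
    print("severity counts:", severity_counts(SCAN_FINDINGS))
    print("summary consistent:", counts_agree_with_summary(SCAN_FINDINGS))
    for sample in (SCAN_FINDINGS, SCAN_IN_PROGRESS):
        blocked, reason = fails_gate(sample)
        print(sample["repositoryName"], "blocked" if blocked else "allowed", "-", reason)
```

Run it with real output piped in from the CLI and wire the blocked/allowed result into whatever step promotes an image; the threshold argument lets a pipeline block on HIGH for production repositories while only warning on MEDIUM elsewhere.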
Additional Resources
- AWS Documentation: Image Scanning
- AWS Documentation: Enabling Image Scanning
- AWS Documentation: Enhanced Scanning with Amazon Inspector
- AWS Documentation: Registry Scanning Configuration
Notes
- Deprecated check: This check validates repository-level scanning, which AWS has deprecated in favor of registry-level scanning configuration. Consider enabling enhanced scanning at the registry level for better coverage.
- Basic vs Enhanced scanning: Basic scanning uses the open-source Clair project and scans for OS package vulnerabilities. Enhanced scanning uses Amazon Inspector and also detects vulnerabilities in programming language packages (Python, Java, Node.js, etc.).
- Existing images: Enabling scan on push only affects newly pushed images. To scan existing images, use the start-image-scan CLI command or manually trigger a scan from the console.
- Scan frequency: With basic scanning, images are scanned once on push. Enhanced scanning supports continuous scanning, which monitors for newly published vulnerabilities.
- No additional cost for basic scanning: Basic image scanning is included with ECR at no extra charge. Enhanced scanning with Amazon Inspector incurs additional costs based on the number of images scanned.
- Scan results retention: Scan findings are retained until the image is deleted from the repository.