ECR Repository Latest Image Has No Vulnerabilities
Overview
This check verifies that the most recent container image pushed to your Amazon ECR (Elastic Container Registry) repositories has been scanned for vulnerabilities and has no findings at or above your configured severity threshold (such as CRITICAL or HIGH).
Risk
Running container images with unpatched vulnerabilities exposes your workloads to serious risks:
- Code execution: Attackers can exploit known CVEs to run malicious code inside your containers
- Data exfiltration: Vulnerabilities may allow unauthorized access to sensitive data
- Service disruption: Exploits can crash containers or degrade performance
- Lateral movement: Compromised containers can be used to attack other resources in your environment
- Supply chain attacks: Vulnerable base images can propagate risks across your entire application stack
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to manage ECR repositories
- Access to your container image build pipeline to fix vulnerabilities
Required IAM permissions (for administrators)
Your IAM user or role needs these permissions:
- ecr:PutImageScanningConfiguration
- ecr:StartImageScan
- ecr:DescribeImageScanFindings
- ecr:DescribeImages
- ecr:DescribeRepositories
- ecr:PutRegistryScanningConfiguration (for registry-level scanning)
AWS Console Method
Step 1: Enable scan-on-push for your repository
- Go to Amazon ECR Console
- Click on the repository name that failed the check
- Click Edit (or select the repository and click Edit from the Actions menu)
- Under Image scan settings, enable Scan on push
- Click Save
Step 2: Scan existing images (if needed)
- In the repository, click the Images tab
- Select the image(s) you want to scan
- Click Scan from the Actions dropdown
Step 3: Review scan results
- In the repository, click the Images tab
- Look at the Vulnerabilities column for each image
- Click on the vulnerability count to see details
Step 4: Fix vulnerabilities in your images
- Review the scan findings to identify vulnerable packages
- Update your Dockerfile to use patched base images or package versions
- Rebuild and push a new image
- Verify the new image scans clean
AWS CLI (optional)
Enable scan-on-push for a repository
aws ecr put-image-scanning-configuration \
    --repository-name <your-repository-name> \
    --image-scanning-configuration scanOnPush=true \
    --region us-east-1
Expected output:
{
    "registryId": "123456789012",
    "repositoryName": "my-app",
    "imageScanningConfiguration": {
        "scanOnPush": true
    }
}
Manually start a scan on an existing image
aws ecr start-image-scan \
    --repository-name <your-repository-name> \
    --image-id imageTag=latest \
    --region us-east-1
Note: Basic scans can only be run once per image per 24 hours.
Check scan status and findings
aws ecr describe-image-scan-findings \
    --repository-name <your-repository-name> \
    --image-id imageTag=latest \
    --region us-east-1
Enable scan-on-push for all repositories in a region
for repo in $(aws ecr describe-repositories --region us-east-1 --query 'repositories[].repositoryName' --output text); do
    echo "Enabling scan-on-push for $repo..."
    aws ecr put-image-scanning-configuration \
        --repository-name "$repo" \
        --image-scanning-configuration scanOnPush=true \
        --region us-east-1
done
Get summary of vulnerabilities across all repositories
for repo in $(aws ecr describe-repositories --region us-east-1 --query 'repositories[].repositoryName' --output text); do
    echo "=== $repo ==="
    aws ecr describe-images \
        --repository-name "$repo" \
        --region us-east-1 \
        --query 'imageDetails[*].[imageTags[0],imageScanFindingsSummary.findingSeverityCounts]' \
        --output table
done
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: ECR repository with vulnerability scanning enabled
Resources:
  MyECRRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: my-application
      ImageScanningConfiguration:
        ScanOnPush: true
      ImageTagMutability: IMMUTABLE
      EncryptionConfiguration:
        EncryptionType: KMS
      LifecyclePolicy:
        LifecyclePolicyText: |
          {
            "rules": [
              {
                "rulePriority": 1,
                "description": "Keep only 10 images",
                "selection": {
                  "tagStatus": "any",
                  "countType": "imageCountMoreThan",
                  "countNumber": 10
                },
                "action": {
                  "type": "expire"
                }
              }
            ]
          }
      Tags:
        - Key: Environment
          Value: Production
Outputs:
  RepositoryUri:
    Description: The URI of the ECR repository
    Value: !GetAtt MyECRRepository.RepositoryUri
  RepositoryArn:
    Description: The ARN of the ECR repository
    Value: !GetAtt MyECRRepository.Arn
Deploy with:
aws cloudformation deploy \
    --template-file ecr-repository.yaml \
    --stack-name ecr-secure-repository \
    --region us-east-1
Terraform (optional)
# ECR repository with vulnerability scanning enabled
resource "aws_ecr_repository" "app" {
  name                 = "my-application"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }

  encryption_configuration {
    encryption_type = "KMS"
  }

  tags = {
    Environment = "Production"
  }
}

# Lifecycle policy to limit stored images
resource "aws_ecr_lifecycle_policy" "app" {
  repository = aws_ecr_repository.app.name
  policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Keep only 10 images"
        selection = {
          tagStatus   = "any"
          countType   = "imageCountMoreThan"
          countNumber = 10
        }
        action = {
          type = "expire"
        }
      }
    ]
  })
}

output "repository_url" {
  description = "The URL of the ECR repository"
  value       = aws_ecr_repository.app.repository_url
}

output "repository_arn" {
  description = "The ARN of the ECR repository"
  value       = aws_ecr_repository.app.arn
}
Deploy with:
terraform init
terraform plan
terraform apply
Using Amazon Inspector for Enhanced Scanning
AWS recommends using Amazon Inspector for more comprehensive container scanning. Inspector provides:
- Continuous scanning (not just on push)
- Operating system and programming language package scanning
- Integration with AWS Security Hub
To enable Inspector scanning for ECR:
- Go to Amazon Inspector Console
- Click Get Started or navigate to Settings > Account management
- Enable ECR container scanning
- Inspector will automatically scan images as they are pushed
Note: Amazon Inspector has additional costs based on the number of images scanned.
Verification
After enabling scanning and remediating vulnerabilities:
- In the AWS Console:
  - Go to ECR > Repositories > [your repository] > Images
  - Check the Vulnerabilities column shows 0 or acceptable findings
  - Verify scan status shows Complete
- Test with a new image:
  - Push a new image to the repository
  - Confirm it is automatically scanned
  - Verify no critical or high vulnerabilities are found
CLI verification commands
Check if scan-on-push is enabled:
aws ecr describe-repositories \
    --repository-names <your-repository-name> \
    --region us-east-1 \
    --query 'repositories[].imageScanningConfiguration'
Expected output when enabled:
[
    {
        "scanOnPush": true
    }
]
Check scan findings for the latest image:
aws ecr describe-image-scan-findings \
    --repository-name <your-repository-name> \
    --image-id imageTag=latest \
    --region us-east-1 \
    --query '{Status: imageScanStatus.status, Findings: imageScanFindings.findingSeverityCounts}'
Expected output when clean:
{
    "Status": "COMPLETE",
    "Findings": {}
}
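The evaluation the verification commands above perform by hand, written out in Python as an added example (not Prowler's or AWS's own code): pick the most recently pushed image from the describe-images response, then fail the check unless a completed scan exists and reports nothing at or above the threshold. The FakeEcr class, its digests, dates and finding counts are constructed stand-ins for a boto3 ECR client so the block runs offline; pass a real boto3.client("ecr") to check_repository instead (the helper assumes one page of describe_images results).

```python
from datetime import datetime, timezone

# ECR severity names, least to most serious; names ECR adds later rank above all of these.
SEVERITY_ORDER = ["UNDEFINED", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def rank(severity):
    """Position in SEVERITY_ORDER; an unknown name is treated as most severe (fail closed)."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)

def latest_image(image_details):
    """Most recently pushed entry from describe-images 'imageDetails', or None if empty."""
    return max(image_details, key=lambda d: d["imagePushedAt"]) if image_details else None

def evaluate_scan(status, severity_counts, threshold="HIGH"):
    """Return (passed, reason). A missing or unfinished scan fails, it does not pass."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold {threshold!r}")
    if status != "COMPLETE":
        return False, f"scan status is {status or 'missing'}, not COMPLETE"
    hits = {sev: n for sev, n in (severity_counts or {}).items()
            if rank(sev) >= rank(threshold) and n > 0}
    if hits:
        return False, f"findings at or above {threshold}: {hits}"
    return True, f"no findings at or above {threshold}"

def check_repository(ecr, repository_name, threshold="HIGH"):
    """Run the check with a boto3 ECR client (assumes one page of describe_images results)."""
    details = ecr.describe_images(repositoryName=repository_name)["imageDetails"]
    newest = latest_image(details)
    if newest is None:
        return True, "repository has no images"
    resp = ecr.describe_image_scan_findings(
        repositoryName=repository_name, imageId={"imageDigest": newest["imageDigest"]})
    return evaluate_scan(resp.get("imageScanStatus", {}).get("status"),
                         resp.get("imageScanFindings", {}).get("findingSeverityCounts"),
                         threshold)

class FakeEcr:
    """Constructed stand-in for the boto3 client; digests, dates and counts are made up."""
    def describe_images(self, repositoryName):
        return {"imageDetails": [
            {"imageDigest": "sha256:aaaa", "imagePushedAt": datetime(2024, 1, 1, tzinfo=timezone.utc)},
            {"imageDigest": "sha256:bbbb", "imagePushedAt": datetime(2024, 3, 1, tzinfo=timezone.utc)},
        ]}
    def describe_image_scan_findings(self, repositoryName, imageId):
        return {"imageScanStatus": {"status": "COMPLETE"},
                "imageScanFindings": {"findingSeverityCounts": {"HIGH": 2, "LOW": 5}}}

if __name__ == "__main__":
    print(check_repository(FakeEcr(), "my-app"))  # (False, "findings at or above HIGH: {'HIGH': 2}")
```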
Additional Resources
- AWS Documentation: Image Scanning
- AWS Documentation: Amazon Inspector for ECR
- AWS Documentation: ECR Best Practices
- Docker Documentation: Best Practices for Writing Dockerfiles
Notes
- Scan frequency: Basic ECR scans can only run once per image per 24 hours. For continuous scanning, use Amazon Inspector.
- Scan types: ECR offers basic scanning (using Clair) and enhanced scanning (using Amazon Inspector). Enhanced scanning provides more comprehensive vulnerability detection.
- False positives: Some findings may be false positives or not applicable to your use case. Review findings carefully before dismissing them.
- Base image selection: Use minimal, well-maintained base images (like Alpine or distroless) to reduce the attack surface.
- Vulnerability remediation: To fix vulnerabilities, update your base image and/or package versions in your Dockerfile, rebuild, and push a new image.
- Severity thresholds: Configure your Prowler check to alert on the severity level appropriate for your organization (CRITICAL, HIGH, MEDIUM, etc.).
- Deprecation notice: The PutImageScanningConfiguration API is being deprecated in favor of registry-level scanning configuration via PutRegistryScanningConfiguration. Consider migrating to registry-level settings for centralized management.