Basic scanning
The improved basic scanning feature is in preview release for Amazon ECR and is subject to change. During this public preview, you can only use the Amazon Web Services Management Console to opt in to the improved basic scanning version.
Amazon ECR provides two versions of basic scanning, both of which use the Common Vulnerabilities and Exposures (CVEs) database: the current generally available (GA) version, which uses the open-source Clair project, and a newly improved version of basic scanning (in preview) that uses our Amazon native technology. With either version of Amazon ECR basic scanning enabled on your private registry, you can configure repository filters to specify which repositories are set to scan on push, or you can perform manual scans. Amazon ECR provides a list of scan findings. Each container image may be scanned once per 24 hours. You can review the scan findings for information about the security of the container images that are being deployed by using the DescribeImageScanFindings API or within the console. For more information about Clair, see Clair.
Amazon ECR uses the severity for a CVE from the upstream distribution source if available; otherwise, it uses the Common Vulnerability Scoring System (CVSS) score. The CVSS score can be used to obtain the NVD vulnerability severity rating. For more information, see NVD Vulnerability Severity Ratings.
Any repositories not matching a scan on push filter are set to the manual scan frequency, which means that to scan an image in them you must trigger the scan manually. The last completed image scan findings can be retrieved for each image. Amazon ECR sends an event to Amazon EventBridge (formerly called CloudWatch Events) when an image scan is completed. For more information, see Amazon ECR events and EventBridge.
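The following is an added example, not code from the Amazon ECR documentation, showing how the scan on push repository filters described above are expressed for a private registry and how to check, before applying them, which repositories will scan on push and which will fall back to the manual scan frequency. The request shape follows the PutRegistryScanningConfiguration API; the offline matcher is an assumption that approximates ECR's WILDCARD filter semantics with shell-style globbing, so treat it as a pre-flight check rather than as ECR's own matching logic. The filter patterns and repository names are constructed.

```python
"""Basic scan-on-push filters for a private Amazon ECR registry.

Added example (not from the Amazon ECR documentation).  The configuration
shape follows PutRegistryScanningConfiguration; the offline matcher is an
assumption that approximates ECR's WILDCARD filters with shell-style globs.
"""
from fnmatch import fnmatchcase

# Constructed configuration: basic scanning, scan on push only for repositories
# whose names match these wildcard filters.  Everything else falls back to the
# manual scan frequency described in the text.
SCAN_ON_PUSH_FILTERS = ["prod/*", "payments-*"]


def build_basic_scanning_configuration(filters):
    """Return the request body for PutRegistryScanningConfiguration."""
    return {
        "scanType": "BASIC",
        "rules": [
            {
                "scanFrequency": "SCAN_ON_PUSH",
                "repositoryFilters": [
                    {"filter": f, "filterType": "WILDCARD"} for f in filters
                ],
            }
        ],
    }


def scan_frequency_for(repository_name, filters):
    """Predict whether a repository scans on push or only on manual trigger.

    Assumption: WILDCARD filters behave like shell globs ('*' matches any run
    of characters).  A repository matching no filter is MANUAL, as the text
    above states.
    """
    for pattern in filters:
        if fnmatchcase(repository_name, pattern):
            return "SCAN_ON_PUSH"
    return "MANUAL"


def classify_repositories(repository_names, filters):
    """Map every repository name to its predicted scan frequency."""
    return {name: scan_frequency_for(name, filters) for name in repository_names}


def apply_configuration(filters, region_name):
    """Push the configuration to the registry with boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline helpers work without it

    ecr = boto3.client("ecr", region_name=region_name)
    return ecr.put_registry_scanning_configuration(
        **build_basic_scanning_configuration(filters)
    )


if __name__ == "__main__":
    # Constructed repository names; 'dev/api' matches no filter and stays manual.
    repos = ["prod/api", "prod/worker", "payments-gateway", "dev/api"]
    for repo, freq in classify_repositories(repos, SCAN_ON_PUSH_FILTERS).items():
        print(f"{repo:20s} -> {freq}")
```

Running the classifier over your repository inventory before calling `apply_configuration` surfaces repositories that would silently end up on the manual frequency, which is the usual reason an image never gets a scan finding.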
Important
The new version of basic scanning is supported in the following regions:
- Asia Pacific (Hong Kong) (ap-east-1)
- Europe (Stockholm) (eu-north-1)
- Middle East (Bahrain) (me-south-1)
- Asia Pacific (Mumbai) (ap-south-1)
- Europe (Paris) (eu-west-3)
- Amazon GovCloud (US-East) (us-gov-east-1)
- Africa (Cape Town) (af-south-1)
- Asia Pacific (Jakarta) (ap-southeast-3)
- Europe (Frankfurt) (eu-central-1)
- Europe (Ireland) (eu-west-1)
- South America (São Paulo) (sa-east-1)
- US East (Ohio) (us-east-2)
- Amazon GovCloud (US-West) (us-gov-west-1)
- Asia Pacific (Tokyo) (ap-northeast-1)
- Asia Pacific (Seoul) (ap-northeast-2)
- Asia Pacific (Osaka) (ap-northeast-3)
- Europe (Milan) (eu-south-1)
- Europe (London) (eu-west-2)
- US East (N. Virginia) (us-east-1)
- Asia Pacific (Singapore) (ap-southeast-1)
- Asia Pacific (Sydney) (ap-southeast-2)
- Canada (Central) (ca-central-1)
- US West (N. California) (us-west-1)
- US West (Oregon) (us-west-2)
- Europe (Zurich) (eu-central-2)
For troubleshooting details for some common issues when scanning images, see Troubleshooting image scanning issues.
As a security best practice and for continued coverage, we recommend that you continue to use supported versions of an operating system. In accordance with vendor policy, discontinued operating systems are no longer updated with patches and, in many cases, new security advisories are no longer released for them. In addition, some vendors remove existing security advisories and detections from their feeds when an affected operating system reaches the end of standard support. Once a distribution loses support from its vendor, Amazon ECR may no longer support scanning it for vulnerabilities. Any findings that Amazon ECR does generate for a discontinued operating system should be used for informational purposes only. Listed below are the current supported operating systems and versions.
Operating System | Version |
---|---|
Alpine Linux (Alpine) | 3.19 |
Alpine Linux (Alpine) | 3.18 |
Alpine Linux (Alpine) | 3.17 |
Alpine Linux (Alpine) | 3.16 |
Amazon Linux 2 (AL2) | AL2 |
Amazon Linux 2023 (AL2023) | AL2023 |
CentOS Linux (CentOS) | 7 |
Debian Server (Bookworm) | 12 |
Debian Server (Bullseye) | 11 |
Debian Server (Buster) | 10 |
Oracle Linux (Oracle) | 9 |
Oracle Linux (Oracle) | 8 |
Oracle Linux (Oracle) | 7 |
Ubuntu (Lunar) | 23.04 |
Ubuntu (Jammy) | 22.04 (LTS) |
Ubuntu (Focal) | 20.04 (LTS) |
Ubuntu (Bionic) | 18.04 (ESM) |
Ubuntu (Xenial) | 16.04 (ESM) |
Ubuntu (Trusty) | 14.04 (ESM) |
Red Hat Enterprise Linux (RHEL) | 7 |
Red Hat Enterprise Linux (RHEL) | 8 |
Red Hat Enterprise Linux (RHEL) | 9 |
Using basic scanning
Manually scanning an image
You can start image scans manually when you want to scan images in repositories that aren't configured to scan on push. An image can only be scanned once each day. This limit includes the initial scan on push, if configured, and any manual scans.
For troubleshooting details for some common issues when scanning images, see Troubleshooting image scanning issues.
Retrieving image scan findings
You can retrieve the scan findings for the last completed image scan. The findings list by severity the software vulnerabilities that were discovered, based on the Common Vulnerabilities and Exposures (CVEs) database.
For troubleshooting details for some common issues when scanning images, see Troubleshooting image scanning issues.
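The following is an added example, not code from the Amazon ECR documentation, that ties together the two procedures above (manually scanning an image, then retrieving the findings for the last completed scan) and the EventBridge scan-completed event mentioned earlier. It triggers a manual scan with boto3, tolerates the once-per-day limit by falling back to the stored findings, waits for completion, and evaluates the findings against a severity threshold; the same threshold check is applied to an "ECR Image Scan" EventBridge event so that a rule target can gate deployments. The response and event shapes follow DescribeImageScanFindings and the ECR scan event, but the sample response, sample event, CVE identifiers, digest and the MAX_ALLOWED thresholds are constructed assumptions.

```python
"""Manual scan, findings retrieval and a severity policy for ECR basic scanning.

Added example, not from the Amazon ECR documentation.  The sample response
and event below are constructed, and MAX_ALLOWED is an assumed policy.
"""
from collections import Counter

# Assumed policy: the image is rejected if a severity bucket exceeds its limit.
MAX_ALLOWED = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 10}


def summarize_findings(response):
    """Count findings by severity and list the CVE names in each bucket."""
    findings = response.get("imageScanFindings", {}).get("findings", [])
    counts = Counter(f["severity"] for f in findings)
    by_severity = {}
    for f in findings:
        by_severity.setdefault(f["severity"], []).append(f["name"])
    return dict(counts), by_severity


def policy_violations(counts, max_allowed=MAX_ALLOWED):
    """Return the severities whose count exceeds the configured limit."""
    return sorted(s for s, limit in max_allowed.items() if counts.get(s, 0) > limit)


def handle_scan_event(event, max_allowed=MAX_ALLOWED):
    """Evaluate an EventBridge 'ECR Image Scan' event against the policy.

    Returns (repository, digest, violations).  A scan that did not complete
    carries no counts to judge, so violations is None for it.
    """
    detail = event["detail"]
    if detail.get("scan-status") != "COMPLETE":
        return detail["repository-name"], detail["image-digest"], None
    counts = detail.get("finding-severity-counts", {})
    return detail["repository-name"], detail["image-digest"], policy_violations(counts, max_allowed)


def scan_and_fetch_findings(repository_name, image_digest, region_name):
    """Trigger a manual scan, wait for it and return the DescribeImageScanFindings response.

    Uses boto3 (imported lazily; needs AWS credentials).  An image may only be
    scanned once per 24 hours, so a second StartImageScan raises
    LimitExceededException; the last completed findings are still retrievable.
    """
    import boto3

    ecr = boto3.client("ecr", region_name=region_name)
    image_id = {"imageDigest": image_digest}
    try:
        ecr.start_image_scan(repositoryName=repository_name, imageId=image_id)
    except ecr.exceptions.LimitExceededException:
        pass  # already scanned today; fall through to the stored findings
    ecr.get_waiter("image_scan_complete").wait(repositoryName=repository_name, imageId=image_id)
    return ecr.describe_image_scan_findings(repositoryName=repository_name, imageId=image_id)


# Constructed sample response in the DescribeImageScanFindings shape (placeholder CVE names).
SAMPLE_RESPONSE = {
    "imageScanFindings": {
        "findings": [
            {"name": "CVE-0000-0001", "severity": "HIGH", "uri": "https://example.invalid/cve-1"},
            {"name": "CVE-0000-0002", "severity": "MEDIUM"},
            {"name": "CVE-0000-0003", "severity": "MEDIUM"},
        ],
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 2},
    }
}

# Constructed sample EventBridge event in the "ECR Image Scan" shape (placeholder digest).
SAMPLE_EVENT = {
    "source": "aws.ecr",
    "detail-type": "ECR Image Scan",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "prod/api",
        "image-digest": "sha256:PLACEHOLDER",
        "image-tags": ["v1.2.3"],
        "finding-severity-counts": {"CRITICAL": 1, "MEDIUM": 3},
    },
}

if __name__ == "__main__":
    counts, by_sev = summarize_findings(SAMPLE_RESPONSE)
    print(counts, by_sev, policy_violations(counts))
    print(handle_scan_event(SAMPLE_EVENT))
```

Because ECR only returns the last completed scan, `scan_and_fetch_findings` catches the once-per-day limit rather than treating it as a failure; a pipeline that retries the scan on every build would otherwise break on the second run of the day.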