Scan images for OS and programming language package vulnerabilities in Amazon ECR - Amazon ECR

Amazon ECR enhanced scanning is an integration with Amazon Inspector that provides vulnerability scanning for your container images. Your container images are scanned for both operating system and programming language package vulnerabilities. You can view the scan findings in both Amazon ECR and Amazon Inspector directly. For more information about Amazon Inspector, see Scanning container images with Amazon Inspector in the Amazon Inspector User Guide.

With enhanced scanning, you can choose which repositories are configured for automatic, continuous scanning and which are configured for scan on push. This is done by setting scan filters.

Considerations for enhanced scanning

Consider the following before enabling Amazon ECR enhanced scanning.

  • There is no additional cost from Amazon ECR to use this feature; however, Amazon Inspector charges for scanning your images. For more information, see Amazon Inspector pricing.

  • Enhanced scanning isn't supported in the following Regions:

    • Middle East (UAE) (me-central-1)

    • Asia Pacific (Hyderabad) (ap-south-2)

    • Israel (Tel Aviv) (il-central-1)

    • Asia Pacific (Melbourne) (ap-southeast-4)

    • Europe (Spain) (eu-south-2)

  • Amazon Inspector supports scanning for specific operating systems. For a full list, see Supported operating systems - Amazon ECR scanning in the Amazon Inspector User Guide.

  • Amazon Inspector uses a service-linked IAM role, which grants the permissions needed to perform enhanced scanning for your repositories. The service-linked IAM role is created automatically by Amazon Inspector when enhanced scanning is turned on for your private registry. For more information, see Using service-linked roles for Amazon Inspector in the Amazon Inspector User Guide.

  • When you initially turn on enhanced scanning for your private registry, Amazon Inspector only recognizes images pushed to Amazon ECR in the last 30 days, based on the image push timestamp, or pulled in the last 90 days. Older images will have the SCAN_ELIGIBILITY_EXPIRED scan status. If you'd like these images to be scanned by Amazon Inspector, push them to your repository again.

  • All images pushed to Amazon ECR after enhanced scanning is turned on are continually scanned for the configured duration. By default, the duration is Lifetime. This setting can be configured using the Amazon Inspector console. For more information, see Changing the enhanced scanning duration for images in Amazon Inspector.

  • When enhanced scanning is turned on for your Amazon ECR private registry, repositories matching the scan filters are scanned using enhanced scanning only. Any repositories that don't match a filter will have an Off scan frequency and won't be scanned. Manual scans using enhanced scanning aren't supported. For more information, see Filters to choose which repositories are scanned in Amazon ECR.

  • If you specify separate filters for scan on push and continuous scanning where multiple filters match the same repository, then Amazon ECR enforces the continuous scanning filter over the scan on push filter for that repository.

  • When enhanced scanning is turned on, Amazon ECR sends an event to EventBridge when the scan frequency for a repository is changed. Amazon Inspector emits events to EventBridge when an initial scan is completed and when an image scan finding is created, updated, or closed.
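To make the filter precedence described above concrete, the following added example (not code from the Amazon ECR documentation or service) resolves the effective scan frequency of a repository from a registry scanning configuration in the shape accepted by the PutRegistryScanningConfiguration API. The repository names and filters are constructed, and the wildcard matcher treats only `*` as special, which is an assumption about ECR's filter semantics.

```python
import json
import re
from typing import Dict, List

# Scan frequency values as used in the registry scanning configuration API.
CONTINUOUS_SCAN = "CONTINUOUS_SCAN"
SCAN_ON_PUSH = "SCAN_ON_PUSH"
# Not an API value: label for the "Off" state shown for unmatched repositories.
OFF = "OFF"

# Constructed example: enhanced scanning with two overlapping filter rules.
SCANNING_CONFIGURATION = {
    "scanType": "ENHANCED",
    "rules": [
        {"scanFrequency": SCAN_ON_PUSH,
         "repositoryFilters": [{"filter": "*-api", "filterType": "WILDCARD"}]},
        {"scanFrequency": CONTINUOUS_SCAN,
         "repositoryFilters": [{"filter": "prod-*", "filterType": "WILDCARD"}]},
    ],
}

def wildcard_match(pattern: str, repository: str) -> bool:
    """Match a WILDCARD filter where only '*' is special (assumed semantics)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, repository) is not None

def effective_scan_frequency(config: dict, repository: str) -> str:
    """Resolve the frequency ECR applies to one repository.

    Continuous scanning wins over scan on push when rules for both match;
    a repository matched by no rule is not scanned (Off).
    """
    matched = {
        rule["scanFrequency"]
        for rule in config["rules"]
        for f in rule["repositoryFilters"]
        if f["filterType"] == "WILDCARD" and wildcard_match(f["filter"], repository)
    }
    if CONTINUOUS_SCAN in matched:
        return CONTINUOUS_SCAN
    if SCAN_ON_PUSH in matched:
        return SCAN_ON_PUSH
    return OFF

def scan_frequency_report(config: dict, repositories: List[str]) -> Dict[str, str]:
    """Audit helper: effective frequency for each repository name."""
    return {name: effective_scan_frequency(config, name) for name in repositories}

if __name__ == "__main__":
    print(json.dumps(SCANNING_CONFIGURATION, indent=2))
    print(scan_frequency_report(SCANNING_CONFIGURATION,
                                ["prod-api", "dev-api", "sandbox-tools"]))
```

The report is a quick audit for repositories you expect to be covered but that fall into the Off state because no filter matches them.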