Image scanning - Amazon ECR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Image scanning

The improved basic scanning feature is in preview release for Amazon ECR and is subject to change. During this public preview, you can only use the Amazon Web Services Management Console to opt in to the improved basic scanning version.

Amazon ECR image scanning helps identify software vulnerabilities in your container images. The following scanning types are offered.

Important

Switching between the enhanced scanning, basic scanning, and improved basic scanning versions causes previously established scans to no longer be available, so you must set up your scans again. However, if you switch back to your previous scanning version, the scans established under that version become available again.

  • Enhanced scanning—Amazon ECR integrates with Amazon Inspector to provide automated, continuous scanning of your repositories. Your container images are scanned for both operating system and programming language package vulnerabilities. As new vulnerabilities appear, the scan results are updated and Amazon Inspector emits an event to EventBridge to notify you. Enhanced scanning provides the following:

    • OS and programming language package vulnerabilities.

    • Two scanning frequencies: Scan on push and continuous scan.

  • Basic scanning—Amazon ECR provides two versions of basic scanning which use the Common Vulnerabilities and Exposures (CVEs) database; the current GA version that uses the open-source Clair project and a newly improved version of basic scanning (in preview) that uses our Amazon native technology. With basic scanning, you configure your repositories to scan on push or you can perform manual scans and Amazon ECR provides a list of scan findings. Basic scanning provides the following:

    • OS scans.

    • Two scanning frequencies: Manual and scan on push.

      Important

      The new version of basic scanning does not support imageScanFindingsSummary and imageScanStatus in the DescribeImages API. To view these, use the DescribeImageScanFindings API.

Using filters

When image scanning is configured for your private registry, you can specify that all repositories be scanned, or you can specify filters to scope which repositories are scanned.

When basic scanning is used, you can specify scan on push filters to select which repositories run an image scan when new images are pushed. Any repository not matching a basic scanning scan on push filter is set to the manual scan frequency, which means that to perform a scan you must trigger it manually.

When enhanced scanning is used, you may specify separate filters for scan on push and continuous scanning. Any repositories not matching an enhanced scanning filter will have scanning disabled. If you are using enhanced scanning and specify separate filters for scan on push and continuous scanning where multiple filters match the same repository, then Amazon ECR enforces the continuous scanning filter over the scan on push filter for that repository.

When a filter is specified, a filter with no wildcard will match all repository names that contain the filter. A filter with a wildcard (*) matches on any repository name where the wildcard replaces zero or more characters in the repository name. The following table provides examples where repository names are expressed on the horizontal axis and example filters are specified on the vertical axis.

Filter      | prod | repo-prod | prod-repo | repo-prod-repo | prodrepo
------------|------|-----------|-----------|----------------|---------
prod        | Yes  | Yes       | Yes       | Yes            | Yes
*prod       | Yes  | Yes       | No        | No             | No
prod*       | Yes  | No        | Yes       | No             | Yes
*prod*      | Yes  | Yes       | Yes       | Yes            | Yes
prod*repo   | No   | No        | Yes       | No             | Yes
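The two rules above (filter matching, and how basic versus enhanced scanning turn matching filters into an effective scan frequency for a repository) are easy to get wrong when writing a registry scanning configuration. The following script is an added example, not code from the Amazon ECR documentation or the service itself: it models the filter semantics exactly as the table describes them (a filter without a wildcard matches any name containing it; a filter with `*` is anchored to the whole name, with each `*` standing for zero or more characters) and the precedence rules from the paragraphs above. The frequency names, the `DISABLED` label for an unmatched enhanced-scanning repository, and the function names are assumptions made for this example; the script lets you dry-run a planned filter set against your repository names before applying it.

```python
"""Local model of Amazon ECR repository filter semantics and scan-frequency
precedence, as described in the "Using filters" section. This is an added
example; it is not the service's implementation and makes no API calls."""

import re
from typing import Dict, Iterable, List

# Assumed labels for the frequencies discussed in the documentation.
MANUAL = "MANUAL"
SCAN_ON_PUSH = "SCAN_ON_PUSH"
CONTINUOUS_SCAN = "CONTINUOUS_SCAN"
DISABLED = "DISABLED"  # assumed label: enhanced scanning, no filter matched


def filter_matches(filter_text: str, repository_name: str) -> bool:
    """Return True if an ECR repository filter matches a repository name.

    No wildcard: the filter matches every name that contains it as a substring.
    With '*': the filter is matched against the whole name, and each '*'
    replaces zero or more characters.
    """
    if "*" not in filter_text:
        return filter_text in repository_name
    # Escape literal parts so characters such as '.' are not treated as regex.
    pattern = "".join(".*" if ch == "*" else re.escape(ch) for ch in filter_text)
    return re.fullmatch(pattern, repository_name) is not None


def effective_frequency(repository_name: str, scan_type: str,
                        scan_on_push_filters: Iterable[str],
                        continuous_filters: Iterable[str] = ()) -> str:
    """Resolve the scan frequency a repository ends up with.

    basic:    a matching scan-on-push filter gives SCAN_ON_PUSH, otherwise MANUAL.
    enhanced: a matching continuous filter wins over a matching scan-on-push
              filter; with no match at all, scanning is disabled.
    """
    push_hit = any(filter_matches(f, repository_name) for f in scan_on_push_filters)
    if scan_type == "basic":
        return SCAN_ON_PUSH if push_hit else MANUAL
    if scan_type == "enhanced":
        cont_hit = any(filter_matches(f, repository_name) for f in continuous_filters)
        if cont_hit:
            return CONTINUOUS_SCAN
        return SCAN_ON_PUSH if push_hit else DISABLED
    raise ValueError(f"unknown scan type: {scan_type!r}")


def match_table(filters: List[str], repos: List[str]) -> Dict[str, Dict[str, bool]]:
    """Build a filter x repository matrix like the one in the documentation."""
    return {f: {r: filter_matches(f, r) for r in repos} for f in filters}


# Constructed sample: the repository names and filters from the doc table.
SAMPLE_REPOS = ["prod", "repo-prod", "prod-repo", "repo-prod-repo", "prodrepo"]
SAMPLE_FILTERS = ["prod", "*prod", "prod*", "*prod*", "prod*repo"]


def plan(scan_type: str, scan_on_push_filters: List[str],
         continuous_filters: List[str] = ()) -> Dict[str, str]:
    """Dry-run a planned filter set against the sample repository names."""
    return {r: effective_frequency(r, scan_type, scan_on_push_filters, continuous_filters)
            for r in SAMPLE_REPOS}


if __name__ == "__main__":
    header = "filter".ljust(12) + "".join(r.ljust(16) for r in SAMPLE_REPOS)
    print(header)
    for f, row in match_table(SAMPLE_FILTERS, SAMPLE_REPOS).items():
        print(f.ljust(12) + "".join(("Yes" if row[r] else "No").ljust(16) for r in SAMPLE_REPOS))
    print()
    print("basic, scan on push for '*prod':", plan("basic", ["*prod"]))
    print("enhanced, push 'prod*' + continuous 'prod*repo':",
          plan("enhanced", ["prod*"], ["prod*repo"]))
```

Running the script prints the same Yes/No matrix as the table, followed by the resolved frequency for each sample repository under a basic configuration and under an enhanced configuration where both filter kinds match `prod-repo` and `prodrepo` (continuous scanning wins there, as the text states).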