ECR image scan on push is disabled

ecr_image_scan_disabled

Severity

critical

Vendor

AWS

Resource

ECR

Description

Amazon ECR is a fully managed container registry used to store, manage and deploy container images.

Amazon ECR enhanced scanning is an integration with Amazon Inspector which provides vulnerability scanning for your container images. Your container images are scanned for both operating systems and programing language package vulnerabilities, before getting pushed to production. ECR APIs notify if vulnerabilities were found when a scan completes.

For more details, read ECR Image Scanning.

This detector reports ECR repositories (aws_ecr_repository) without scan_on_push set to true.

Examples

CloudFormation

{
  "Resources": {
    "ImageScanFalse": { (1)
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test"
      }
    },
  }
}

1	No `ImageScanningConfiguration` block with `ScanOnPush` set to true.

Resources:
  ImageScanFalse: (1)
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test"

1	No `ImageScanningConfiguration` block with `ScanOnPush` set to true.

Terraform

resource "aws_ecr_repository" "my_repo" { (1)
  name = "my_repo"
  image_tag_mutability = "MUTABLE"

  # ...
}

1	No `image_scanning_configuration` block with `scan_on_push` set to true.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "ImageScanFalse": { (1)
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test",
        "ImageScanningConfiguration": {
          "ScanOnPush": true
        }
      }
    }
  }
}

1	Add `ScanOnPush: true` to enable scan on push.

Resources:
  ImageScanFalse: (1)
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test"
      ImageScanningConfiguration:
        ScanOnPush: true

1	Add `ScanOnPush: true` to enable scan on push.

Terraform

To enable image scanning when images are pushed to the registry:

resource "aws_ecr_repository" "my_repo" {
  name = "my_repo"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true // FIXED
  }
  // ...
}

Runtime

CLI Command

When an image repository is created using the aws command, the scanOnPush could be enabled:

aws ecr create-repository \
  --repository-name my_repo
  --image-scanning-configuration scanOnPush=true \
  # ...