Enable ECR Image Scan on Push

Violation ID: BC_AWS_GENERAL_8

Ensure ECR Image Scanning On-push is Enabled

Description

Amazon ECR is a fully managed container registry used to store, manage and deploy container images. ECR Image Scanning assesses and identifies operating system vulnerabilities.

Rationale

Using automated image scans you can ensure container image vulnerabilities are found before getting pushed to production. ECR APIs notify if vulnerabilities were found when a scan completes.

Automated Remediation

Runtime Resource

n/a

Buildtime Resource

Terraform

Resource: aws_ecr_repository
Argument: scan_on_push - (Required) Indicates whether images are scanned after being pushed to the repository (true) or not scanned (false).

resource "aws_ecr_repository" "foo" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
+    scan_on_push = true
  }
}

Manual Remediation

Runtime Resource

Procedure

To change the policy using the AWS Console, follow these steps:

  1. Login to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the ECR console.
  3. Select a repository using the radio button.
  4. Click the Edit button.
  5. Enable the Scan on push toggle.

CLI Command

To create a repository configured for scan on push:

aws ecr create-repository --repository-name name --image-scanning-configuration scanOnPush=true --region us-east-2

Updated 4 months ago


Enable ECR Image Scan on Push


Violation ID: BC_AWS_GENERAL_8

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.