Ensure ECR image scan on push is enabled

Error: ECR image scan on push is not enabled

Bridgecrew Policy ID: BC_AWS_GENERAL_8
Checkov Check ID: CKV_AWS_33
Severity: HIGH

ECR image scan on push is not enabled

Description

Amazon ECR is a fully managed container registry used to store, manage and deploy container images. ECR image scanning assesses container images and identifies operating system vulnerabilities in them. With scan on push enabled, every image is scanned automatically as it is pushed, so vulnerabilities are found before the image is deployed to production. ECR APIs report the findings when a scan completes.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon ECR console.
  3. Select a repository using the radio button.
  4. Click Edit.
  5. Enable the Scan on push toggle.

CLI Command

To create a repository configured for scan on push:

aws ecr create-repository \
  --repository-name name \
  --image-scanning-configuration scanOnPush=true \
  --region us-east-2

Fix - Buildtime

Terraform

  • Resource: aws_ecr_repository
  • Argument: scan_on_push - (Required) Indicates whether images are scanned after being pushed to the repository (true) or not scanned (false).
resource "aws_ecr_repository" "example" {
  ...
  image_tag_mutability = "MUTABLE"
+  image_scanning_configuration {
+    scan_on_push = true
+  }
  ...
}

CloudFormation

  • Resource: AWS::ECR::Repository
  • Argument: Properties.ImageScanningConfiguration.ScanOnPush - (Required) Indicates whether images are scanned after being pushed to the repository (true) or not scanned (false).
Resources:
  ImageScanTrue:
    Type: AWS::ECR::Repository
    Properties: 
      ...
+     ImageScanningConfiguration:
+       ScanOnPush: true
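The runtime fix (CLI) and the buildtime fixes (Terraform, CloudFormation) above both come down to the same condition: scan on push must be explicitly set to true, and an absent configuration counts as disabled. The following example, added here and not Checkov's or Bridgecrew's own code, shows that condition applied at both stages: an audit over paginated `DescribeRepositories` responses (the API behind `aws ecr describe-repositories`), a builder for the `PutImageScanningConfiguration` parameters that remediate an existing repository, and a CloudFormation template check that mirrors the CKV_AWS_33 logic. The API responses and the template are constructed sample data embedded inline so the script runs offline with only the standard library; no Terraform (HCL) parsing is attempted.

```python
"""Audit ECR scan-on-push at runtime (API responses) and at buildtime
(CloudFormation templates). Added example, not Checkov or Bridgecrew code.
Standard library only: the API responses below are constructed samples
rather than calls made through boto3."""

from typing import Any, Dict, Iterable, List


def _truthy(value: Any) -> bool:
    """Normalise the booleans seen in CloudFormation YAML/JSON (True, "true")."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def scan_on_push_enabled_runtime(repository: Dict[str, Any]) -> bool:
    """One element of a DescribeRepositories 'repositories' list.
    A missing imageScanningConfiguration is treated as disabled (fail closed)."""
    cfg = repository.get("imageScanningConfiguration") or {}
    return _truthy(cfg.get("scanOnPush", False))


def find_unscanned_repositories(pages: Iterable[Dict[str, Any]]) -> List[str]:
    """Walk paginated DescribeRepositories responses and return the names of
    repositories that violate the policy, in the order they were returned."""
    failing: List[str] = []
    for page in pages:
        for repo in page.get("repositories", []):
            if not scan_on_push_enabled_runtime(repo):
                failing.append(repo["repositoryName"])
    return failing


def remediation_request(repository_name: str) -> Dict[str, Any]:
    """Parameters for ecr:PutImageScanningConfiguration, the API call behind
    `aws ecr put-image-scanning-configuration`; same effect as the console toggle."""
    return {
        "repositoryName": repository_name,
        "imageScanningConfiguration": {"scanOnPush": True},
    }


def audit_cloudformation(template: Dict[str, Any]) -> List[str]:
    """Return logical IDs of AWS::ECR::Repository resources that do not set
    Properties.ImageScanningConfiguration.ScanOnPush to true (CKV_AWS_33 logic).
    Non-ECR resources are ignored."""
    failing: List[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ECR::Repository":
            continue
        props = resource.get("Properties") or {}
        cfg = props.get("ImageScanningConfiguration") or {}
        if not _truthy(cfg.get("ScanOnPush", False)):
            failing.append(logical_id)
    return failing


# Constructed sample data: two pages of DescribeRepositories output. The
# 'legacy' repository has no imageScanningConfiguration key at all.
SAMPLE_PAGES = [
    {
        "repositories": [
            {"repositoryName": "api", "imageScanningConfiguration": {"scanOnPush": True}},
            {"repositoryName": "worker", "imageScanningConfiguration": {"scanOnPush": False}},
        ],
        "nextToken": "constructed-token",
    },
    {"repositories": [{"repositoryName": "legacy"}]},
]

# Constructed sample template: one compliant repository, one with no
# scanning configuration, and an unrelated resource that must be skipped.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ImageScanTrue": {
            "Type": "AWS::ECR::Repository",
            "Properties": {"ImageScanningConfiguration": {"ScanOnPush": True}},
        },
        "ImageScanMissing": {"Type": "AWS::ECR::Repository", "Properties": {}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
}

if __name__ == "__main__":
    for name in find_unscanned_repositories(SAMPLE_PAGES):
        print("runtime FAIL:", name, "->", remediation_request(name))
    for logical_id in audit_cloudformation(SAMPLE_TEMPLATE):
        print("buildtime FAIL:", logical_id)
```

Against live data the `SAMPLE_PAGES` list would be replaced by the pages yielded by a `describe_repositories` paginator, and each entry returned by `remediation_request` would be passed to `put_image_scanning_configuration`; the decision logic does not change.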