Ensure scan on push is enabled on Amazon Elastic Container Registry (Amazon ECR) repository

MEDIUM

Description

Amazon Elastic Container Registry (Amazon ECR) repositories can be configured to scan images automatically when they are pushed to the repository. This helps identify vulnerabilities in the images before they are used to create containers in a container environment. For more information, see the AWS ECR documentation.
References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the Amazon ECR console.
  2. From the navigation bar, select the Region in which to create your repository.
  3. In the navigation pane, select Repositories.
  4. On the Repositories page, select the repository that contains the image to scan.
  5. On the Images page, select the image to scan and then select Scan.

In Terraform -

  1. In the aws_ecr_repository resource, set 'image_scanning_configuration.scan_on_push' to 'true'.
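
The following Terraform fragment is added here as an illustration and is not part of the original policy text; it shows a repository that fails this rule beside one that satisfies it. The repository names are placeholders.

```hcl
# Non-compliant: scan_on_push is false (the same result as omitting the
# image_scanning_configuration block entirely), so images pushed to this
# repository are never scanned automatically.
resource "aws_ecr_repository" "app_noncompliant" {
  name = "example-app-noncompliant" # placeholder name

  image_scanning_configuration {
    scan_on_push = false
  }
}

# Compliant: every image pushed to this repository is scanned on arrival,
# which is what rule AC_AWS_0083 checks for.
resource "aws_ecr_repository" "app" {
  name = "example-app" # placeholder name

  image_scanning_configuration {
    scan_on_push = true
  }
}
```

Scan results are reported per image and do not block the push; a policy scanner such as the one this rule belongs to flags the first resource and accepts the second.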

References:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_repository

Policy Details

Rule Reference ID: AC_AWS_0083
CSP: AWS
Remediation Available: Yes
Resource Category: Compute

Frameworks