Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry service for storing, managing and deploying Docker container images on the AWS platform. Images are stored with versioning, and the service is integrated with Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) so that registered containers can be deployed automatically.
Amazon ECR stores container images on Amazon S3, so it inherits all the reliability and durability features that Amazon S3 provides.
Without paying anything extra or deploying a third-party scanning tool, you can use Amazon ECR image scanning to check your Docker container images against Common Vulnerabilities and Exposures (CVEs). Amazon ECR uses the CVE database from the open-source CoreOS Clair project, provides you with a list of scan findings and scores each vulnerability. Amazon ECR supports static container image scanning for major versions of the Amazon Linux, Amazon Linux 2, Debian, Ubuntu, CentOS, Oracle Linux, Alpine and RHEL Linux distributions.
You can either trigger the scanning of images stored in Amazon ECR manually, or configure your container repository to scan images automatically when you push them to the repository. The first command below starts a one-off scan of a tagged image; the second enables scan-on-push for a repository:
aws ecr start-image-scan --repository-name name --image-id imageTag=tag_name --region us-east-2
aws ecr put-image-scanning-configuration --repository-name name --image-scanning-configuration scanOnPush=true --region us-east-2
You can access scan results and findings from the AWS Management Console, or retrieve image scan findings via the AWS CLI.
You can integrate Amazon ECR with Amazon EventBridge to take automatic actions after a scan completes. The EventBridge integration lets you run auto-remediation actions or send notifications and alerts to users.
If you are obliged to retain previous scan results, you can use the following AWS CloudFormation template to store the findings in an S3 bucket automatically after every scan.
The CloudFormation template deploys four components: an ECR repository, an EventBridge rule, a Lambda function and an S3 bucket.
This CloudFormation template creates an ECR repository, EventBridge rule, Lambda function and S3 bucket to save ECR image scan results to the S3 bucket: github.com/sufleio/ecr-scan-saver
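As an added example (not the code from the sufleio/ecr-scan-saver template or any other code on this page), here is the core of a Python Lambda handler for the EventBridge "ECR Image Scan" event: it validates the event, archives the completed scan's severity counts to S3 under a time-ordered key, and flags images whose worst finding exceeds a severity threshold so a remediation rule can act on the record. The SCAN_BUCKET environment variable and the my-app repository are assumptions; the sample event is constructed.

```python
import json
import os
from datetime import datetime

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]  # worst first

# Constructed "ECR Image Scan" event in the shape EventBridge delivers it; every value is made up.
SAMPLE_EVENT = {
    "source": "aws.ecr", "detail-type": "ECR Image Scan", "time": "2021-03-01T12:00:00Z",
    "detail": {"scan-status": "COMPLETE", "repository-name": "my-app",
               "image-digest": "sha256:" + "ab" * 32, "image-tags": ["v1.2.3", "latest"],
               "finding-severity-counts": {"CRITICAL": 1, "HIGH": 3, "MEDIUM": 7, "LOW": 2}},
}

def parse_scan_event(event):
    """Reject anything but a completed ECR scan event and return the fields worth archiving."""
    if event.get("source") != "aws.ecr" or event.get("detail-type") != "ECR Image Scan":
        raise ValueError("not an ECR Image Scan event")
    d = event["detail"]
    if d.get("scan-status") != "COMPLETE":  # a FAILED scan carries no counts; never archive it as clean
        raise ValueError("scan not complete: %s" % d.get("scan-status"))
    counts = d.get("finding-severity-counts", {})
    return {"repository": d["repository-name"], "digest": d["image-digest"], "time": event["time"],
            "tags": list(d.get("image-tags", [])), "counts": {s: int(counts.get(s, 0)) for s in SEVERITY_ORDER}}

def worst_severity(counts):  # most severe level with at least one finding, None for a clean image
    return next((s for s in SEVERITY_ORDER if counts.get(s, 0) > 0), None)

def violates_policy(counts, max_allowed="MEDIUM"):  # gate an auto-remediation rule can key on
    worst = worst_severity(counts)
    return worst is not None and SEVERITY_ORDER.index(worst) < SEVERITY_ORDER.index(max_allowed)

def s3_key_for(scan):  # <repo>/<YYYY/MM/DD>/<digest-hex>.json: one record per image per scan day
    day = datetime.strptime(scan["time"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y/%m/%d")
    return "%s/%s/%s.json" % (scan["repository"], day, scan["digest"].split(":", 1)[1])

def archive_scan(event, put_object):
    """Parse, evaluate and persist through put_object(key, bytes); returns (key, record)."""
    scan = parse_scan_event(event)
    record = dict(scan, worst_severity=worst_severity(scan["counts"]),
                  policy_violation=violates_policy(scan["counts"]))
    key = s3_key_for(scan)
    put_object(key, json.dumps(record, indent=2).encode())
    return key, record

def lambda_handler(event, context):  # Lambda entry point; SCAN_BUCKET is a hypothetical env var
    import boto3  # present in the Lambda runtime; not needed to run the rest of this file offline
    s3, bucket = boto3.client("s3"), os.environ["SCAN_BUCKET"]
    return archive_scan(event, lambda k, b: s3.put_object(Bucket=bucket, Key=k, Body=b))[0]
```

The event only carries severity counts; if you also need the full finding list, the handler can call ECR's DescribeImageScanFindings for the same repository and digest before writing the record.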
You can get more information about Amazon ECR container image scanning from the following links:
Once a software developer and now an AWS Certified Solutions Architect Professional, Gizem is always eager to take on professional challenges. Her meticulousness in her work goes hand in hand with her passion for learning and sharing her knowledge with tech-savvy professionals and communities.