
[DEPRECATED] Check if ECR image scan on push is enabled

ecr_repositories_scan_images_on_push_enabled

Severity: medium
Service: ecr
by Prowler


Risk

Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. Amazon ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings.

Run this check with Prowler CLI

prowler aws --checks ecr_repositories_scan_images_on_push_enabled


ARN template

arn:partition:service:region:account-id:resource-id

Remediation

CLI

aws ecr create-repository --repository-name <repo_name> --image-scanning-configuration scanOnPush=true --region <region_name>

Native IAC

https://docs.prowler.com/checks/aws/general-policies/general_8#cli-command

Terraform

https://docs.prowler.com/checks/aws/general-policies/general_8#fix---buildtime

WUI

Enable ECR image scanning and review the scan findings for information about the security of the container images that are being deployed.
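The CLI remediation above creates a new repository. For repositories that already exist, the following added example (not part of Prowler's code) reads `aws ecr describe-repositories` JSON output, lists the repositories where scan on push is not enabled, and builds the matching `aws ecr put-image-scanning-configuration` call. The sample data, account ID and function names are constructed for illustration.

```python
import json
import shlex

# Constructed sample of `aws ecr describe-repositories --output json` (not real resources).
SAMPLE = json.loads("""
{"repositories": [
  {"repositoryName": "payments-api",
   "repositoryArn": "arn:aws:ecr:eu-west-1:111122223333:repository/payments-api",
   "imageScanningConfiguration": {"scanOnPush": true}},
  {"repositoryName": "legacy/batch",
   "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/legacy/batch",
   "imageScanningConfiguration": {"scanOnPush": false}},
  {"repositoryName": "tools",
   "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/tools"}
]}
""")


def repos_without_scan_on_push(described):
    """Return (name, region) for every repository where scanOnPush is not true."""
    failing = []
    for repo in described.get("repositories", []):
        cfg = repo.get("imageScanningConfiguration") or {}
        if cfg.get("scanOnPush") is not True:  # a missing block counts as disabled
            # Region is the fourth ARN field: arn:partition:service:region:account-id:resource-id
            region = repo["repositoryArn"].split(":")[3]
            failing.append((repo["repositoryName"], region))
    return failing


def remediation_command(name, region):
    """Build the CLI call that enables scan on push on an existing repository."""
    return " ".join([
        "aws ecr put-image-scanning-configuration",
        "--repository-name", shlex.quote(name),
        "--image-scanning-configuration scanOnPush=true",
        "--region", shlex.quote(region),
    ])


if __name__ == "__main__":
    for name, region in repos_without_scan_on_push(SAMPLE):
        print(remediation_command(name, region))
```

Scan on push only applies to images pushed after the setting is enabled; images already in the repository are not rescanned by this change.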


Resource Type

AwsEcrRepository