[DEPRECATED]
This check evaluates whether each Amazon ECR repository has scan on push enabled (the repository's scanOnPush setting). With it enabled, every image pushed to the repository is automatically scanned for known vulnerabilities; without it, an image is only scanned if someone starts a scan manually.
Risk
Without scan on push, images carrying known CVEs can enter the registry and be deployed without anyone noticing. An attacker who can reach a workload built from such an image can exploit the vulnerable package for code execution and then move laterally from the container. Because the vulnerability is discovered late, if at all, the window of exposure is longer and remediation starts later than it needs to.
prowler aws --checks ecr_repositories_scan_images_on_push_enabled
Recommendation
Enable scan on push (scanOnPush) for every repository and treat the scan findings as a promotion gate: an image should not be tagged for, or deployed to, production until its scan has completed and its findings are within the agreed severity thresholds. Where available, prefer enhanced scanning (provided by Amazon Inspector), which also rescans stored images continuously as new CVEs are published rather than only at push time. Surface the findings in CI/CD so that non-compliant images are blocked or quarantined before deployment instead of being found at runtime.
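The promotion gate described above, as an added example that is not part of this page or of Prowler: it evaluates the response of boto3's `describe_image_scan_findings` against a per-severity budget, and it fails closed when the scan has not completed, so an unscanned image can never be promoted by accident. The budget values, the placeholder finding names and the sample responses are constructed for illustration; `fetch_and_evaluate` shows the real-account variant and is not exercised offline.

```python
"""Promotion gate over Amazon ECR image scan findings (added example)."""
from typing import Dict, List, Tuple

# Constructed policy: maximum allowed findings per severity; severities absent
# from the dict are unlimited. UNDEFINED (no CVSS score available) is budgeted
# at zero so unscored CVEs cannot slip through a "no HIGH/CRITICAL" rule.
DEFAULT_BUDGET: Dict[str, int] = {"CRITICAL": 0, "HIGH": 0, "UNDEFINED": 0, "MEDIUM": 5}


def evaluate_scan(resp: dict, budget: Dict[str, int] = DEFAULT_BUDGET) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons) for one scan result.

    resp has the shape of ecr.describe_image_scan_findings():
      imageScanStatus.status                   COMPLETE | IN_PROGRESS | FAILED | ...
      imageScanFindings.findingSeverityCounts  {"HIGH": 1, "MEDIUM": 3, ...}
      imageScanFindings.findings               [{"name": ..., "severity": "HIGH", ...}, ...]
    """
    reasons: List[str] = []
    status = (resp.get("imageScanStatus") or {}).get("status")
    if status != "COMPLETE":
        # No completed scan means no evidence the image is clean: refuse, never skip.
        return False, [f"scan status is {status or 'missing'}; cannot promote an unscanned image"]

    findings = resp.get("imageScanFindings") or {}
    counts = findings.get("findingSeverityCounts") or {}
    for severity, limit in budget.items():
        n = counts.get(severity, 0)
        if n > limit:
            # Name the offending findings so the CI log is actionable.
            names = sorted(f["name"] for f in findings.get("findings", []) if f.get("severity") == severity)
            reasons.append(f"{n} {severity} finding(s) exceed budget {limit}: {', '.join(names) or 'names not listed'}")
    return (not reasons), reasons


def fetch_and_evaluate(ecr, repository: str, tag: str, budget: Dict[str, int] = DEFAULT_BUDGET) -> Tuple[bool, List[str]]:
    """Real-account variant: wait for the push-triggered scan to finish, then gate on it.

    image_scan_complete is boto3's ECR waiter; it raises WaiterError if the scan
    ends in a failed state, which the CI job should also treat as a blocked promotion.
    The gate reads findingSeverityCounts, so the first page of findings is enough.
    """
    image = {"imageTag": tag}
    ecr.get_waiter("image_scan_complete").wait(repositoryName=repository, imageId=image)
    resp = ecr.describe_image_scan_findings(repositoryName=repository, imageId=image)
    return evaluate_scan(resp, budget)


# Constructed sample responses; the finding names are placeholders, not real CVE ids.
SCAN_WITH_HIGH = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 3, "LOW": 12},
        "findings": [
            {"name": "EXAMPLE-FINDING-1", "severity": "HIGH"},
            {"name": "EXAMPLE-FINDING-2", "severity": "MEDIUM"},
        ],
    },
}
SCAN_PENDING = {"imageScanStatus": {"status": "IN_PROGRESS"}}
SCAN_CLEAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"LOW": 2}, "findings": []},
}


if __name__ == "__main__":
    for label, resp in [("high", SCAN_WITH_HIGH), ("pending", SCAN_PENDING), ("clean", SCAN_CLEAN)]:
        allowed, reasons = evaluate_scan(resp)
        print(f"{label:8s} {'PROMOTE' if allowed else 'BLOCK'} {reasons}")
```

In a pipeline, run `fetch_and_evaluate` right after the push step and make the job fail on `allowed == False`; the budget is the place to encode the severity thresholds agreed with the application team.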
Remediation
aws ecr put-image-scanning-configuration --repository-name <repo_name> --image-scanning-configuration scanOnPush=true
Note that AWS documents this per-repository API as deprecated in favour of the registry-level scanning configuration (put-registry-scanning-configuration), which applies scan-on-push rules to every matching repository at once; the per-repository setting above still works, but new automation should prefer the registry-level rule.
- Open the AWS Console and go to Amazon ECR
- Click Repositories and select the target repository
- Click Edit
- Enable the Scan on push toggle
- Click Save
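The remediation procedure above, applied to a whole account, as an added example that is not Prowler's check implementation nor AWS-provided code. The audit walks the pages returned by boto3's `describe_repositories` paginator and the fix calls `put_image_scanning_configuration`, both real boto3 ECR calls. A constructed `FakeEcr` stands in for `boto3.client("ecr")` so the script runs offline; the repository names in it are made up.

```python
"""Audit ECR repositories for scan on push and enable it where it is off (added example)."""
from typing import Dict, Iterable, List, Optional


def repos_missing_scan_on_push(pages: Iterable[dict]) -> List[str]:
    """Return repository names whose imageScanningConfiguration.scanOnPush is not True.

    A missing or empty configuration block is treated as disabled (fail closed).
    """
    missing: List[str] = []
    for page in pages:
        for repo in page.get("repositories", []):
            cfg = repo.get("imageScanningConfiguration") or {}
            if cfg.get("scanOnPush") is not True:
                missing.append(repo["repositoryName"])
    return missing


def enable_scan_on_push(ecr, repo_names: Iterable[str]) -> Dict[str, bool]:
    """Enable scanOnPush on each named repository; returns the value the API echoes back.

    This is the per-repository API used on this page. AWS now documents it as
    deprecated in favour of put_registry_scanning_configuration, which applies
    scan-on-push rules registry-wide, so new automation should prefer that.
    """
    result: Dict[str, bool] = {}
    for name in repo_names:
        resp = ecr.put_image_scanning_configuration(
            repositoryName=name,
            imageScanningConfiguration={"scanOnPush": True},
        )
        result[name] = bool(resp["imageScanningConfiguration"]["scanOnPush"])
    return result


def run_audit_and_fix(ecr) -> Dict[str, bool]:
    """Audit every repository (all pages) and remediate the non-compliant ones."""
    pages = ecr.get_paginator("describe_repositories").paginate()
    return enable_scan_on_push(ecr, repos_missing_scan_on_push(pages))


class _FakePaginator:
    def __init__(self, pages: List[dict]):
        self._pages = pages

    def paginate(self, **kwargs) -> Iterable[dict]:
        return iter(self._pages)


class FakeEcr:
    """Constructed stand-in for boto3's ECR client with just the two calls used above."""

    def __init__(self, repos: Dict[str, Optional[dict]]):
        self.repos = dict(repos)  # repositoryName -> imageScanningConfiguration (or None)

    def get_paginator(self, operation_name: str) -> _FakePaginator:
        assert operation_name == "describe_repositories"
        items = [{"repositoryName": n, "imageScanningConfiguration": c} for n, c in self.repos.items()]
        # Split across two pages so the pagination handling is actually exercised.
        return _FakePaginator([{"repositories": items[:2]}, {"repositories": items[2:]}])

    def put_image_scanning_configuration(self, repositoryName: str, imageScanningConfiguration: dict) -> dict:
        self.repos[repositoryName] = dict(imageScanningConfiguration)
        return {"repositoryName": repositoryName, "imageScanningConfiguration": dict(imageScanningConfiguration)}


# Constructed inventory: one compliant repository, one with scanning off, one with no configuration at all.
SAMPLE_REPOS: Dict[str, Optional[dict]] = {
    "payments-api": {"scanOnPush": True},
    "legacy-batch": {"scanOnPush": False},
    "sidecar-proxy": None,
}


if __name__ == "__main__":
    client = FakeEcr(SAMPLE_REPOS)  # real run: client = boto3.client("ecr")
    print("before:", repos_missing_scan_on_push(client.get_paginator("describe_repositories").paginate()))
    print("fixed: ", run_audit_and_fix(client))
    print("after: ", repos_missing_scan_on_push(client.get_paginator("describe_repositories").paginate()))
```

Re-running the audit after the fix is the check a practitioner wants: the second `repos_missing_scan_on_push` call should come back empty, and it is what the Prowler check itself will confirm on its next run.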
Resource Type
AwsEcrRepository