Ensure that all your Amazon ECR container images are automatically scanned for security vulnerabilities and exposures after being pushed to a repository. Scan on Push for Amazon ECR is an automated vulnerability assessment feature that improves the security of your ECR container images by scanning them for a broad range of Operating System (OS) package vulnerabilities as soon as they are pushed to an ECR repository. ECR basic scanning uses the Common Vulnerabilities and Exposures (CVE) database from Clair, an open source project for static analysis of security issues in appc and Docker containers; note that basic scanning covers OS packages only, not application-language dependencies inside the image.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
For the security and compliance status of your applications it is crucial to detect and respond to Amazon ECR container image vulnerabilities early in the deployment pipeline. When the Scan on Push feature is enabled, every image is scanned automatically right after it is pushed to your Amazon ECR repository, so findings are available before the image is deployed. If Scan on Push is disabled on a repository, each image scan must be started manually to obtain results, and basic scanning allows only one manual scan per image every 24 hours, so images that nobody remembers to scan simply go unscanned.
To determine if the Scan on Push feature is enabled for your Amazon ECR image repositories, perform the following operations:
Remediation / Resolution
Amazon ECR Scan on Push helps you identify software vulnerabilities within your container images by checking each image against an aggregated set of Common Vulnerabilities and Exposures (CVEs). To configure each Amazon ECR repository to automatically scan your container images for security vulnerabilities when you push them to the repository, perform the following operations:
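The audit and the remediation above both come down to one repository attribute, `imageScanningConfiguration.scanOnPush`, as returned by `aws ecr describe-repositories`. The following script is an added example, not Conformity's own check or AWS code: it evaluates a `describe-repositories` response against this rule (a repository passes only when `scanOnPush` is explicitly `true`; a missing block counts as disabled) and emits the `put-image-scanning-configuration` command that fixes each failing repository, taking the region from the repository ARN. The embedded response is a constructed sample with placeholder account ID and repository names; to run it against a real account, save the CLI output to a file and pass its path as the first argument.

```python
"""Audit Amazon ECR repositories for Scan on Push and build the remediation.

Added example (not Conformity's or AWS's code). Works on the JSON shape
returned by `aws ecr describe-repositories --output json`, so it can run
offline against the constructed sample below or against a saved live response.
"""
from __future__ import annotations

import json
import sys
from typing import Dict, List

# Constructed sample in the shape of `aws ecr describe-repositories --output json`.
# Account ID, region and repository names are placeholders, not real data.
SAMPLE_DESCRIBE_REPOSITORIES: Dict = {
    "repositories": [
        {
            "registryId": "123456789012",
            "repositoryName": "payments-api",
            "repositoryArn": "arn:aws:ecr:us-east-1:123456789012:repository/payments-api",
            "imageScanningConfiguration": {"scanOnPush": True},
        },
        {
            "registryId": "123456789012",
            "repositoryName": "batch-worker",
            "repositoryArn": "arn:aws:ecr:us-east-1:123456789012:repository/batch-worker",
            "imageScanningConfiguration": {"scanOnPush": False},
        },
        {
            # No imageScanningConfiguration block at all: treated as disabled,
            # never as "unknown", so a missing field cannot pass the audit.
            "registryId": "123456789012",
            "repositoryName": "legacy-cron",
            "repositoryArn": "arn:aws:ecr:eu-west-1:123456789012:repository/legacy-cron",
        },
    ]
}


def scan_on_push_enabled(repo: Dict) -> bool:
    """True only when the repository explicitly has scanOnPush == true."""
    config = repo.get("imageScanningConfiguration") or {}
    return config.get("scanOnPush") is True


def non_compliant_repositories(describe_output: Dict) -> List[Dict]:
    """Repositories whose images are not scanned on push (rule failures)."""
    return [
        repo
        for repo in describe_output.get("repositories", [])
        if not scan_on_push_enabled(repo)
    ]


def region_of(repo: Dict) -> str:
    """Region from the ARN: arn:aws:ecr:<region>:<account>:repository/<name>."""
    return repo["repositoryArn"].split(":")[3]


def remediation_command(repo: Dict) -> str:
    """The AWS CLI call that enables Scan on Push for one repository."""
    return (
        "aws ecr put-image-scanning-configuration "
        f"--region {region_of(repo)} --repository-name {repo['repositoryName']} "
        "--image-scanning-configuration scanOnPush=true"
    )


def audit(describe_output: Dict) -> Dict:
    """Evaluate the rule and return the verdict plus the fix for each failure."""
    failing = non_compliant_repositories(describe_output)
    return {
        "compliant": not failing,
        "non_compliant": [repo["repositoryName"] for repo in failing],
        "remediation": [remediation_command(repo) for repo in failing],
    }


if __name__ == "__main__":
    # `python ecr_scan_on_push_audit.py describe.json` audits a saved live
    # response; with no argument the constructed sample is evaluated.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_DESCRIBE_REPOSITORIES
    print(json.dumps(audit(data), indent=2))
```

The same flag can be set at creation time with `aws ecr create-repository --repository-name NAME --image-scanning-configuration scanOnPush=true`, which is the better control: bake it into the IaC that creates repositories rather than relying on an after-the-fact audit. Also be aware that AWS now documents `put-image-scanning-configuration` as deprecated in favour of configuring scanning at the registry level (`put-registry-scanning-configuration`), which can apply scan-on-push rules across all repositories in the registry; the per-repository flag is still what this rule, and the audit above, evaluate.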
Enable Scan on Push for ECR Container Images
Risk level: Medium