Enable image scanning at ECR repository level
One of the features offered by the ECR repository is image scanning.
Amazon ECR image scanning helps in identifying software vulnerabilities in your container images.Image scanning
This time, we will enable image scanning at the ECR repository level.
Please note that this procedure is now deprecated.
For information on how to enable scanning on push in the recommended manner, please see below.
Create an ECR.
Enable scanning on image push at the repository level.
CloudFormation template files
Build the above configuration with CloudFormation.
The CloudFormation templates are located at the following URL
Explanation of key points of the template files
This page focuses on how to enable scanning on push at the repository level.
For information on how to use CloudFormation custom resources to automatically delete images in the ECR repository when deleting the CloudFormation stack, please see the following page
Resources: ECRRepository: Type: AWS::ECR::Repository Properties: ImageScanningConfiguration: ScanOnPush: true RepositoryName: !Ref PrefixCode language: YAML (yaml)
ImageScanningConfiguration property is used to configure settings related to image scanning.
This feature can be enabled by setting “true” to the ScanOnPush property.
FROM amazonlinuxCode language: Dockerfile (dockerfile)
Create your own image based on Amazon Linux 2.
Use CloudFormation to build this environment and check the actual behavior.
Create CloudFormation stacks and check resources in stack
Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page
After checking the resources in each stack, information on the main resources created this time is as follows
- ECR repository: fa-082
Check the created resources from the AWS Management Console.
Check the ECR repository.
Under Scan frequency, you will see “Scan on push”.
This indicates that this feature is enabled.
Check the details of the image scanning functionality in this repository.
Here, too, we can see that scanning is enabled on push.
On the other hand, the warnings indicate that it is deprecated to enable this feature on a per-repository basis.
Now that we are ready, we push the image to this repository.
To push, execute the following command
After pushing the image, check the repository again.
The Scan status item is “Complete”.
This indicates that the scan was performed automatically when the image was pushed.
Check the “details” under Vulnerabilities.
The detected vulnerabilities are displayed with their severity.
Thus, we have confirmed that by enabling scan on push at the ECR repository level, images can be scanned automatically.
We have confirmed how to enable scan on push at the ECR repository level and its effectiveness.