ECR image scanning should be enabled

  • GG_ID: GG_IAC_0039
  • Severity: HIGH
  • Complexity: LOW
  • Categories: SECRET
  • Providers: AWS
  • Potential data exposure: False
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: False


Amazon ECR provides the repository that stores code packaged as Docker images so that application images and artifacts can be deployed. Image scanning should be enabled with the scan_on_push parameter so that images are automatically checked for vulnerabilities against the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project. The check runs on the container image each time a new version of the image is pushed.


If image scanning is not enabled, vulnerabilities within images would not be identified for remediation.

Remediation guidelines

Enable ECR image scanning with the scan_on_push parameter.
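
The following Terraform configuration is an added example, not taken from the original page or from the tool's documentation. It assumes the Terraform AWS provider's aws_ecr_repository resource and shows two non-compliant repositories next to the remediated form. All resource and repository names are hypothetical.

```hcl
# Non-compliant: no image_scanning_configuration block, so scan on push
# is not enabled for this repository.
resource "aws_ecr_repository" "unscanned" { # hypothetical resource name
  name = "example-app"                      # hypothetical repository name
}

# Non-compliant: the block is present but scanning is explicitly disabled.
resource "aws_ecr_repository" "scan_disabled" { # hypothetical resource name
  name = "example-worker"                       # hypothetical repository name

  image_scanning_configuration {
    scan_on_push = false
  }
}

# Compliant: every image version pushed to this repository is scanned.
resource "aws_ecr_repository" "scanned" { # hypothetical resource name
  name = "example-api"                    # hypothetical repository name

  image_scanning_configuration {
    scan_on_push = true
  }
}
```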

External documentation