ECR image scanning should be enabled

• GG_ID: GG_IAC_0039
• Severity: HIGH
• Complexity: LOW
• Categories: SECRET
• Providers: AWS
• Potential data exposure: False
• Visible in logs: False
• User interaction required: False
• Privileges required: False

Description

Amazon ECR provides the repository that stores all the code that has been packaged as a Docker image in order to deploy application images and artifacts. Image scanning should be enabled with the scan_on_push parameter to automatically identify vulnerabilities within the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project. It can be checked within the container images each time a new version of an image is pushed.

Impact

Vulnerabilities within images would not be identified for remediation.

Remediation guidelines

Enable ECR image scanning with scan_on_push parameter.

External documentation

• ECR image scanning
• Clair project for vulnerabilities detection