ECR image scan on push is not enabled
Description
Amazon ECR is a fully managed container registry used to store, manage and deploy container images. ECR image scanning inspects images for known operating system package vulnerabilities. With scan on push enabled, every image is scanned as it is pushed, so vulnerabilities are found before the image reaches production. When a scan completes, ECR reports the findings through its API.
Code Example
```shell
aws ecr create-repository \
  --repository-name name \
  --image-scanning-configuration scanOnPush=true \
  --region us-east-2
```
Remediation
**AWS Console**
To enable scan on push for an existing repository using the AWS Console, follow these steps:
1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
2. Open the [Amazon ECR console](https://console.aws.amazon.com/ecr/repositories).
3. Select a repository using the radio button.
4. Click **Edit**.
5. Enable the **Scan on push** toggle.
**CLI Command**
To create a repository configured for **scan on push**, run the `aws ecr create-repository` command shown in the Code Example above, replacing `name` and the region with your own values.
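The check this rule performs can be reproduced offline before a template ever reaches a pipeline. The following is an added example, not code from this page or from Checkov itself: it parses a constructed JSON-form CloudFormation template and reports every `AWS::ECR::Repository` whose `ImageScanningConfiguration` is missing or whose `ScanOnPush` is not true (the repository logical IDs and names are made up for the sample).

```python
import json

# Constructed sample CloudFormation template (JSON form): one compliant ECR
# repository, one with scanning explicitly disabled, one that omits
# ImageScanningConfiguration (ECR then defaults to no scan on push).
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "ScannedRepo": {"Type": "AWS::ECR::Repository", "Properties": {
        "RepositoryName": "app-scanned",
        "ImageScanningConfiguration": {"ScanOnPush": True}}},
    "DisabledRepo": {"Type": "AWS::ECR::Repository", "Properties": {
        "RepositoryName": "app-disabled",
        "ImageScanningConfiguration": {"ScanOnPush": "false"}}},
    "DefaultRepo": {"Type": "AWS::ECR::Repository", "Properties": {
        "RepositoryName": "app-default"}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}})


def scan_on_push_enabled(properties: dict) -> bool:
    """True only when ScanOnPush is present and truthy. CloudFormation
    accepts booleans as JSON booleans or the strings "true"/"false",
    so both spellings are normalised here."""
    cfg = properties.get("ImageScanningConfiguration") or {}
    value = cfg.get("ScanOnPush", False)
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def find_unscanned_repositories(template_json: str) -> list:
    """Logical IDs of AWS::ECR::Repository resources that would fail
    CKV_AWS_163 (missing or disabled scan on push)."""
    template = json.loads(template_json)
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ECR::Repository":
            continue
        if not scan_on_push_enabled(resource.get("Properties") or {}):
            failing.append(logical_id)
    return failing


if __name__ == "__main__":
    for repo in find_unscanned_repositories(SAMPLE_TEMPLATE):
        print(f"FAILED CKV_AWS_163: {repo} does not enable scan on push")
```

Running the sample flags `DisabledRepo` and `DefaultRepo` and passes `ScannedRepo`; non-ECR resources are ignored.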
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0212 |
| Severity | HIGH |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_163 |