lacework-global-805

Elastic Container Registry (ECR) private repositories should have image scanning configured (Automated)

Description

This control checks whether a private Amazon ECR repository has image scanning configured. The control fails if the private ECR repository is not configured for scan on push or continuous scanning.

ECR image scanning helps identify software vulnerabilities in container images. ECR uses the Common Vulnerabilities and Exposures (CVE) database from the open source Clair project (https://github.com/quay/clair) and provides a list of scan findings.

Configuring image scanning on ECR repositories adds a layer of verification for the integrity and safety of the stored images.

Remediation

From the AWS console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Containers > Elastic Container Registry.
  4. Click the name of the repository without image scanning configured.
  5. Click the Edit button.
  6. Under the Image scan settings heading, set the Scan on push radio button to Enabled.
  7. Click Save.

From CLI:

For each repository in violation, run the following command:

aws ecr put-image-scanning-configuration --repository-name <repo_name> --image-scanning-configuration scanOnPush=true
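
The following is an added audit helper, not part of the Lacework control or the AWS CLI: it evaluates constructed `aws ecr describe-repositories` and `aws ecr get-registry-scanning-configuration` output offline, treats a repository as passing when either repository-level scan on push is enabled or a registry-level SCAN_ON_PUSH/CONTINUOUS_SCAN rule matches it (the registry-configuration field names and the fnmatch approximation of ECR wildcard filters are assumptions), and emits the page's put-image-scanning-configuration command for each repository still in violation.

```python
import fnmatch
import json

# Constructed sample in the shape of `aws ecr describe-repositories` (fields used here only).
DESCRIBE_REPOSITORIES = json.loads("""
{"repositories": [
  {"repositoryName": "payments/api", "imageScanningConfiguration": {"scanOnPush": true}},
  {"repositoryName": "legacy/batch", "imageScanningConfiguration": {"scanOnPush": false}},
  {"repositoryName": "team-a/web", "imageScanningConfiguration": {"scanOnPush": false}}
]}""")

# Constructed sample in the shape of `aws ecr get-registry-scanning-configuration`
# (field names assumed from the AWS CLI output): rules select repositories by
# wildcard filter; a MANUAL rule does not count as scan-on-push or continuous scanning.
REGISTRY_SCANNING = json.loads("""
{"scanningConfiguration": {"scanType": "ENHANCED", "rules": [
  {"scanFrequency": "CONTINUOUS_SCAN",
   "repositoryFilters": [{"filter": "team-a/*", "filterType": "WILDCARD"}]},
  {"scanFrequency": "MANUAL",
   "repositoryFilters": [{"filter": "*", "filterType": "WILDCARD"}]}
]}}""")

SCANNING_FREQUENCIES = {"SCAN_ON_PUSH", "CONTINUOUS_SCAN"}

def registry_rule_covers(name, registry_cfg):
    """True if a registry rule with scan-on-push or continuous scanning matches `name`.
    Wildcard matching is approximated with fnmatch (an assumption about ECR semantics)."""
    for rule in registry_cfg.get("scanningConfiguration", {}).get("rules", []):
        if rule.get("scanFrequency") not in SCANNING_FREQUENCIES:
            continue
        for flt in rule.get("repositoryFilters", []):
            if fnmatch.fnmatchcase(name, flt.get("filter", "")):
                return True
    return False

def non_compliant_repositories(repos, registry_cfg):
    """Repositories with neither repository-level scanOnPush nor a covering registry rule."""
    failing = []
    for repo in repos["repositories"]:
        name = repo["repositoryName"]
        scan_on_push = repo.get("imageScanningConfiguration", {}).get("scanOnPush", False)
        if not scan_on_push and not registry_rule_covers(name, registry_cfg):
            failing.append(name)
    return failing

def remediation_commands(names):
    """The page's CLI remediation, one command per failing repository."""
    return [f"aws ecr put-image-scanning-configuration --repository-name {n} "
            "--image-scanning-configuration scanOnPush=true" for n in names]
```

With the constructed samples only `legacy/batch` fails: `payments/api` has scan on push at the repository level and `team-a/web` is covered by the registry-level continuous-scan rule.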

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html#ecr-1
https://github.com/quay/clair
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-basic.html#image-scanning-basic-enabling
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/put-image-scanning-configuration.html