v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 1 ECR private repositories should have image scanning configured

Description

This control checks whether a private ECR repository has image scanning configured. This control fails if a private ECR repository doesn't have image scanning configured.

ECR image scanning helps in identifying software vulnerabilities in your container images. ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. Enabling image scanning on ECR repositories adds a layer of verification for the integrity and safety of the images being stored.

Remediation

To configure image scanning for an ECR repository, see Image scanning in the Amazon Elastic Container Registry User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ecr_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ecr_1 --share

SQL

This control uses a named query:

ecr_repository_image_scan_on_push_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = vulnerability_patch_and_version_management
foundational_security_item_id = ecr_1
plugin = aws
service = AWS/ECR