Control: ECR repositories should have image scan on push enabled
Description
Ensure AWS Elastic Container Registry (ECR) repositories have image scanning enabled. The rule is non-compliant if image scanning is not enabled for the ECR repository.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.ecr_repository_image_scan_on_push_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.ecr_repository_image_scan_on_push_enabled --share
SQL
This control uses a named query:
-- Registries (per account and region) whose enhanced scanning configuration
-- has a rule that scans on push or continuously. 'distinct' keeps a registry
-- with several matching rules from duplicating its repositories in the join.
with check_enhanced_scanning as (
  select distinct
    registry_id,
    region
  from
    aws_ecr_registry_scanning_configuration,
    jsonb_array_elements(scanning_configuration -> 'Rules') as r
  where
    r ->> 'ScanFrequency' = 'CONTINUOUS_SCAN'
    or r ->> 'ScanFrequency' = 'SCAN_ON_PUSH'
)
-- A repository passes when it scans on push itself, or when its registry
-- (same account and region) is covered by an enhanced scanning rule above.
select
  arn as resource,
  case
    when image_scanning_configuration ->> 'ScanOnPush' = 'true' or s.registry_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when image_scanning_configuration ->> 'ScanOnPush' = 'true' or s.registry_id is not null then title || ' scan on push enabled.'
    else title || ' scan on push disabled.'
  end as reason,
  r.region,
  r.account_id
from
  aws_ecr_repository as r
  left join check_enhanced_scanning as s on s.registry_id = r.account_id and s.region = r.region;
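The same evaluation as an added Python example (not code from the aws_compliance mod), run offline over constructed data in the shape boto3 returns for describe_repositories and get_registry_scanning_configuration (field names assumed from the boto3 API). It goes one step past the SQL by honouring a rule's WILDCARD repositoryFilters, so a registry rule scoped to "prod-*" does not mark unrelated repositories as ok; the sample is a single region.

```python
"""Evaluate the ECR scan-on-push control against constructed API responses."""
from __future__ import annotations

from fnmatch import fnmatchcase
from typing import Any

# Constructed sample, shaped like ecr.get_registry_scanning_configuration().
REGISTRY_SCANNING: dict[str, Any] = {
    "registryId": "111122223333",
    "scanningConfiguration": {
        "scanType": "ENHANCED",
        "rules": [{"scanFrequency": "CONTINUOUS_SCAN",
                   "repositoryFilters": [{"filter": "*", "filterType": "WILDCARD"}]}],
    },
}

# Constructed sample, shaped like ecr.describe_repositories()["repositories"].
REPOSITORIES: list[dict[str, Any]] = [
    {"repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/api",
     "registryId": "111122223333", "repositoryName": "api",
     "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/worker",
     "registryId": "111122223333", "repositoryName": "worker",
     "imageScanningConfiguration": {"scanOnPush": False}},  # covered by registry rule
    {"repositoryArn": "arn:aws:ecr:us-east-1:444455556666:repository/legacy",
     "registryId": "444455556666", "repositoryName": "legacy",
     "imageScanningConfiguration": {"scanOnPush": False}},  # no registry rule: alarm
]


def registry_scans_on_push(config: dict[str, Any], repo_name: str) -> bool:
    """True if an enhanced scanning rule (SCAN_ON_PUSH or CONTINUOUS_SCAN) covers
    repo_name. WILDCARD filters are assumed to glob against the repository name."""
    for rule in config.get("scanningConfiguration", {}).get("rules", []):
        if rule.get("scanFrequency") not in ("SCAN_ON_PUSH", "CONTINUOUS_SCAN"):
            continue
        filters = rule.get("repositoryFilters") or [{"filter": "*"}]
        if any(fnmatchcase(repo_name, f.get("filter", "*")) for f in filters):
            return True
    return False


def evaluate(repos: list[dict[str, Any]], registries: dict[str, dict[str, Any]]) -> dict[str, str]:
    """Map each repository ARN to 'ok' or 'alarm', mirroring the control's rule."""
    results: dict[str, str] = {}
    for repo in repos:
        per_repo = repo.get("imageScanningConfiguration", {}).get("scanOnPush") is True
        registry = registries.get(repo["registryId"])
        via_registry = registry is not None and registry_scans_on_push(registry, repo["repositoryName"])
        results[repo["repositoryArn"]] = "ok" if (per_repo or via_registry) else "alarm"
    return results


if __name__ == "__main__":
    for arn, status in evaluate(REPOSITORIES, {REGISTRY_SCANNING["registryId"]: REGISTRY_SCANNING}).items():
        print(f"{status:5} {arn}")
```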