turbot/steampipe-mod-aws-compliance

Control: 1 ECR private repositories should have image scanning configured

Description

This control checks whether a private ECR repository has image scanning configured. This control fails if a private ECR repository doesn't have image scanning configured.

ECR image scanning helps in identifying software vulnerabilities in your container images. ECR uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project and provides a list of scan findings. Enabling image scanning on ECR repositories adds a layer of verification for the integrity and safety of the images being stored.

Remediation

To configure image scanning for an ECR repository, see Image scanning in the Amazon Elastic Container Registry User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ecr_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ecr_1 --share

SQL

This control uses a named query:

with check_enhanced_scanning as (
  -- distinct so that a registry with several qualifying rules does not
  -- produce duplicate repository rows through the join below
  select distinct
    registry_id,
    region
  from
    aws_ecr_registry_scanning_configuration,
    jsonb_array_elements(scanning_configuration -> 'Rules') as r
  where
    r ->> 'ScanFrequency' = 'CONTINUOUS_SCAN'
    or r ->> 'ScanFrequency' = 'SCAN_ON_PUSH'
)
select
  arn as resource,
  case
    when image_scanning_configuration ->> 'ScanOnPush' = 'true' or s.registry_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when image_scanning_configuration ->> 'ScanOnPush' = 'true' or s.registry_id is not null then title || ' scan on push enabled.'
    else title || ' scan on push disabled.'
  end as reason,
  r.region,
  r.account_id
from
  aws_ecr_repository as r
  left join check_enhanced_scanning as s on s.registry_id = r.account_id and s.region = r.region;
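
As an added example that is not part of the mod, the same pass/fail logic written in Python over constructed API responses; it goes one step beyond the named query by honouring each registry rule's repository filters, where the query counts any qualifying rule as covering every repository in the account and region. The sample repositories, the registry configuration and the glob matching of WILDCARD filters are assumptions.

```python
from fnmatch import fnmatchcase
# Constructed sample (not real account data), trimmed to the fields this check
# reads from `aws ecr describe-repositories`.
REPOSITORIES = [
    {"repositoryName": "app/api", "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/app/api",
     "imageScanningConfiguration": {"scanOnPush": True}},
    {"repositoryName": "app/worker", "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/app/worker",
     "imageScanningConfiguration": {"scanOnPush": False}},
    {"repositoryName": "lab/sandbox", "repositoryArn": "arn:aws:ecr:us-east-1:111122223333:repository/lab/sandbox",
     "imageScanningConfiguration": {"scanOnPush": False}},
]

# Constructed sample of `aws ecr get-registry-scanning-configuration`: enhanced
# scanning with one SCAN_ON_PUSH rule that covers only "app/*" repositories.
REGISTRY_CONFIG = {
    "registryId": "111122223333",
    "scanningConfiguration": {
        "scanType": "ENHANCED",
        "rules": [{"scanFrequency": "SCAN_ON_PUSH",
                   "repositoryFilters": [{"filter": "app/*", "filterType": "WILDCARD"}]}],
    },
}

QUALIFYING_FREQUENCIES = ("SCAN_ON_PUSH", "CONTINUOUS_SCAN")

def registry_rule_covers(repo_name, registry_config):
    """True if a qualifying registry-level rule applies to repo_name."""
    # The named query treats any qualifying rule as covering every repository in
    # the account and region; this version also honours the repository filters.
    for rule in registry_config.get("scanningConfiguration", {}).get("rules", []):
        if rule.get("scanFrequency") not in QUALIFYING_FREQUENCIES:
            continue
        for flt in rule.get("repositoryFilters", []):
            # Assumption: a WILDCARD filter is matched as a '*' glob against the name.
            if flt.get("filterType") == "WILDCARD" and fnmatchcase(repo_name, flt["filter"]):
                return True
    return False

def evaluate(repositories, registry_config):
    """Map each repository ARN to (status, reason), mirroring the control's output."""
    results = {}
    for repo in repositories:
        name = repo["repositoryName"]
        scan_on_push = bool(repo.get("imageScanningConfiguration", {}).get("scanOnPush"))
        if scan_on_push or registry_rule_covers(name, registry_config):
            results[repo["repositoryArn"]] = ("ok", f"{name} scan on push enabled.")
        else:
            results[repo["repositoryArn"]] = ("alarm", f"{name} scan on push disabled.")
    return results
```

With the sample data, app/api passes on its own scanOnPush setting, app/worker passes only because the registry rule matches "app/*", and lab/sandbox alarms because neither applies.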

Tags