pattern · javascript · Major
ECR image scanning for vulnerability detection before deployment
Tags: ECR scanning, CVE, container security, image vulnerabilities, Amazon Inspector, DescribeImageScanFindings, CI/CD gate
Problem
Container images pushed to ECR contain outdated OS packages and library vulnerabilities. Without scanning, vulnerable images reach production undetected.
Solution
Enable ECR Enhanced Scanning (powered by Inspector) for continuous vulnerability monitoring. Configure scan on push via repository settings and fail CI/CD pipelines when critical vulnerabilities are detected, using the ECR DescribeImageScanFindings API to read the severity counts.
import { ECRClient, DescribeImageScanFindingsCommand } from '@aws-sdk/client-ecr';

const ecr = new ECRClient({});
const result = await ecr.send(new DescribeImageScanFindingsCommand({
  repositoryName: 'my-app',
  imageId: { imageTag: 'latest' }, // prefer { imageDigest } in a real gate: tags are mutable, digests are not
}));
// Fail closed: findingSeverityCounts is absent until the scan has finished, so an
// unfinished scan must not be read as "zero critical findings".
if (result.imageScanStatus?.status !== 'COMPLETE') {
  throw new Error(`Scan not complete (status ${result.imageScanStatus?.status}) — refusing to deploy unscanned image`);
}
const criticals = result.imageScanFindings?.findingSeverityCounts?.CRITICAL || 0;
if (criticals > 0) throw new Error(`Image has ${criticals} critical CVEs — blocking deployment`);
Why
ECR Basic Scanning uses CVE databases updated daily. Enhanced Scanning uses Amazon Inspector for continuous monitoring even after push, with OS and programming language package scanning. Catching vulnerabilities at build time is orders of magnitude cheaper than post-breach remediation.
Gotchas
- Basic Scanning is free; Enhanced Scanning charges per image scanned by Inspector
- Scan results are available asynchronously — poll DescribeImageScanFindings or use EventBridge for scan completion events
- MEDIUM/LOW vulnerabilities are common in base images — establish a policy on which severities are blocking
- Use distroless or minimal base images (e.g., gcr.io/distroless/nodejs) to dramatically reduce attack surface
- Scan findings apply to the image digest, not just the tag — tags are mutable, digests are not
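The solution and the gotchas above describe one procedure: wait for the asynchronous scan result, look it up by digest rather than tag, and decide according to an explicit severity policy rather than blocking on CRITICAL alone. The following is an added example of that gate (it is not code from the original card or from AWS). It assumes an SDK-v3-style client with a `send(command)` method; the client and the command constructor are injected so the gate can be exercised offline with a fake client. The policy thresholds, the fake client and the placeholder digest are constructed for the example.

```javascript
// Added example for this pattern card (not the card's own code): a CI/CD gate that
// waits for an ECR scan keyed by image digest, then applies a severity policy.
// The ECR client and command constructor are injected, so there is no SDK import
// here; in a pipeline pass `new ECRClient({})` and
// `(input) => new DescribeImageScanFindingsCommand(input)` from '@aws-sdk/client-ecr'.

// Severity names as they appear in findingSeverityCounts (ECR basic and Inspector).
const SEVERITIES = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFORMATIONAL', 'UNDEFINED'];

// Example policy (constructed): maximum allowed count per severity. Severities
// absent from the policy (MEDIUM/LOW here) are reported but never block the build.
const DEFAULT_POLICY = { CRITICAL: 0, HIGH: 5 };

// Pure decision step: counts -> { blocked, violations }. Missing counts mean zero.
function evaluateFindings(counts, policy = DEFAULT_POLICY) {
  const found = counts || {};
  const violations = [];
  for (const sev of SEVERITIES) {
    if (!(sev in policy)) continue;
    const n = found[sev] || 0;
    if (n > policy[sev]) violations.push(`${sev}: ${n} found, max ${policy[sev]}`);
  }
  return { blocked: violations.length > 0, violations };
}

// Scan statuses that carry findings: basic scanning reports COMPLETE; enhanced
// (Inspector) scanning reports ACTIVE once the continuous scan has results.
const DONE = new Set(['COMPLETE', 'ACTIVE']);
// Terminal statuses with no usable findings: fail closed rather than deploy unscanned.
const FAILED = new Set(['FAILED', 'UNSUPPORTED_IMAGE', 'SCAN_ELIGIBILITY_EXPIRED',
  'FINDINGS_UNAVAILABLE', 'LIMIT_EXCEEDED']);

// Polls DescribeImageScanFindings by digest (tags are mutable) until a terminal
// status, then evaluates. `ecr.send(makeCommand(input))` mirrors SDK v3 usage.
async function gateImage(ecr, makeCommand, { repositoryName, imageDigest }, policy = DEFAULT_POLICY, opts = {}) {
  const { attempts = 30, intervalMs = 10000,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)) } = opts;
  const base = { repository: repositoryName, digest: imageDigest };
  for (let i = 0; i < attempts; i++) {
    let result;
    try {
      result = await ecr.send(makeCommand({ repositoryName, imageId: { imageDigest } }));
    } catch (err) {
      // ScanNotFoundException: the push was accepted but scanning has not started yet.
      if (err && err.name === 'ScanNotFoundException') { await sleep(intervalMs); continue; }
      throw err;
    }
    const status = result.imageScanStatus && result.imageScanStatus.status;
    if (DONE.has(status)) {
      const counts = result.imageScanFindings && result.imageScanFindings.findingSeverityCounts;
      return { ...base, status, ...evaluateFindings(counts, policy) };
    }
    if (FAILED.has(status)) {
      return { ...base, status, blocked: true, violations: [`scan ended with status ${status}`] };
    }
    await sleep(intervalMs); // IN_PROGRESS / PENDING: keep waiting
  }
  return { ...base, status: 'TIMEOUT', blocked: true, violations: [`no result after ${attempts} polls`] };
}

// The same decision applied to an EventBridge 'ECR Image Scan' event. Note the
// hyphenated keys in event.detail, unlike the camelCase API response.
function evaluateScanEvent(event, policy = DEFAULT_POLICY) {
  const d = (event && event.detail) || {};
  const base = { repository: d['repository-name'], digest: d['image-digest'], status: d['scan-status'] };
  if (!DONE.has(d['scan-status'])) {
    return { ...base, blocked: true, violations: [`scan status ${d['scan-status']}`] };
  }
  return { ...base, ...evaluateFindings(d['finding-severity-counts'], policy) };
}

// Stand-alone demo with a constructed fake client: the first poll is IN_PROGRESS,
// the second returns findings. The digest is a placeholder, not a real image.
async function demo() {
  let polls = 0;
  const fakeEcr = {
    send: async () => (++polls < 2
      ? { imageScanStatus: { status: 'IN_PROGRESS' } }
      : { imageScanStatus: { status: 'COMPLETE' },
          imageScanFindings: { findingSeverityCounts: { CRITICAL: 1, HIGH: 2, MEDIUM: 30 } } }),
  };
  const decision = await gateImage(fakeEcr, (input) => input,
    { repositoryName: 'my-app', imageDigest: 'sha256:' + '0'.repeat(64) },
    DEFAULT_POLICY, { intervalMs: 0 });
  console.log(JSON.stringify(decision, null, 2));
  return decision;
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

In a pipeline step, call `gateImage` with the real client and the digest ECR returned on push, and exit non-zero when `blocked` is true; the same `evaluateFindings` function can back the EventBridge Lambda so that the build gate and the notification apply one policy. Keeping the decision pure makes the threshold policy reviewable and testable without an AWS account.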
Code Snippets
EventBridge-triggered Lambda for ECR scan finding notifications
// EventBridge rule to trigger CI notification on scan completion
// Pattern: { "source": ["aws.ecr"], "detail-type": ["ECR Image Scan"] }
// Posts to a Slack incoming webhook; SLACK_WEBHOOK_URL is assumed to be set in the
// Lambda environment, and global fetch is available on Node.js 18+ Lambda runtimes.
const notifySlack = (text) =>
  fetch(process.env.SLACK_WEBHOOK_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ text }),
  });

// Lambda handler. Keys in event.detail are hyphenated (scan-status,
// finding-severity-counts, repository-name), not camelCase or snake_case.
export const handler = async (event) => {
  if (event.detail['scan-status'] !== 'COMPLETE') return; // no findings to report yet
  const findings = event.detail['finding-severity-counts'] || {};
  if ((findings.CRITICAL || 0) > 0) {
    await notifySlack(`ECR scan: ${findings.CRITICAL} critical CVEs in ${event.detail['repository-name']}`);
  }
};
Context
Building CI/CD pipelines that push container images to ECR