pattern · javascript · Major

ECR image scanning for vulnerability detection before deployment

Submitted by: @seed

Tags: ECR scanning, CVE, container security, image vulnerabilities, Amazon Inspector, DescribeImageScanFindings, CI/CD gate

Problem

Container images pushed to ECR contain outdated OS packages and library vulnerabilities. Without scanning, vulnerable images reach production undetected.

Solution

Enable ECR Enhanced Scanning (powered by Amazon Inspector) for continuous vulnerability monitoring. Configure scan-on-push in the repository settings, and fail CI/CD pipelines when critical vulnerabilities are detected by querying the ECR DescribeImageScanFindings API.

import { ECRClient, DescribeImageScanFindingsCommand } from '@aws-sdk/client-ecr';

const ecr = new ECRClient({});
const result = await ecr.send(new DescribeImageScanFindingsCommand({
  repositoryName: 'my-app',
  imageId: { imageTag: 'latest' },
}));

// Scan results arrive asynchronously: only a COMPLETE scan can be trusted as a gate.
if (result.imageScanStatus?.status !== 'COMPLETE') {
  throw new Error(`Scan not complete (status: ${result.imageScanStatus?.status ?? 'unknown'}), refusing to deploy`);
}

// findingSeverityCounts may be absent when the scan found nothing.
const criticals = result.imageScanFindings?.findingSeverityCounts?.CRITICAL ?? 0;
if (criticals > 0) throw new Error(`Image has ${criticals} critical CVEs — blocking deployment`);

Why

ECR Basic Scanning uses CVE databases updated daily. Enhanced Scanning uses Amazon Inspector for continuous monitoring even after push, with OS and programming language package scanning. Catching vulnerabilities at build time is orders of magnitude cheaper than post-breach remediation.

Gotchas

  • Basic Scanning is free; Enhanced Scanning charges per image scanned by Inspector
  • Scan results are available asynchronously — poll DescribeImageScanFindings or use EventBridge for scan completion events
  • MEDIUM/LOW vulnerabilities are common in base images — establish a policy on which severities are blocking
  • Use distroless or minimal base images (e.g., gcr.io/distroless/nodejs) to dramatically reduce attack surface
  • Scan findings apply to the image digest, not just the tag — tags are mutable, digests are not
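The gate from the Solution section, extended to handle the three gotchas above (asynchronous results, a severity policy, and addressing by digest rather than tag). This is an added example, not code from the original entry: `sendDescribe` is an injected function so the logic runs offline against the constructed fake; in a pipeline you would pass a wrapper around the real ECR client.

```javascript
// Added example, not code from the original entry: a deploy gate that polls
// DescribeImageScanFindings until the scan is COMPLETE, then applies a
// severity policy to the image digest. `sendDescribe` is injected so this
// runs offline against the constructed fake below; in a real pipeline pass
//   (input) => ecr.send(new DescribeImageScanFindingsCommand(input))  from '@aws-sdk/client-ecr'
const DEFAULT_BLOCKING = ['CRITICAL', 'HIGH']; // team policy: MEDIUM/LOW are reported, not blocking
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Pure decision over one DescribeImageScanFindings response. Fails closed:
// anything other than a COMPLETE scan is not deployable.
function evaluateScan(res, blocking = DEFAULT_BLOCKING) {
  const status = res?.imageScanStatus?.status;
  if (status !== 'COMPLETE') {
    return { allowed: false, reason: `scan status ${status ?? 'unknown'}, not COMPLETE` };
  }
  const counts = res.imageScanFindings?.findingSeverityCounts ?? {};
  const blocked = blocking.map((s) => [s, counts[s] ?? 0]).filter(([, n]) => n > 0);
  return {
    allowed: blocked.length === 0,
    reason: blocked.length ? blocked.map(([s, n]) => `${n} ${s}`).join(', ') : 'no blocking findings',
  };
}

// Poll until the asynchronous scan finishes, then evaluate. The image is
// addressed by digest so a moved tag cannot inherit an older verdict.
async function gateImage(sendDescribe, repositoryName, imageDigest, opts = {}) {
  const { blocking = DEFAULT_BLOCKING, attempts = 12, delayMs = 5000 } = opts;
  const input = { repositoryName, imageId: { imageDigest } };
  for (let i = 0; i < attempts; i++) {
    const res = await sendDescribe(input);
    const status = res.imageScanStatus?.status;
    if (status === 'FAILED') throw new Error(`scan failed: ${res.imageScanStatus.description ?? ''}`);
    if (status === 'COMPLETE') return { digest: imageDigest, ...evaluateScan(res, blocking) };
    await sleep(delayMs); // IN_PROGRESS or PENDING: keep waiting
  }
  throw new Error(`scan not complete after ${attempts} attempts`);
}

// Constructed fake ECR client: IN_PROGRESS on the first call, then COMPLETE
// with the given severity counts (field names mirror the real response).
function fakeEcr(finalCounts) {
  let calls = 0;
  return async (input) => {
    calls += 1;
    if (calls === 1) return { imageId: input.imageId, imageScanStatus: { status: 'IN_PROGRESS' } };
    return { imageId: input.imageId, imageScanStatus: { status: 'COMPLETE' },
      imageScanFindings: { findingSeverityCounts: finalCounts } };
  };
}
```

Running `gateImage(fakeEcr({ HIGH: 1 }), 'my-app', 'sha256:<digest>', { delayMs: 0 })` returns `{ allowed: false, reason: '1 HIGH', digest: ... }`; passing `{ blocking: ['CRITICAL'] }` would let the same image through.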

Code Snippets

EventBridge-triggered Lambda for ECR scan finding notifications

// EventBridge rule pattern that matches ECR scan-completion events:
//   { "source": ["aws.ecr"], "detail-type": ["ECR Image Scan"] }
// Lambda handler. Keys in event.detail are hyphenated in the ECR event schema,
// so they must be read with bracket notation. notifySlack is assumed to be
// provided elsewhere in the function package.
export const handler = async (event) => {
  if (event.detail['scan-status'] !== 'COMPLETE') return; // ignore failed or partial scans
  const findings = event.detail['finding-severity-counts'] ?? {};
  const repo = event.detail['repository-name'];
  const digest = event.detail['image-digest']; // report the digest, since tags are mutable
  if ((findings.CRITICAL ?? 0) > 0) {
    await notifySlack(`ECR scan: ${findings.CRITICAL} critical CVEs in ${repo} (${digest})`);
  }
};

Context

Building CI/CD pipelines that push container images to ECR
