Severity: HIGH
Source: Trivy
ID: AVD-AWS-0030

ECR repository has image scans disabled.

Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

Impact

The ability to scan images is not being used, so vulnerabilities will not be highlighted.

Follow the appropriate remediation steps below to resolve the issue.

Enable ECR image scanning (CloudFormation)

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      ImageTagImmutability: IMMUTABLE
      ImageScanningConfiguration:
        ScanOnPush: true
      EncryptionConfiguration:
        EncryptionType: KMS
        KmsKey: "alias/ecr-key"

Enable ECR image scanning (Terraform)

resource "aws_ecr_repository" "good_example" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"
  
  image_scanning_configuration {
    scan_on_push = true
  }
}
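
As an added example (not Trivy's own check logic and not part of the original page), the following Python sketch flags the condition this rule describes in a CloudFormation template supplied in JSON form. The sample template, its logical IDs and the function names are constructed for illustration.

```python
import json

# Constructed sample template in CloudFormation JSON form (not from the page).
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "ScanEnabled":    {"Type": "AWS::ECR::Repository",
                     "Properties": {"ImageScanningConfiguration": {"ScanOnPush": true}}},
  "ScanStringTrue": {"Type": "AWS::ECR::Repository",
                     "Properties": {"ImageScanningConfiguration": {"ScanOnPush": "true"}}},
  "ScanDisabled":   {"Type": "AWS::ECR::Repository",
                     "Properties": {"ImageScanningConfiguration": {"ScanOnPush": false}}},
  "NoScanBlock":    {"Type": "AWS::ECR::Repository",
                     "Properties": {"RepositoryName": "legacy"}},
  "NoProperties":   {"Type": "AWS::ECR::Repository"},
  "Bucket":         {"Type": "AWS::S3::Bucket"}
}}
""")


def scan_on_push_enabled(resource):
    """True only when ImageScanningConfiguration.ScanOnPush is explicitly true."""
    props = resource.get("Properties") or {}
    cfg = props.get("ImageScanningConfiguration") or {}
    value = cfg.get("ScanOnPush", False)  # an omitted setting means scanning is off
    # Templates often carry booleans as strings ("true"); treat that as enabled.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    # Anything else (False, None, an unresolved intrinsic such as {"Ref": ...})
    # is conservatively reported as not enabled.
    return value is True


def repos_without_scanning(template):
    """Return sorted logical IDs of ECR repositories that leave scan-on-push off."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::ECR::Repository":
            continue  # only ECR repositories are in scope for this rule
        if not scan_on_push_enabled(resource):
            findings.append(logical_id)
    return sorted(findings)


if __name__ == "__main__":
    for logical_id in repos_without_scanning(SAMPLE_TEMPLATE):
        print(f"{logical_id}: ECR repository has image scans disabled (AVD-AWS-0030)")
```

Repositories that omit `ImageScanningConfiguration` entirely are reported alongside those that set `ScanOnPush: false`, since both leave scanning off.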