Id: 9025b2b3-e554-4842-ba87-db7aeec36d35
Cloud Provider: AWS
Platform: CloudFormation
Severity: Low
Category: Observability
Description
ECR repositories should enable image scanning on push to detect known vulnerabilities before images are deployed. This reduces the risk of running vulnerable or compromised containers.
For AWS::ECR::Repository resources, Properties.ImageScanningConfiguration.ScanOnPush must be set to true. Resources missing ImageScanningConfiguration, or with ScanOnPush set to false, will be flagged.
To remediate, set ImageScanningConfiguration.ScanOnPush to true on the repository resource.
Secure configuration example:
  MyEcrRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: my-repo
      ImageScanningConfiguration:
        ScanOnPush: true
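As an added example (not the page's own check implementation), a small Python checker that applies the rule above to a CloudFormation template in JSON form; the template, logical IDs and repository names are constructed for the demonstration. It accepts both a boolean `true` and the string `"true"` as enabled, and reports repositories that omit ImageScanningConfiguration separately from those that set ScanOnPush to false.

```python
import json

# Constructed sample template mirroring the page's shapes: scan enabled,
# scan disabled, configuration missing, plus a non-ECR resource to skip.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ScanEnabled": {"Type": "AWS::ECR::Repository", "Properties": {
            "RepositoryName": "good-repo",
            "ImageScanningConfiguration": {"ScanOnPush": "true"}}},
        "ScanDisabled": {"Type": "AWS::ECR::Repository", "Properties": {
            "RepositoryName": "bad-repo",
            "ImageScanningConfiguration": {"ScanOnPush": False}}},
        "ScanMissing": {"Type": "AWS::ECR::Repository", "Properties": {
            "RepositoryName": "bad-repo-2"}},
        "NotEcr": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})


def scan_on_push_enabled(properties):
    """True only if ImageScanningConfiguration.ScanOnPush is boolean true
    or the string "true" (CloudFormation accepts either spelling)."""
    cfg = properties.get("ImageScanningConfiguration")
    if not isinstance(cfg, dict):
        return False
    value = cfg.get("ScanOnPush")
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_unscanned_ecr_repositories(template_text):
    """Return (logical_id, reason) for every ECR repository the rule flags."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ECR::Repository":
            continue
        props = resource.get("Properties") or {}
        if "ImageScanningConfiguration" not in props:
            findings.append((logical_id, "ImageScanningConfiguration is missing"))
        elif not scan_on_push_enabled(props):
            findings.append((logical_id, "ScanOnPush is not true"))
    return findings


if __name__ == "__main__":
    for logical_id, reason in find_unscanned_ecr_repositories(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

A YAML template can be fed to the same function after loading it with a CloudFormation-aware YAML loader and re-serialising it with `json.dumps`.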
Compliant Code Examples
# Compliant: ScanOnPush is enabled on the repository
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      ImageScanningConfiguration:
        ScanOnPush: "true"
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRepository2": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "ImageScanningConfiguration": {
          "ScanOnPush": "true"
        }
      }
    }
  }
}
Non-Compliant Code Examples
# Non-compliant: ScanOnPush is explicitly disabled
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MyRepository4:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      ImageScanningConfiguration:
        ScanOnPush: "false"
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRepository5": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "RepositoryPolicyText": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AllowPushPull",
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::123456789012:user/Bob",
                  "arn:aws:iam::123456789012:user/Alice"
                ]
              },
              "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
              ]
            }
          ]
        }
      }
    }
  }
}
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRepository6": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "ImageScanningConfiguration": {
          "ScanOnPush": "false"
        }
      }
    }
  }
}