Unscanned ECR image

This product is not supported for your selected Datadog site. ().
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: 9630336b-3fed-4096-8173-b9afdfe346a7

Cloud Provider: aws

Framework: Terraform

Severity: Low

Category: Observability

Learn More

Description

This check verifies whether Amazon Elastic Container Registry (ECR) repositories are configured to scan container images on push by setting the scan_on_push attribute to true in the image_scanning_configuration block. Without image scanning enabled, as in image_scanning_configuration { scan_on_push = false }, malicious or vulnerable software can be uploaded and distributed without detection, increasing the risk of security breaches. Enabling image scanning ensures that newly pushed images are automatically checked for vulnerabilities, helping to prevent the deployment of insecure containers.

Compliant Code Examples

resource "aws_ecr_repository" "negative1" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

Non-Compliant Code Examples

resource "aws_ecr_repository" "positive1" {
  name                 = "img_p_2"
  image_tag_mutability = "MUTABLE"
}

resource "aws_ecr_repository" "positive2" {
  name                 = "img_p_1"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = false
  }
}