For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-unscanned-ecr-image.md. A documentation index is available at /llms.txt.

Unscanned ECR image

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-unscanned-ecr-image

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Observability

Learn More

Description

ECR repositories should enable image scanning on push to detect known vulnerabilities before images are deployed. This reduces the risk of running vulnerable or compromised containers.

For AWS::ECR::Repository resources, Properties.ImageScanningConfiguration.ScanOnPush must be set to true. Resources missing ImageScanningConfiguration, or with ScanOnPush set to false, will be flagged.

To remediate, set ImageScanningConfiguration.ScanOnPush to true on the repository resource.

Secure configuration example:

MyEcrRepository:
  Type: AWS::ECR::Repository
  Properties:
    RepositoryName: my-repo
    ImageScanningConfiguration:
      ScanOnPush: true

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-11"
Resources:
  MyRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      ImageScanningConfiguration:
        ScanOnPush: "true"

{
  "AWSTemplateFormatVersion": "2010-09-11T00:00:00Z",
  "Resources": {
    "MyRepository2": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "ImageScanningConfiguration": {
          "ScanOnPush": "true"
        }
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-11"
Resources:
  MyRepository3:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          -
            Sid: AllowPushPull
            Effect: Allow
            Principal:
              AWS:
                - "arn:aws:iam::123456789012:user/Bob"
                - "arn:aws:iam::123456789012:user/Alice"
            Action:
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:BatchGetImage"
              - "ecr:BatchCheckLayerAvailability"
              - "ecr:PutImage"
              - "ecr:InitiateLayerUpload"
              - "ecr:UploadLayerPart"
              - "ecr:CompleteLayerUpload"

AWSTemplateFormatVersion: "2010-09-11"
Resources:
  MyRepository4:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      ImageScanningConfiguration:
        ScanOnPush: "false"

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyRepository5": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "test-repository",
        "RepositoryPolicyText": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "AllowPushPull",
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::123456789012:user/Bob",
                  "arn:aws:iam::123456789012:user/Alice"
                ]
              },
              "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
              ]
            }
          ]
        }
      }
    }
  }
}