---
title: Unscanned ECR image
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Unscanned ECR image
---

# Unscanned ECR image

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `9630336b-3fed-4096-8173-b9afdfe346a7`

**Cloud Provider:** AWS

**Platform:** Terraform

**Severity:** Low

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#scan_on_push)

### Description{% #description %}

This check verifies that each Amazon Elastic Container Registry (ECR) repository is configured to scan container images on push, that is, that the `aws_ecr_repository` resource contains an `image_scanning_configuration` block with `scan_on_push = true`. A repository is non-compliant either when the block sets `scan_on_push = false` or when the block is omitted entirely, since the AWS provider leaves scanning disabled unless it is explicitly turned on. Without scan-on-push, images containing known-vulnerable packages can be pushed to the repository and pulled into workloads with no vulnerability findings ever being recorded. Enabling it causes ECR to scan every newly pushed image automatically, so that vulnerable images are surfaced before they are deployed. Two caveats apply: scan-on-push reports findings but does not reject a push or block a pull, so a deployment gate still has to act on the results, and images that were already in the repository when scanning was enabled are not scanned retroactively and must be scanned manually (for example with `aws ecr start-image-scan`). If the registry uses enhanced scanning (configured on the registry with `aws_ecr_registry_scanning_configuration` rather than per repository), scan behaviour is governed by the registry-level rules; this rule only inspects the repository resource.
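The following is an added example, not Datadog's rule implementation or any code from the AWS provider: a dependency-free Python checker that applies the logic described above to Terraform source. It handles only the HCL subset these examples use (top-level `resource` blocks, nested blocks, and `key = value` attributes); the sample HCL embedded at the bottom is constructed from the compliant and non-compliant snippets on this page.

```python
"""Flag aws_ecr_repository resources that do not enable scan-on-push.

Added example (not the Datadog rule's own code). The parser below covers the
HCL subset used on this page; it is not a general-purpose HCL parser.
"""
import re

_RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
_BLOCK_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*\{\s*$')
_ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def _strip_comments(hcl):
    """Drop `#` and `//` line comments, leaving string contents untouched."""
    out = []
    for line in hcl.splitlines():
        in_str = False
        for i, c in enumerate(line):
            if c == '"' and (i == 0 or line[i - 1] != "\\"):
                in_str = not in_str
            elif not in_str and (c == "#" or line.startswith("//", i)):
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)


def _block_end(text, open_idx):
    """Index of the '}' matching the '{' at open_idx, ignoring braces in strings."""
    depth, in_str, i = 0, False, open_idx
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced braces")


def _parse_body(body):
    """Parse `key = value` attributes and `name { ... }` nested blocks into a dict."""
    out, pos = {}, 0
    while pos < len(body):
        nl = body.find("\n", pos)
        nl = len(body) if nl == -1 else nl
        line = body[pos:nl]
        m_block = _BLOCK_RE.match(line)
        if m_block:
            open_idx = pos + line.index("{")
            close_idx = _block_end(body, open_idx)
            out[m_block.group(1)] = _parse_body(body[open_idx + 1:close_idx])
            pos = close_idx + 1
            continue
        m_attr = _ATTR_RE.match(line)
        if m_attr:
            out[m_attr.group(1)] = m_attr.group(2)  # raw value text, e.g. 'true' or '"bar"'
        pos = nl + 1
    return out


def parse_resources(hcl):
    """Return [{'type', 'name', 'body'}] for every top-level resource block."""
    text = _strip_comments(hcl)
    resources = []
    for m in _RESOURCE_RE.finditer(text):
        open_idx = m.end() - 1
        close_idx = _block_end(text, open_idx)
        resources.append({"type": m.group(1), "name": m.group(2),
                          "body": _parse_body(text[open_idx + 1:close_idx])})
    return resources


def check_ecr_scan_on_push(hcl):
    """One finding per aws_ecr_repository whose scan_on_push is not literally true.

    A missing image_scanning_configuration block is a finding because the
    provider leaves scanning off by default. A non-literal value such as
    `var.enable_scan` is also flagged: it cannot be proven true statically.
    """
    findings = []
    for res in parse_resources(hcl):
        if res["type"] != "aws_ecr_repository":
            continue
        addr = "aws_ecr_repository." + res["name"]
        cfg = res["body"].get("image_scanning_configuration")
        if not isinstance(cfg, dict):
            findings.append({"resource": addr, "reason": "image_scanning_configuration block missing"})
        elif cfg.get("scan_on_push") != "true":
            findings.append({"resource": addr,
                             "reason": "scan_on_push is %r, expected true" % cfg.get("scan_on_push")})
    return findings


# Constructed sample input, assembled from this page's own examples.
SAMPLE_HCL = '''
resource "aws_ecr_repository" "negative1" {
  name                 = "bar"  # compliant
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}
resource "aws_ecr_repository" "positive1" {
  name                 = "img_p_2"
  image_tag_mutability = "MUTABLE"
}
resource "aws_ecr_repository" "positive2" {
  name                 = "img_p_1"
  image_scanning_configuration {
    scan_on_push = false
  }
}
'''

if __name__ == "__main__":
    for f in check_ecr_scan_on_push(SAMPLE_HCL):
        print("%s: %s" % (f["resource"], f["reason"]))
```

Running the script reports `positive1` (block missing) and `positive2` (`scan_on_push` is `'false'`) and stays silent on `negative1`. Pointing `check_ecr_scan_on_push` at the contents of a real `.tf` file works the same way, with the stated limitation that the parser does not understand HCL features beyond the subset used here.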

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "aws_ecr_repository" "negative1" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"

  # Every image pushed to this repository is scanned automatically.
  image_scanning_configuration {
    scan_on_push = true
  }
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
# No image_scanning_configuration block: the provider leaves scanning disabled.
resource "aws_ecr_repository" "positive1" {
  name                 = "img_p_2"
  image_tag_mutability = "MUTABLE"
}

# Block present but scanning explicitly turned off.
resource "aws_ecr_repository" "positive2" {
  name                 = "img_p_1"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = false
  }
}
```
