Scan your Docker images for vulnerabilities with ECR

Amazon ECR image scanning helps in identifying software vulnerabilities in your Docker images.

To forward findings to other systems (e.g., Slack, Microsoft Teams), you have to:

1. Enable Scan on push for your ECR repository.
2. Create a EventBridge (previously CloudWatch Events) Rule to subscribe to the findings.

Enable Scan on push

To enable Scan on push, flip the switch when creating or updating an ECR repository.

Create an EventBridge Rule

Monitoring Assistant
Are you in a hurry? Ask marbot to do it for you!

1. Add marbot to Slack or Microsoft Teams.
2. Invite marbot to a channel.
3. Follow the setup wizard.

It couldn't be easier!

1. Visit the EventBridge Console.
2. Navigate to Events -> Rules.
3. Create a new rule.
   
4. Select Event pattern

5. Select Custom pattern and enter the following pattern:

   { "source": [ "aws.ecr" ], "detail-type": [ "ECR Image Scan" ], "detail": { "scan-status": ["COMPLETE"], "finding-severity-counts": { "$or": [ {"CRITICAL": [{"numeric": [">", 0]}]}, {"HIGH": [{"numeric": [">", 0]}]}, {"MEDIUM": [{"numeric": [">", 0]}]}, {"UNDEFINED": [{"numeric": [">", 0]}]} ] } } }

6. Last but not least, configure the target (e.g., SNS topic). From the SNS topic, you can then distribute to other systems.

Take your AWS monitoring to a new level! Chatbot for AWS Monitoring: Configure monitoring, escalate alerts, solve incidents.

Michael Wittig

Consultant focusing on Amazon Web Services (AWS). Entrepreneur building marbot.io. Author of Amazon Web Services in Action, Rapid Docker on AWS, and cloudonaut.io.

You can contact me via Email, Twitter, and LinkedIn.

Published on 28 Jan 2020 and updated on 21 Feb 2023.