How to monitor ECR Image Scanning

Michael Wittig – 28 Jan 2020

Amazon ECR image scanning helps in identifying software vulnerabilities in your Docker images.

To forward findings to other systems (e.g., Slack), you have to:

  1. Enable Scan on push for your ECR repository.
  2. Create a CloudWatch Events Rule to subscribe to the findings.

Enable Scan on push

To enable Scan on push, flip the switch when creating or updating an ECR repository.

Create a CloudWatch Events Rule

  1. Visit the CloudWatch Console.
  2. Navigate to Events -> Rules.
  3. Create a new rule.
  4. Set Service Name to Elastic Container Registry (ECR).
  5. Set Event Type to ECR Image Scan.
    This results in the following event pattern:

    {
      "source": [
        "aws.ecr"
      ],
      "detail-type": [
        "ECR Image Scan"
      ]
    }

    Unfortunately, you cannot filter scan results according to finding severity.

  6. Last but not least, configure the target (e.g., SNS topic). From the SNS topic, you can then distribute to other systems.
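As an added example (not code from the original post or from marbot), the following Python Lambda handler shows what a target behind the rule or the SNS topic could do with a scan event. It re-implements the rule's matching for the pattern above and, because the rule itself cannot filter by severity, applies a severity threshold in code using the `finding-severity-counts` field of the ECR Image Scan event detail. The sample event is constructed; the field names (`scan-status`, `repository-name`, `image-digest`, `image-tags`, `finding-severity-counts`) follow the shape AWS documents for this event type, and the Slack delivery step is left as a print.

```python
import json

# Event pattern from the article: every "ECR Image Scan" event published by ECR.
EVENT_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
}

# Severity names as they appear in finding-severity-counts, most severe first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]


def rule_matches(pattern, event):
    """Minimal model of CloudWatch Events matching for a flat list-valued pattern:
    every key in the pattern must be present in the event with one of the listed values."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def severities_at_or_above(counts, threshold):
    """Sum the finding counts whose severity is at least `threshold` (e.g. HIGH -> CRITICAL+HIGH)."""
    limit = SEVERITY_ORDER.index(threshold)
    return sum(
        n for sev, n in counts.items()
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) <= limit
    )


def summarize(event, threshold="HIGH"):
    """Turn a scan event into {"alert": bool, "text": str}, or None if the rule would not deliver it."""
    if not rule_matches(EVENT_PATTERN, event):
        return None
    detail = event["detail"]
    repo = detail.get("repository-name", "<unknown>")
    tags = ", ".join(detail.get("image-tags") or ["<untagged>"])
    status = detail.get("scan-status")
    # A scan that did not complete is itself worth an alert: nothing was checked.
    if status != "COMPLETE":
        return {"alert": True, "text": f"ECR scan of {repo} ({tags}) did not complete: status {status}"}
    counts = detail.get("finding-severity-counts", {})
    hits = severities_at_or_above(counts, threshold)
    if hits == 0:
        return {"alert": False, "text": f"ECR scan of {repo} ({tags}): no findings at {threshold} or above"}
    breakdown = ", ".join(f"{sev}: {counts[sev]}" for sev in SEVERITY_ORDER if sev in counts)
    return {
        "alert": True,
        "text": f"ECR scan of {repo} ({tags}): {hits} finding(s) at {threshold} or above ({breakdown})",
    }


def handler(event, context=None):
    """Lambda entry point. Only alerts are forwarded; replace print() with a Slack webhook call."""
    summary = summarize(event)
    if summary and summary["alert"]:
        print(json.dumps(summary))
    return summary


# Constructed sample event in the documented shape (account id, digest and region are placeholders).
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "ECR Image Scan",
    "source": "aws.ecr",
    "account": "123456789012",
    "time": "2020-01-28T10:00:00Z",
    "region": "eu-west-1",
    "resources": ["arn:aws:ecr:eu-west-1:123456789012:repository/example-app"],
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "example-app",
        "image-digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
        "image-tags": ["latest", "v1.2.3"],
        "finding-severity-counts": {"CRITICAL": 1, "HIGH": 4, "MEDIUM": 9, "LOW": 2},
    },
}

if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```

Because the threshold lives in the Lambda rather than in the rule, the rule stays as simple as the article shows, and the noise reduction (ignoring images with only MEDIUM/LOW findings) is a deliberate choice that is visible in code.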

Do you want to receive scan results via Slack? Add marbot to your Slack workspace and deploy our AWS basics Monitoring Jump Start.
