Scan your Docker images for vulnerabilities with ECR

Michael Wittig – 28 Jan 2020 (updated 21 Feb 2023)

Amazon ECR image scanning helps in identifying software vulnerabilities in your Docker images.

How to monitor ECR Image Scanning

To forward findings to other systems (e.g., Slack, Microsoft Teams), you have to:

  1. Enable Scan on push for your ECR repository.
  2. Create a EventBridge (previously CloudWatch Events) Rule to subscribe to the findings.

Enable Scan on push

To enable Scan on push, flip the switch when creating or updating an ECR repository.

Enable Scan on push

Create an EventBridge Rule

Monitoring Assistant
Are you in a hurry? Ask marbot to do it for you!

  1. Add marbot to Slack or Microsoft Teams.
  2. Invite marbot to a channel.
  3. Follow the setup wizard.
It couldn't be easier!
  1. Visit the EventBridge Console.
  2. Navigate to Events -> Rules.
  3. Create a new rule.
    Create a EventBridge Rule
  4. Select Event pattern
  5. Select Custom pattern and enter the following pattern:

    "source": [
    "detail-type": [
    "ECR Image Scan"
    "detail": {
    "scan-status": ["COMPLETE"],
    "finding-severity-counts": {
    "$or": [
    {"CRITICAL": [{"numeric": [">", 0]}]},
    {"HIGH": [{"numeric": [">", 0]}]},
    {"MEDIUM": [{"numeric": [">", 0]}]},
    {"UNDEFINED": [{"numeric": [">", 0]}]}
  6. Last but not least, configure the target (e.g., SNS topic). From the SNS topic, you can then distribute to other systems.

Michael Wittig

Michael Wittig

Consultant focusing on Amazon Web Services (AWS). Entrepreneur building Author of Amazon Web Services in Action, Rapid Docker on AWS, and

You can contact me via Email, Twitter, and LinkedIn.

Published on and updated on

marbot teaser

Chatbot for AWS Monitoring

Configure monitoring for Amazon Web Services: CloudWatch, EC2, RDS, EB, Lambda, and more. Receive and manage alerts via Slack. Solve incidents as a team.

Add to Slack
Microsoft Teams
Add to Teams