Configuring enhanced scanning for images in Amazon ECR
Configure enhanced scanning per Region for your private registry.
Verify that you have the proper IAM permissions to configure enhanced scanning. For information, see IAM permissions required for enhanced scanning in Amazon ECR.
- AWS Management Console

  To turn on enhanced scanning for your private registry

  - Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
  - From the navigation bar, choose the Region to set the scanning configuration for.
  - In the navigation pane, choose Private registry, and then choose Settings.
  - On the Scanning configuration page, for Scan type choose Enhanced scanning.

    By default, when Enhanced scanning is selected, all of your repositories are continuously scanned.
  - To choose specific repositories to continuously scan, clear the Continuously scan all repositories box, and then define your filters:

    Important

    Filters with no wildcard will match all repository names that contain the filter. Filters with wildcards (*) match on a repository name where the wildcard replaces zero or more characters in the repository name. To see examples of how filters behave, see Filter wildcards.

    - Enter a filter based on repository names, and then choose Add filter.
    - Decide which repositories to scan when an image is pushed:
      - To scan all repositories on push, select Scan on push all repositories.
      - To choose specific repositories to scan on push, enter a filter based on repository names, and then choose Add filter.
  - Choose Save.
  - Repeat these steps in each Region in which you want to turn on enhanced scanning.
- AWS CLI

  Use the following AWS CLI command to turn on enhanced scanning for your private registry. You can specify scan filters using the rules object.

  - put-registry-scanning-configuration (AWS CLI)

    The following example turns on enhanced scanning for your private registry. By default, when no rules are specified, Amazon ECR sets the scanning configuration to continuous scanning for all repositories.

        aws ecr put-registry-scanning-configuration \
            --scan-type ENHANCED \
            --region us-east-2

    The following example turns on enhanced scanning for your private registry and specifies a scan filter. The scan filter in the example turns on continuous scanning for all repositories with prod in their names.

        aws ecr put-registry-scanning-configuration \
            --scan-type ENHANCED \
            --rules '[{"repositoryFilters" : [{"filter":"prod","filterType" : "WILDCARD"}],"scanFrequency" : "CONTINUOUS_SCAN"}]' \
            --region us-east-2

    The following example turns on enhanced scanning for your private registry and specifies multiple scan filters. The scan filters in the example turn on continuous scanning for all repositories with prod in their names and turn on scan on push only for all other repositories.

        aws ecr put-registry-scanning-configuration \
            --scan-type ENHANCED \
            --rules '[{"repositoryFilters" : [{"filter":"prod","filterType" : "WILDCARD"}],"scanFrequency" : "CONTINUOUS_SCAN"},{"repositoryFilters" : [{"filter":"*","filterType" : "WILDCARD"}],"scanFrequency" : "SCAN_ON_PUSH"}]' \
            --region us-west-2
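The following is an added example, not part of the AWS documentation: an offline preview of which scan frequency each repository name would receive under a set of filters, modelled on the matching behavior in the Important note, so that coverage gaps can be checked before a rule set is applied. The repository names, the `NONE` label and the one-rule-per-line input format are constructed for illustration; whole-name matching for wildcard filters and the precedence of `CONTINUOUS_SCAN` over `SCAN_ON_PUSH` are assumptions read from the Important note and the multi-filter example.

```shell
#!/bin/sh
# Added example: offline preview of ECR scan filter matching (no AWS calls).

# Return 0 if repository name $1 matches filter $2.
# No wildcard: substring match. With '*': the whole name must match the
# filter, each '*' standing for zero or more characters.
ecr_filter_matches() {
    case "$2" in
        *\**) pattern=$2 ;;
        *)    pattern="*$2*" ;;
    esac
    # An unquoted expansion in a 'case' pattern is matched as a glob.
    case "$1" in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the scan frequency for repository $1 under the rules in $2
# (one "<scanFrequency> <filter>" pair per line, a constructed format).
# Assumption: CONTINUOUS_SCAN takes precedence over SCAN_ON_PUSH, as the
# page's multi-filter example implies. NONE is this script's own label.
effective_scan() {
    result=NONE
    while read -r freq filter; do
        ecr_filter_matches "$1" "$filter" || continue
        if [ "$freq" = CONTINUOUS_SCAN ]; then
            result=CONTINUOUS_SCAN
        elif [ "$freq" = SCAN_ON_PUSH ] && [ "$result" = NONE ]; then
            result=SCAN_ON_PUSH
        fi
    done <<EOF
$2
EOF
    echo "$result"
}

# Same filters as the page's multi-filter CLI example.
RULES='CONTINUOUS_SCAN prod
SCAN_ON_PUSH *'

# Constructed repository names, for illustration only.
preview() {
    for repo in team/prod-api reproducer staging/web; do
        printf '%-16s %s\n' "$repo" "$(effective_scan "$repo" "$RULES")"
    done
}
preview
```

In this model `reproducer` is continuously scanned because the bare filter `prod` is a substring match, while a wildcard filter such as `prod*` would no longer match `team/prod-api`.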