Manually scanning an image for OS vulnerabilities in Amazon ECR
If your repositories aren't configured to scan on push, you can manually start image scans. An image can be scanned once per 24 hours. The 24 hours includes the initial scan on push, if configured, and any manual scans.

For troubleshooting details on common issues when scanning images, see Troubleshooting image scanning in Amazon ECR.
- AWS Management Console
Use the following steps to start a manual image scan using the AWS Management Console.
- AWS CLI
start-image-scan (AWS CLI)
The following example uses an image tag.
aws ecr start-image-scan --repository-name name \
    --image-id imageTag=tag_name \
    --region us-east-2
The following example uses an image digest.
aws ecr start-image-scan --repository-name name \
    --image-id imageDigest=sha256_hash \
    --region us-east-2
- AWS Tools for Windows PowerShell
Start-ECRImageScan (AWS Tools for Windows PowerShell)
The following example uses an image tag.
Start-ECRImageScan -RepositoryName name -ImageId_ImageTag tag_name -Region us-east-2 -Force
The following example uses an image digest.
Start-ECRImageScan -RepositoryName name -ImageId_ImageDigest sha256_hash -Region us-east-2 -Force
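
The following shell function is an added example, not part of the original page. It wraps the start-image-scan call shown above so that a pipeline step survives the once-per-24-hours limit and then gates on the scan result. It assumes the limit is reported as LimitExceededException on the CLI's stderr, and it uses two commands this page does not show: aws ecr wait image-scan-complete and aws ecr describe-image-scan-findings.

```shell
#!/bin/sh
# Added example (not from the original page): start a manual scan, tolerate the
# once-per-24-hours limit, wait for completion, then gate on severity counts.
# Assumption: the limit surfaces as LimitExceededException in the CLI's stderr.

# scan_and_gate REPO IMAGE_ID REGION
#   IMAGE_ID is "imageTag=<tag>" or "imageDigest=<digest>", as on the page.
#   Prints "CRITICAL=n HIGH=n". Returns 0 if both are zero, 1 if any are
#   present, 2 if the scan could not be started or did not complete.
scan_and_gate() {
  local repo="$1" image_id="$2" region="$3" err counts crit high

  # Capture stderr only so the error type can be inspected.
  if ! err=$(aws ecr start-image-scan --repository-name "$repo" \
        --image-id "$image_id" --region "$region" 2>&1 >/dev/null); then
    case "$err" in
      *LimitExceededException*)
        # Already scanned in the last 24 hours: reuse those results.
        echo "scan limit reached; using existing findings" >&2 ;;
      *)
        echo "start-image-scan failed: $err" >&2
        return 2 ;;
    esac
  fi

  # Block until the scan reaches a terminal state (non-zero on failure/timeout).
  aws ecr wait image-scan-complete --repository-name "$repo" \
      --image-id "$image_id" --region "$region" || return 2

  # Severity keys with no findings are absent and render as "None" in text output.
  counts=$(aws ecr describe-image-scan-findings --repository-name "$repo" \
      --image-id "$image_id" --region "$region" --output text \
      --query 'imageScanFindings.findingSeverityCounts.[CRITICAL,HIGH]') || return 2
  set -- $counts
  crit=${1:-0}; high=${2:-0}
  if [ "$crit" = None ]; then crit=0; fi
  if [ "$high" = None ]; then high=0; fi

  echo "CRITICAL=$crit HIGH=$high"
  if [ $((crit + high)) -gt 0 ]; then return 1; fi
  return 0
}
```

Call it as scan_and_gate name imageTag=tag_name us-east-2 and fail the build on a non-zero return; gating on CRITICAL and HIGH only is a policy choice made for this example.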