Manually scanning an image for OS vulnerabilities in Amazon ECR

If your repositories aren't configured to scan on push, you can manually start image scans. An image can be scanned once per 24 hours. The 24 hours includes the initial scan on push, if configured, and any manual scans.

For troubleshooting details for some common issues when scanning images, see Troubleshooting image scanning in Amazon ECR.

AWS Management Console

Use the following steps to start a manual image scan using the AWS Management Console.

Open the Amazon ECR console at https://console.aws.amazon.com/ecr/private-registry/repositories
From the navigation bar, choose the Region to create your repository in.
In the navigation pane, choose Repositories.
On the Repositories page, choose the repository that contains the image to scan.
On the Images page, select the image to scan and then choose Scan.

AWS CLI

start-image-scan (AWS CLI)

The following example uses an image tag.


aws ecr start-image-scan --repository-name name --image-id imageTag=tag_name --region us-east-2

The following example uses an image digest.


aws ecr start-image-scan --repository-name name --image-id imageDigest=sha256_hash --region us-east-2

AWS Tools for Windows PowerShell

Get-ECRImageScanFinding (AWS Tools for Windows PowerShell)

The following example uses an image tag.


Start-ECRImageScan -RepositoryName name -ImageId_ImageTag tag_name -Region us-east-2 -Force

The following example uses an image digest.


Start-ECRImageScan -RepositoryName name -ImageId_ImageDigest sha256_hash -Region us-east-2 -Force

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Switching to the improved basic scanning

Retrieving findings