# Scanning Amazon Elastic Container Registry container images with Amazon Inspector
<a name="scanning-ecr"></a>

 Amazon Inspector scans container images stored in Amazon Elastic Container Registry for software vulnerabilities to generate [package vulnerability findings](https://docs.aws.amazon.com/). When you activate Amazon ECR scanning, you set Amazon Inspector as the preferred scanning service for your private registry. 

**Note**  
 Amazon ECR uses a registry policy to grant permissions to an AWS principal. This principal has the required permissions to call Amazon Inspector APIs for scanning. When you set the scope of your registry policy, do not place the `ecr:*` action or `PutRegistryScanningConfiguration` in a `deny` statement. Doing so results in errors at the registry level when you enable or disable scanning for Amazon ECR. 

 With basic scanning, you can configure your repositories to scan on push or perform manual scans. With enhanced scanning, you scan for operating system and programming language package vulnerabilities at the registry level. For a side-by-side comparison of the differences between basic and enhanced scanning, see the [Amazon Inspector FAQ](https://aws.amazon.com/inspector/faqs/). 

**Note**  
 Basic scanning is provided and billed through Amazon ECR. For more information, see [Amazon Elastic Container Registry pricing](https://aws.amazon.com/ecr/pricing/). Enhanced scanning is provided and billed through Amazon Inspector. For more information, see [Amazon Inspector pricing](https://aws.amazon.com/inspector/pricing/). 

 For information about how to activate Amazon ECR scanning, see [Activating a scan type](https://docs.aws.amazon.com/inspector/latest/user/activate-scans.html). For information about how to view findings, see [Viewing Amazon Inspector findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding-locating-analyzing.html). For information about how to view findings within Amazon ECR at the image level, see [Image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the *Amazon Elastic Container Registry User Guide*. You can manage findings using AWS services not available for basic scanning, like [AWS Security Hub CSPM and Amazon EventBridge](https://docs.aws.amazon.com/inspector/latest/user/integrations.html). 

 You can view the scan configuration for each repository in Amazon Inspector through coverage pages and APIs. However, the configuration settings for basic scanning versus continuous scanning can only be modified in Amazon ECR. Amazon Inspector provides visibility into these settings but does not offer direct modification capabilities. For more information, see [Scan images for software vulnerabilities in Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the *Amazon ECR User Guide*. 

 This section provides information about Amazon ECR scanning and describes how to configure enhanced scanning for Amazon ECR repositories. 

## Scan behaviors for Amazon ECR scanning
<a name="ecr-scan-behavior"></a>

 When you first activate Amazon ECR scanning, Amazon Inspector detects images pushed within the last 14 days. Amazon Inspector then scans the images and sets their scan statuses to `ACTIVE`. Amazon Inspector scans only images that are active in ECR (the `imageStatus` field is `ACTIVE`); images that are archived in ECR (`imageStatus` is `ARCHIVED`) are not scanned. 

 If continuous scanning is enabled, Amazon Inspector monitors images as long as they were pushed within the last 14 days (by default), their last-in-use date is within the last 14 days (by default), or they were scanned within the configured re-scan duration. For Amazon Inspector accounts created before May 16, 2025, the default configuration monitors images that were pushed or pulled within the last 90 days. For more information, see [Configuring the Amazon ECR re-scan duration](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_configure_duration_setting_ecr.html). 

For continuous scanning, Amazon Inspector initiates new vulnerability scans of container images in the following situations:
+ Whenever a new container image is pushed.
+ Whenever Amazon Inspector adds a new common vulnerabilities and exposures (CVE) item to its database, and that CVE is relevant to that container image (continuous scanning only).
+ Whenever a container image is transitioned from archived to active in ECR.

If you configure your repository for scan on push, images are scanned only when you push them.

You can check when a container image was last checked for vulnerabilities from the **Container images** tab on the **Account management** page or by using the [ListCoverage](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListCoverage.html) API. Amazon Inspector updates the **Last scanned at** field of an Amazon ECR image in response to the following events: 
+ When Amazon Inspector completes an initial scan of a container image.
+ When Amazon Inspector re-scans a container image because a new common vulnerabilities and exposures (CVE) item that impacts that container image was added to the Amazon Inspector database.

### Archived ECR container images
<a name="archived-ecr-images"></a>

 Amazon Inspector does not scan container images archived in ECR (`imageStatus` is `ARCHIVED`). When an active image in ECR is transitioned to archived, Amazon Inspector automatically closes findings and then deletes the findings after 3 days. If an archived container image is transitioned to active in ECR, Amazon Inspector triggers a new scan. 

## Mapping container images to running containers
<a name="ecr-mapping-container-images"></a>

 Amazon Inspector provides comprehensive container security management by mapping container images to running containers across Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS). These mappings provide insights into vulnerabilities for images on running containers. 

**Note**  
 The managed policy `AWSReadOnlyAccess` alone does not provide sufficient permissions to view the mapping between Amazon ECR images and running containers. You need both the `AWSReadOnlyAccess` and `AWSInspector2ReadOnlyAccess` managed policies to view container image mapping information. 

 You can prioritize remediation efforts based on operational risks and maintain security coverage across the entire container ecosystem. You can view how many container images are currently in use and which container images were last used on an Amazon ECS or Amazon EKS cluster in the past 24 hours. You can also view how many Amazon ECS tasks and Amazon EKS pods are deployed. This information can be found in the Amazon Inspector console on the details screen for container image findings and with the `ecrImageInUseCount` and `ecrImageLastInUseAt` filters for the [FilterCriteria](https://docs.aws.amazon.com/inspector/v2/APIReference/API_FilterCriteria.html) data type. For new container images or accounts, it can take up to 36 hours for data to be available. Afterwards, this data is updated once every 24 hours. For more information, see [Viewing Amazon Inspector findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding-locating-analyzing.html) and [Viewing details for Amazon Inspector findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding-details.html). 

**Note**  
 This data is automatically sent to Amazon ECR findings when you activate Amazon ECR scanning and configure your repository for continuous scanning. Continuous scanning must be configured at the Amazon ECR repository level. For more information, see [Enhanced scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html) in the *Amazon Elastic Container Registry User Guide*. 

 You can also [re-scan container images](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_configure_duration_setting_ecr.html) from clusters based on their last-in-use date. 

 This feature is also supported on Fargate with Amazon ECS and Amazon EKS. 

## Supported operating systems and media types
<a name="ecr-supported-media"></a>

 For information about supported operating systems, see [Supported operating systems: Amazon ECR scanning with Amazon Inspector](supported.md#supported-os-ecr). 

 Amazon Inspector scans of Amazon ECR repositories cover the following supported media types: 

**Image manifest**
+  `"application/vnd.oci.image.manifest.v1+json"` 
+  `"application/vnd.docker.distribution.manifest.v2+json"` 

**Image configuration**
+  `"application/vnd.docker.container.image.v1+json"` 
+  `"application/vnd.oci.image.config.v1+json"` 

**Image layers**
+  `"application/vnd.docker.image.rootfs.diff.tar"` 
+  `"application/vnd.docker.image.rootfs.diff.tar.gzip"` 
+  `"application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"` 
+  `"application/vnd.oci.image.layer.v1.tar"` 
+  `"application/vnd.oci.image.layer.v1.tar+gzip"` 
+  `"application/vnd.oci.image.layer.v1.tar+zstd"` 
+  `"application/vnd.oci.image.layer.nondistributable.v1.tar"` 
+  `"application/vnd.oci.image.layer.nondistributable.v1.tar+gzip"` 

**Note**  
 Amazon Inspector does not support the `"application/vnd.docker.distribution.manifest.list.v2+json"` media type for the scanning of Amazon ECR repositories. 

# Configuring the Amazon ECR re-scan duration
<a name="scanning_resources_configure_duration_setting_ecr"></a>

 The Amazon ECR re-scan duration setting determines how long Amazon Inspector continuously monitors container images in repositories. You configure the re-scan duration for the image last-in-use date, last pull date, and push date. As a best practice, configure the re-scan duration to best suit your environment. 

 If you build images often, choose a shorter scan duration. For images used over long periods of time, choose a longer scan duration. The default scan duration for new accounts, including new accounts added to an organization, is 14 days. 

 Amazon Inspector continues to monitor and re-scan an image as long as it was last in use on a cluster or pushed within 14 days (by default). If an image hasn't been pushed or used on a running container within the configured push and last-in-use durations, Amazon Inspector stops monitoring it. If required, you can change the setting to monitor images by last pull date instead of last-in-use date. When Amazon Inspector stops monitoring an image, it sets the image scan status code to inactive and the reason code to expired, and then schedules all associated image findings to be closed. 

 If you increase the push date duration, Amazon Inspector applies the change to all actively scanned images in repositories configured for continuous scanning. However, inactive images remain inactive, even if you push them within the new duration. 

 When you configure the re-scan duration from a delegated administrator account, Amazon Inspector applies the setting to all member accounts in the organization. If the delegated administrator account does not enable Amazon ECR scanning, it cannot view clusters for an API image. 

 For multi-architecture images, the last-in-use date tracking is not supported. When using multi-architecture images, we recommend that you configure scanning based on image pull or push events instead of the last-in-use date to ensure proper re-scanning behavior. 

**Note**  
 All re-scan duration settings configured prior to May 16, 2025, will remain unchanged. You can continue using any default settings previously configured. 

**Image re-scan duration**  
 The image re-scan duration determines how long Amazon Inspector monitors images. It offers two modes: **Last in use date** (default) or **Last pull date**. Choose **Last in use date** (default) to use the last-in-use date from your Amazon ECS/Amazon EKS cluster activity. Choose **Last pull date** to use the last pull date of your Amazon ECR images to re-scan images. The following options are available as re-scan durations: 
+  14 days (default) 
+  30 days 
+  60 days 
+  90 days 
+  180 days 

**Image push date duration**  
 The image push date duration determines how long Amazon Inspector continuously monitors images after they are pushed to repositories. The following options are available as push date durations: 
+  14 days (default) 
+  30 days 
+  60 days 
+  90 days 
+  180 days 
+  Lifetime 
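The rules above, modelled as a small Python decision function (an added example, not Amazon Inspector's code): it predicts whether an image is still monitored from its push, last-in-use and last pull dates, the selected re-scan mode and the two durations, and shows why pull or push tracking is recommended for multi-architecture images. `EcrImage` is a hypothetical record type, and status or reason strings other than `ACTIVE`, `INACTIVE`, `ARCHIVED` and `EXPIRED` are constructed labels.

```python
# Added example (not Amazon Inspector or AWS code): a model of the ECR re-scan
# duration rules, used to predict whether an image is still monitored. Reason
# labels other than ACTIVE/INACTIVE/ARCHIVED/EXPIRED are constructed here.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

LIFETIME = None  # the "Lifetime" push date duration: never expires by push age


@dataclass
class EcrImage:
    digest: str
    image_status: str                    # ECR imageStatus: "ACTIVE" or "ARCHIVED"
    pushed_at: datetime
    last_in_use_at: Optional[datetime]   # None for multi-arch images (not tracked)
    last_pulled_at: Optional[datetime]


def monitoring_status(img: EcrImage, now: datetime, mode: str = "LAST_IN_USE",
                      rescan_days: int = 14, push_days: Optional[int] = 14) -> Tuple[str, str]:
    """Return (scan status code, reason); mode is LAST_IN_USE (default) or LAST_PULL."""
    if img.image_status == "ARCHIVED":           # archived images are never scanned
        return ("INACTIVE", "ARCHIVED")
    if push_days is LIFETIME or now - img.pushed_at <= timedelta(days=push_days):
        return ("ACTIVE", "WITHIN_PUSH_DURATION")
    activity = img.last_in_use_at if mode == "LAST_IN_USE" else img.last_pulled_at
    if activity is not None and now - activity <= timedelta(days=rescan_days):
        return ("ACTIVE", "WITHIN_" + mode + "_DURATION")
    return ("INACTIVE", "EXPIRED")               # findings are then scheduled to close


def multi_arch_demo() -> dict:
    """Why the page recommends pull/push tracking for multi-architecture images."""
    now = datetime(2025, 7, 1, tzinfo=timezone.utc)
    image = EcrImage(                            # constructed sample, not a real digest
        digest="sha256:EXAMPLE",
        image_status="ACTIVE",
        pushed_at=now - timedelta(days=40),      # older than the 14-day default
        last_in_use_at=None,                     # multi-arch: last-in-use not tracked
        last_pulled_at=now - timedelta(days=2),  # but pulled recently
    )
    return {
        "last_in_use_mode": monitoring_status(image, now, "LAST_IN_USE"),
        "last_pull_mode": monitoring_status(image, now, "LAST_PULL"),
        "lifetime_push": monitoring_status(image, now, push_days=LIFETIME),
    }
```

In the default **Last in use date** mode the multi-arch image expires despite being pulled two days ago; switching to **Last pull date** or a **Lifetime** push duration keeps it monitored.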

**To configure the Amazon ECR re-scan duration**

1.  Sign in using your credentials, and then open the Amazon Inspector console at [https://console.aws.amazon.com/inspector/v2/home](https://console.aws.amazon.com/inspector/v2/home). 

1.  Select the AWS Region where you want to configure the Amazon ECR re-scan duration. 

1.  From the navigation pane, choose **General settings**, and then choose **ECR scanning settings**. 

1.  Under **ECR re-scan duration**, choose the image re-scan mode, and then choose the corresponding duration. 

1.  Under **Image push date**, choose the image push date. 

1.  Choose **Save**. 

## Understanding ECR container image states
<a name="ecr-image-states"></a>

 Amazon Inspector scans only ECR container images with an `ACTIVE` status. ECR container images with an `ARCHIVED` status are not scanned. To learn more about scanning behaviors, see [Scan behaviors for Amazon ECR scanning](scanning-ecr.md#ecr-scan-behavior). 

 When an ECR container image's status transitions to `ACTIVE`, Amazon Inspector uses the `lastActivatedAt` field to track the re-scan duration. 