DescribeImageScanFindings
Returns the scan findings for the specified image.
Request Syntax
{
"imageId": {
"imageDigest": "string",
"imageTag": "string"
},
"maxResults": number,
"nextToken": "string",
"registryId": "string",
"repositoryName": "string"
}Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- imageId
-
An object with identifying information for an image in an Amazon ECR repository.
Type: ImageIdentifier object
Required: Yes
- maxResults
-
The maximum number of image scan results returned by
DescribeImageScanFindingsin paginated output. When this parameter is used,DescribeImageScanFindingsonly returnsmaxResultsresults in a single page along with anextTokenresponse element. The remaining results of the initial request can be seen by sending anotherDescribeImageScanFindingsrequest with the returnednextTokenvalue. This value can be between 1 and 1000. If this parameter is not used, thenDescribeImageScanFindingsreturns up to 100 results and anextTokenvalue, if applicable.Type: Integer
Valid Range: Minimum value of 1. Maximum value of 1000.
Required: No
- nextToken
-
The
nextTokenvalue returned from a previous paginatedDescribeImageScanFindingsrequest wheremaxResultswas used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned thenextTokenvalue. This value is null when there are no more results to return.Type: String
Required: No
- registryId
-
The AWS account ID associated with the registry that contains the repository in which to describe the image scan findings for. If you do not specify a registry, the default registry is assumed.
Type: String
Pattern:
[0-9]{12}Required: No
- repositoryName
-
The repository for the image for which to describe the scan findings.
Type: String
Length Constraints: Minimum length of 2. Maximum length of 256.
Pattern:
(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*Required: Yes
Response Syntax
{
"imageId": {
"imageDigest": "string",
"imageTag": "string"
},
"imageScanFindings": {
"enhancedFindings": [
{
"awsAccountId": "string",
"description": "string",
"exploitAvailable": "string",
"findingArn": "string",
"firstObservedAt": number,
"fixAvailable": "string",
"lastObservedAt": number,
"packageVulnerabilityDetails": {
"cvss": [
{
"baseScore": number,
"scoringVector": "string",
"source": "string",
"version": "string"
}
],
"referenceUrls": [ "string" ],
"relatedVulnerabilities": [ "string" ],
"source": "string",
"sourceUrl": "string",
"vendorCreatedAt": number,
"vendorSeverity": "string",
"vendorUpdatedAt": number,
"vulnerabilityId": "string",
"vulnerablePackages": [
{
"arch": "string",
"epoch": number,
"filePath": "string",
"fixedInVersion": "string",
"name": "string",
"packageManager": "string",
"release": "string",
"sourceLayerHash": "string",
"version": "string"
}
]
},
"remediation": {
"recommendation": {
"text": "string",
"url": "string"
}
},
"resources": [
{
"details": {
"awsEcrContainerImage": {
"architecture": "string",
"author": "string",
"imageHash": "string",
"imageTags": [ "string" ],
"inUseCount": number,
"lastInUseAt": number,
"platform": "string",
"pushedAt": number,
"registry": "string",
"repositoryName": "string"
}
},
"id": "string",
"tags": {
"string" : "string"
},
"type": "string"
}
],
"score": number,
"scoreDetails": {
"cvss": {
"adjustments": [
{
"metric": "string",
"reason": "string"
}
],
"score": number,
"scoreSource": "string",
"scoringVector": "string",
"version": "string"
}
},
"severity": "string",
"status": "string",
"title": "string",
"type": "string",
"updatedAt": number
}
],
"findings": [
{
"attributes": [
{
"key": "string",
"value": "string"
}
],
"description": "string",
"name": "string",
"severity": "string",
"uri": "string"
}
],
"findingSeverityCounts": {
"string" : number
},
"imageScanCompletedAt": number,
"vulnerabilitySourceUpdatedAt": number
},
"imageScanStatus": {
"description": "string",
"status": "string"
},
"nextToken": "string",
"registryId": "string",
"repositoryName": "string"
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- imageId
-
An object with identifying information for an image in an Amazon ECR repository.
Type: ImageIdentifier object
- imageScanFindings
-
The information contained in the image scan findings.
Type: ImageScanFindings object
- imageScanStatus
-
The current state of the scan.
Type: ImageScanStatus object
- nextToken
-
The
nextTokenvalue to include in a futureDescribeImageScanFindingsrequest. When the results of aDescribeImageScanFindingsrequest exceedmaxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.Type: String
- registryId
-
The registry ID associated with the request.
Type: String
Pattern:
[0-9]{12} - repositoryName
-
The repository name associated with the request.
Type: String
Length Constraints: Minimum length of 2. Maximum length of 256.
Pattern:
(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*
Errors
For information about the errors that are common to all actions, see Common Errors.
- ImageNotFoundException
-
The image requested does not exist in the specified repository.
HTTP Status Code: 400
- InvalidParameterException
-
The specified parameter is invalid. Review the available parameters for the API request.
- message
-
The error message associated with the exception.
HTTP Status Code: 400
- RepositoryNotFoundException
-
The specified repository could not be found. Check the spelling of the specified repository and ensure that you are performing operations on the correct registry.
- message
-
The error message associated with the exception.
HTTP Status Code: 400
- ScanNotFoundException
-
The specified image scan could not be found. Ensure that image scanning is enabled on the repository and try again.
HTTP Status Code: 400
- ServerException
-
These errors are usually caused by a server-side issue.
- message
-
The error message associated with the exception.
HTTP Status Code: 500
- ValidationException
-
There was an exception validating this request.
HTTP Status Code: 400
Examples
In the following example or examples, the Authorization header contents
(AUTHPARAMS) must be replaced with an AWS Signature Version 4
signature. For more information about creating these signatures, see Signature
Version 4 Signing Process in the
AWS General
Reference.
You only need to learn how to sign HTTP requests if you intend to manually
create them. When you use the AWS Command Line Interface (AWS CLI)
Example for basic image scanning
This example returns the image scan findings for an image using the image
digest in a repository named sample-repo in the default registry
for an account.
Sample Request
POST / HTTP/1.1
Host: ecr.us-west-2.amazonaws.com
Accept-Encoding: identity
Content-Length: 141
X-Amz-Target: AmazonEC2ContainerRegistry_V20150921.DescribeImageScanFindings
X-Amz-Date: 20200124T034807Z
User-Agent: aws-cli/1.16.310 Python/3.6.1 Darwin/18.7.0 botocore/1.13.46
Content-Type: application/x-amz-json-1.1
Authorization: AUTHPARAMS
{
"repositoryName": "sample-repo",
"imageId": {
"imageDigest": "sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6"
}
}Sample Response
HTTP/1.1 200 OK
Server: Server
Date: Fri, 24 Jan 2020 03:48:07 GMT
Content-Type: application/x-amz-json-1.1
Content-Length: 33967
Connection: keep-alive
x-amzn-RequestId: 3081a92b-2066-41f8-8a47-0580288ada9e
{
"imageScanFindings": {
"findings": [
{
"name": "CVE-2019-5188",
"description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
"uri": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188",
"severity": "MEDIUM",
"attributes": [
{
"key": "package_version",
"value": "1.44.1-1ubuntu1.1"
},
{
"key": "package_name",
"value": "e2fsprogs"
},
{
"key": "CVSS2_VECTOR",
"value": "AV:L/AC:L/Au:N/C:P/I:P/A:P"
},
{
"key": "CVSS2_SCORE",
"value": "4.6"
}
]
}
],
"imageScanCompletedAt": 1579839105.0,
"vulnerabilitySourceUpdatedAt": 1579811117.0,
"findingSeverityCounts": {
"MEDIUM": 1
}
},
"registryId": "012345678910",
"repositoryName": "sample-repo",
"imageId": {
"imageDigest": "sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6"
},
"imageScanStatus": {
"status": "COMPLETE",
"description": "The scan was completed successfully."
}
}Example for enhanced image scanning
This example illustrates one usage of DescribeImageScanFindings.
Sample Request
POST / HTTP/1.1
Host: ecr.us-west-2.amazonaws.com
Accept-Encoding: identity
Content-Length: 141
X-Amz-Target: AmazonEC2ContainerRegistry_V20150921.DescribeImageScanFindings
X-Amz-Date: 20250610T201255Z
User-Agent: aws-cli/1.16.310 Python/3.6.1 Darwin/18.7.0 botocore/1.13.46
Content-Type: application/x-amz-json-1.1
Authorization: AUTHPARAMS
{
"registryId": "123456789012",
"repositoryName": "sample-repo",
"imageId": {
"imageDigest": "sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6"
}
}
Sample Response
HTTP/1.1 200 OK
Server: Server
Date: Mon, 10 Jun 2025 20:12:55 GMT
Content-Type: application/x-amz-json-1.1
Content-Length: 33967
Connection: keep-alive
x-amzn-RequestId: 3081a92b-2066-41f8-8a47-0580288ada9e
{
"imageScanFindings": {
"enhancedFindings": [
{
"awsAccountId": "123456789012",
"description": "xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.",
"findingArn": "arn:aws:inspector2:us-west-2:123456789012:finding/123456789012123456789012",
"firstObservedAt": "2025-05-27T17:54:07.765000+00:00",
"lastObservedAt": "2025-06-09T07:08:40.144000+00:00",
"packageVulnerabilityDetails": {
"cvss": [
{
"baseScore": 8.1,
"scoringVector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"source": "NVD",
"version": "3.1"
}
],
"referenceUrls": [
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094238",
"https://security-tracker.debian.org/tracker/CVE-2022-49043"
],
"relatedVulnerabilities": [],
"source": "DEBIAN_CVE",
"sourceUrl": "https://security-tracker.debian.org/tracker/CVE-2022-49043",
"vendorSeverity": "not yet assigned",
"vulnerabilityId": "CVE-2022-49043",
"vulnerablePackages": [
{
"arch": "AMD64",
"epoch": 0,
"name": "libxml2",
"packageManager": "OS",
"release": "1.3~deb12u1",
"sourceLayerHash": "sha256:deb7d8874f38d4ec281d990aac2c7badbfcd5b97d602a388056e3f918a3f8cc7",
"version": "2.9.14+dfsg",
"fixedInVersion": "NotAvailable"
}
]
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"resources": [
{
"details": {
"awsEcrContainerImage": {
"architecture": "amd64",
"imageHash": "sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6",
"imageTags": [
"latest"
],
"platform": "DEBIAN_12",
"pushedAt": "2025-05-27T17:53:50.554000+00:00",
"lastInUseAt": "2025-06-09T04:43:20.427000+00:00",
"inUseCount": 1,
"registry": "123456789012",
"repositoryName": "sample-repo"
}
},
"id": "arn:aws:ecr:us-west-2:123456789012:repository/sample-repo/sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6",
"tags": {},
"type": "AWS_ECR_CONTAINER_IMAGE"
}
],
"score": 8.1,
"scoreDetails": {
"cvss": {
"adjustments": [],
"score": 8.1,
"scoreSource": "NVD",
"scoringVector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"severity": "HIGH",
"status": "ACTIVE",
"title": "CVE-2022-49043 - libxml2",
"type": "PACKAGE_VULNERABILITY",
"updatedAt": "2025-06-09T07:08:40.144000+00:00",
"fixAvailable": "NO",
"exploitAvailable": "NO"
},
],
"imageScanCompletedAt": "2025-06-09T07:08:40.144000+00:00",
"vulnerabilitySourceUpdatedAt": "2025-06-09T07:08:40.144000+00:00",
"findingSeverityCounts": {
"HIGH": 1,
}
},
"registryId": "123456789012",
"repositoryName": "sample-repo",
"imageId": {
"imageDigest": "sha256:74b2c688c700ec95a93e478cdb959737c148df3fbf5ea706abe0318726e885e6"
},
"imageScanStatus": {
"status": "ACTIVE",
"description": "Continuous scan is selected for image."
}
} See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
