Amazon ECR provides two versions of basic scanning that use the Common Vulnerabilities and Exposures (CVEs) database:
AWS native basic scanning â Uses AWS native technology, which is now GA and recommended. This improved basic scanning is designed to provide customers with better scanning results and vulnerability detection across a broad set of popular operating systems. This allows customers to further strengthen the security of their container images. All new customer registries are opted into this improved version by default.
Clair basic scanning â The previous basic scanning version which uses the open-source Clair project and is deprecated. For more information about Clair, see Clair on GitHub.
Both AWS native and Clair basic scanning are supported in all regions listed in AWS Services by Region, except for those that were added after September, 2024. Because Clair support is deprecated, Clair will not be supported in new regions as they are added and will no longer be supported in all regions as of October 1, 2025.
Amazon ECR uses the severity for a CVE from the upstream distribution source if available. Otherwise, the Common Vulnerability Scoring System (CVSS) score is used. The CVSS score can be used to obtain the NVD vulnerability severity rating. For more information, see NVD Vulnerability Severity Ratings.
Both versions of Amazon ECR basic scanning support filters to specify which repositories to scan on push. Any repositories that don't match a scan on push filter are set to the manual scan frequency which means you must manually start the scan. An image can be scanned once per 24 hours. The 24 hours includes the initial scan on push, if configured, and any manual scans. With basic scanning, you can scan up to 100,000 images per 24 hours in a given registry. The 100,000 limit includes both initial scan on push and manual scans, across both Clair and improved version of basic scanning.
The last completed image scan findings can be retrieved for each image. When an image scan is completed, Amazon ECR sends an event to Amazon EventBridge. For more information, see Amazon ECR events and EventBridge.
Operating system support for basic scanning and improved basic scanningAs a security best practice and for continued coverage, we recommend that you continue to use supported versions of an operating system. In accordance with vendor policy, discontinued operating systems are no longer updated with patches and, in many cases, new security advisories are no longer released for them. In addition, some vendors remove existing security advisories and detections from their feeds when an affected operating system reaches the end of standard support. After a distribution loses support from its vendor, Amazon ECR may no longer support scanning it for vulnerabilities. Any findings that Amazon ECR does generate for a discontinued operating system should be used for informational purposes only. Listed below are the current supported operating systems and versions.
Operating System Version AWS native basic Clair basic Alpine Linux (Alpine) 3.18 Yes Yes Alpine Linux (Alpine) 3.19 Yes Yes Alpine Linux (Alpine) 3.20 Yes Yes Alpine Linux (Alpine) 3.21 Yes No AlmaLinux 8 Yes No AlmaLinux 9 Yes No Amazon Linux 2 (AL2) AL2 Yes Yes Amazon Linux 2023(AL2023) AL2023 Yes Yes Debian Server (Bookworm) 12 Yes Yes Debian Server (Bullseye) 11 Yes Yes Fedora 40 Yes No Fedora 41 Yes No OpenSUSE Leap 15.6 Yes No Oracle Linux (Oracle) 9 Yes Yes Oracle Linux (Oracle) 8 Yes Yes Photon OS 4 Yes No Photon OS 5 Yes No Red Hat Enterprise Linux (RHEL) 8 Yes Yes Red Hat Enterprise Linux (RHEL) 9 Yes Yes Rocky Linux 8 Yes No Rocky Linux 9 Yes No SUSE Linux Enterprise Server (SLES) 15.6 Yes No Ubuntu (Xenial) 16.04 (ESM) Yes Yes Ubuntu (Bionic) 18.04 (ESM) Yes Yes Ubuntu (Focal) 20.04 (LTS) Yes Yes Ubuntu (Jammy) 22.04 (LTS) Yes Yes Ubuntu (Noble Numbat) 24.04 Yes No Ubuntu (Oracular Oriole)) 24.10 Yes NoRetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4