AWS Security Hub · ECR
ECR.1: Container images are not scanned on push
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub ECR.1 check?
ECR.1 checks that a private ECR repository has image scanning configured. It reports FAILED when scan-on-push is not enabled, which means images are stored without any vulnerability assessment.
Why does ECR.1 matter?
Pushing images into a repository that never scans them means known-vulnerable packages ship to production with no signal. Scanning surfaces CVEs in the layers you deploy, and pairing it with tag immutability ensures a clean image cannot be quietly swapped for a vulnerable one after it has been scanned.
How do I fix ECR.1?
- Inventory repositories and check their scanning configuration.
- Enable scan-on-push at the repository level, or set enhanced scanning at the registry level for continuous rescanning via Amazon Inspector.
- Wire the findings into Security Hub so they sit alongside the rest of your posture.
- Pair scanning with tag immutability so scanned images cannot be replaced.
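The inventory and remediation steps above, worked through offline as an added example (not the page's own script): it takes response data shaped like `aws ecr describe-repositories` and `aws ecr get-registry-scanning-configuration`, reports which repositories would fail ECR.1 or lack tag immutability, and emits the fixing CLI commands. The sample data is constructed, a repository covered by a registry-level enhanced-scanning rule is assumed to count as scanned, and glob matching is used as an approximation of ECR's WILDCARD filter semantics.

```python
"""Offline ECR.1 / tag-immutability check over describe-repositories style data."""
import fnmatch

# Constructed sample shaped like `aws ecr describe-repositories` output.
REPOSITORIES = {
    "repositories": [
        {"repositoryName": "api", "imageTagMutability": "MUTABLE",
         "imageScanningConfiguration": {"scanOnPush": False}},
        {"repositoryName": "worker", "imageTagMutability": "IMMUTABLE",
         "imageScanningConfiguration": {"scanOnPush": True}},
        {"repositoryName": "prod/web", "imageTagMutability": "MUTABLE",
         "imageScanningConfiguration": {"scanOnPush": False}},
    ]
}

# Constructed sample shaped like `aws ecr get-registry-scanning-configuration`.
REGISTRY_SCANNING = {
    "scanningConfiguration": {
        "scanType": "ENHANCED",
        "rules": [{"scanFrequency": "CONTINUOUS_SCAN",
                   "repositoryFilters": [{"filter": "prod/*", "filterType": "WILDCARD"}]}],
    }
}


def registry_covers(name, registry):
    """True if a registry-level enhanced-scanning rule matches this repository.
    Assumption: WILDCARD filters are treated as shell-style globs."""
    cfg = registry["scanningConfiguration"]
    if cfg.get("scanType") != "ENHANCED":
        return False
    return any(fnmatch.fnmatchcase(name, f["filter"])
               for rule in cfg.get("rules", [])
               for f in rule.get("repositoryFilters", []))


def evaluate(repos, registry):
    """Return one finding per repository with its ECR.1 status and fix commands."""
    findings = []
    for repo in repos["repositories"]:
        name = repo["repositoryName"]
        scan_on_push = repo["imageScanningConfiguration"]["scanOnPush"]
        scanned = scan_on_push or registry_covers(name, registry)
        immutable = repo["imageTagMutability"] == "IMMUTABLE"
        fixes = []
        if not scanned:  # would FAIL ECR.1: enable scan-on-push at the repository level
            fixes.append(f"aws ecr put-image-scanning-configuration --repository-name {name} "
                         "--image-scanning-configuration scanOnPush=true")
        if not immutable:  # scanned image could still be replaced under the same tag
            fixes.append(f"aws ecr put-image-tag-mutability --repository-name {name} "
                         "--image-tag-mutability IMMUTABLE")
        findings.append({"repository": name, "ecr1": "PASSED" if scanned else "FAILED",
                         "immutable": immutable, "remediation": fixes})
    return findings
```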
Remediation script · bash
# Enable the GuardDuty base detector in every Region (run from the delegated admin account).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    existing=$(aws guardduty list-detectors --region "$region" --query 'DetectorIds[0]' --output text)
    if [ "$existing" = "None" ]; then
        aws guardduty create-detector --enable \
            --finding-publishing-frequency FIFTEEN_MINUTES --region "$region"
        echo "$region: GuardDuty detector created"
    fi
done

# Turn on Inspector EC2/ECR/Lambda scanning for this account and Region.
aws inspector2 enable --resource-types EC2 ECR LAMBDA

# Enable Macie (free bucket inventory clears Macie.1; discovery jobs are scoped separately by risk).
aws macie2 enable-macie --status ENABLED --finding-publishing-frequency FIFTEEN_MINUTES

Full walkthrough (console steps, edge cases and verification) in the lesson Enable threat detection and vulnerability scanning.