AWS023

ECR repository has image scans disabled.

Explanation

Repository image scanning should be enabled (scan_on_push = true) so that every image pushed to the repository is scanned for known vulnerabilities, allowing vulnerable software to be discovered and remediated as soon as possible.

Insecure Example

The following example will fail the AWS023 check.

resource "aws_ecr_repository" "foo" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = false
  }
}

Secure Example

The following example will pass the AWS023 check.

resource "aws_ecr_repository" "foo" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}
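The two examples above show the condition in HCL. The following script, an added example that is not part of tfsec or the page, applies the same check to the JSON form of a Terraform plan (the output of `terraform show -json tfplan`), so the check can also be run in a pipeline that has no tfsec binary. It assumes the aws provider encodes the `image_scanning_configuration` block as a list of objects under each resource's `values`, and it treats a repository with no block at all as unscanned, since scan_on_push is false when the block is omitted. The plan embedded in SAMPLE_PLAN is constructed for the example and goes slightly beyond the page by covering a repository without the block and one inside a child module.

```python
"""Flag aws_ecr_repository resources in a Terraform plan whose image scanning is
disabled, i.e. the condition the AWS023 check reports.

Added example (not tfsec's own code). Reads `terraform show -json` output and
walks planned_values.root_module, including child modules.
Assumptions: image_scanning_configuration is a list of objects in `values`,
and a repository with no block is treated as unscanned (scan_on_push defaults
to false).
"""
import json
from typing import Any, Dict, Iterator, List


def _walk_resources(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every resource in a planned_values module tree, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)


def scan_on_push_enabled(values: Dict[str, Any]) -> bool:
    """Return True only if the repository's values explicitly enable scan_on_push."""
    blocks = values.get("image_scanning_configuration") or []
    # A missing or empty block means scanning is off (assumed provider default: false).
    return any(bool(block.get("scan_on_push")) for block in blocks)


def find_unscanned_repositories(plan_json: str) -> List[str]:
    """Return the addresses of aws_ecr_repository resources that would fail AWS023."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    failing = []
    for res in _walk_resources(root):
        if res.get("type") != "aws_ecr_repository":
            continue  # other resource types are not subject to this check
        if not scan_on_push_enabled(res.get("values", {})):
            failing.append(res["address"])
    return failing


# Constructed sample plan (not real output): the page's insecure and secure
# examples, a repository that omits the block, a repository in a child module,
# and an unrelated resource that must be ignored.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_ecr_repository.foo", "type": "aws_ecr_repository",
                 "values": {"name": "bar", "image_tag_mutability": "MUTABLE",
                            "image_scanning_configuration": [{"scan_on_push": False}]}},
                {"address": "aws_ecr_repository.secure", "type": "aws_ecr_repository",
                 "values": {"name": "baz", "image_tag_mutability": "MUTABLE",
                            "image_scanning_configuration": [{"scan_on_push": True}]}},
                {"address": "aws_ecr_repository.no_block", "type": "aws_ecr_repository",
                 "values": {"name": "qux", "image_scanning_configuration": []}},
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                 "values": {"bucket": "example-logs"}},
            ],
            "child_modules": [
                {"address": "module.app",
                 "resources": [
                     {"address": "module.app.aws_ecr_repository.child",
                      "type": "aws_ecr_repository",
                      "values": {"name": "app",
                                 "image_scanning_configuration": [{"scan_on_push": True}]}},
                 ]},
            ],
        }
    },
})


if __name__ == "__main__":
    for address in find_unscanned_repositories(SAMPLE_PLAN):
        print(f"AWS023: {address} has image scanning disabled")
```

On the sample plan this reports `aws_ecr_repository.foo` and `aws_ecr_repository.no_block`. One caveat when running it on real plans: a `scan_on_push` value that is not known until apply time does not appear in `values` (it is listed under the resource's `after_unknown` in the resource changes instead), so such a repository would be reported as unscanned by this script and should be reviewed by hand.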