Unscanned ECR Image
- Query id: 9025b2b3-e554-4842-ba87-db7aeec36d35
- Query name: Unscanned ECR Image
- Platform: CloudFormation
- Severity: Low
- Category: Observability
- CWE: 693
- URL: Github
Description¶
Checks if the ECR Image has been scanned
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-11"
Resources:
MyRepository3:
Type: AWS::ECR::Repository
Properties:
RepositoryName: "test-repository"
RepositoryPolicyText:
Version: "2012-10-17"
Statement:
-
Sid: AllowPushPull
Effect: Allow
Principal:
AWS:
- "arn:aws:iam::123456789012:user/Bob"
- "arn:aws:iam::123456789012:user/Alice"
Action:
- "ecr:GetDownloadUrlForLayer"
- "ecr:BatchGetImage"
- "ecr:BatchCheckLayerAvailability"
- "ecr:PutImage"
- "ecr:InitiateLayerUpload"
- "ecr:UploadLayerPart"
- "ecr:CompleteLayerUpload"
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-11"
Resources:
MyRepository4:
Type: AWS::ECR::Repository
Properties:
RepositoryName: "test-repository"
ImageScanningConfiguration:
ScanOnPush: "false"
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"MyRepository5": {
"Type": "AWS::ECR::Repository",
"Properties": {
"RepositoryName": "test-repository",
"RepositoryPolicyText": {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/Bob",
"arn:aws:iam::123456789012:user/Alice"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
}
]
}
}
}
}
}