v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Steampipe logo 
Hub
Plugins
turbot/aws
Overview
496Tables
Versions
PowerpipeMods
GitHub
steampipe plugin install aws

Table: aws_ecr_image_scan_finding - Query Amazon Elastic Container Registry (ECR) Image Scan Findings using SQL

The Amazon Elastic Container Registry (ECR) Image Scan Findings is a feature of AWS ECR that allows you to identify any software vulnerabilities in your Docker images. It uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project. It provides detailed findings, severity levels, and a description of the vulnerabilities.

Table Usage Guide

The aws_ecr_image_scan_finding table in Steampipe provides you with information about Image Scan Findings within Amazon Elastic Container Registry (ECR). This table allows you, as a DevOps engineer, to query specific details about image scan findings, including attributes such as the severity of the finding, description, and package name where the vulnerability was found. You can utilize this table to gather insights on image scan findings, such as identifying high-risk vulnerabilities, verifying package vulnerabilities, and more. The schema outlines the various attributes of the Image Scan Finding for you, including the repository name, image digest, finding severity, and associated metadata.

Important Notes

  • You or your roles that have the AWS managed ReadOnlyAccess policy attached also need to attach the AWS managed AmazonInspector2ReadOnlyAccess policy to query this table.

Examples

List scan findings for an image

Identify potential vulnerabilities in a specific image within a repository. This assists in enhancing the security by highlighting areas of concern and providing insights into the severity and nature of the detected issues.

select
  repository_name,
  image_tag,
  name,
  severity,
  description,
  attributes,
  uri,
  image_scan_status,
  image_scan_completed_at,
  vulnerability_source_updated_at
from
  aws_ecr_image_scan_finding
where
  repository_name = 'my-repo'
  and image_tag = 'my-image-tag';
select
  repository_name,
  image_tag,
  name,
  severity,
  description,
  attributes,
  uri,
  image_scan_status,
  image_scan_completed_at,
  vulnerability_source_updated_at
from
  aws_ecr_image_scan_finding
where
  repository_name = 'my-repo'
  and image_tag = 'my-image-tag';

Get CVEs for all images pushed in the last 24 hours

Explore potential vulnerabilities in your system by identifying Common Vulnerabilities and Exposures (CVEs) in all images that have been pushed in the last 24 hours. This is particularly useful for maintaining system security and identifying areas that may need immediate attention or updates.

select
  f.repository_name,
  f.image_tag,
  f.name,
  f.severity,
  jsonb_pretty(f.attributes) as attributes
from
  (
    select
      repository_name,
      jsonb_array_elements_text(image_tags) as image_tag
    from
      aws_ecr_image as i
    where
      i.image_pushed_at > now() - interval '24' hour
  ) images
  left outer join aws_ecr_image_scan_finding as f on images.repository_name = f.repository_name
  and images.image_tag = f.image_tag;
select
  f.repository_name,
  f.image_tag,
  f.name,
  f.severity,
  f.attributes as attributes
from
  (
    select
      repository_name,
      json_each.value as image_tag
    from
      aws_ecr_image as i,
      json_each(i.image_tags)
    where
      i.image_pushed_at > datetime('now', '-24 hours')
  ) images
  left outer join aws_ecr_image_scan_finding as f on images.repository_name = f.repository_name
  and images.image_tag = f.image_tag;

Schema for aws_ecr_image_scan_finding

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
account_idtext=, !=, ~~, ~~*, !~~, !~~*The AWS Account ID in which the resource is located.
attributesjsonbA collection of attributes of the host from which the finding is generated.
descriptiontextThe description of the finding.
image_digesttextThe image digest
image_scan_completed_attimestamp with time zoneThe date and time, in JavaScript date format, when the repository was created.
image_scan_statustextThe current state of the scan
image_scan_status_descriptiontextThe description of the image scan status.
image_tagtext=The image tag
nametextThe name associated with the finding, usually a CVE number.
partitiontextThe AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
regiontextThe AWS Region in which the resource is located.
repository_nametext=The name of the repository.
severitytextThe finding severity.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
titletextTitle of the resource.
uritextA link containing additional details about the security vulnerability.
vulnerability_source_updated_attimestamp with time zoneThe date and time, in JavaScript date format, when the repository was created.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_ecr_image_scan_finding