Table: aws_ecr_registry_scanning_configuration - Query AWS ECR Registry Scanning Configuration using SQL
The AWS ECR Registry Scanning Configurations are defined at the private registry level on a per-region basis. These refer to the settings and policies that govern how Amazon ECR scans your container images for vulnerabilities. Amazon ECR integrates with the Amazon ECR image scanning feature, which automatically scans your Docker and OCI images for software vulnerabilities.
Table Usage Guide
The aws_ecr_registry_scanning_configuration
table in Steampipe provides you with information about the scanning configurations of Amazon Elastic Container Registry (ECR). This table allows you, as a cloud administrator, security team member, or developer, to query the scanning rules associated with the registry. You can utilize this table to gather insights on scanning configurations, such as the rules, the repository filters, and the region name. The schema outlines the various attributes of the scanning configurations for you, including the region, rules, repository filters, scan type and scan frequency.
Examples
Basic configuration info
Analyze the configuration to understand that Amazon ECR scans your container images for vulnerabilities. This is essential for several reasons, primarily centered around security, compliance, and operational efficiency in managing container images.
select registry_id, jsonb_pretty(scanning_configuration), regionfrom aws_ecr_registry_scanning_configuration;
select registry_id, scanning_configuration, regionfrom aws_ecr_registry_scanning_configuration;
Configuration info for a particular region
Determine the scanning configuration of container images for a specific region. This query is beneficial for understanding the scanning configuration of your container images in that particular region.
select registry_id, jsonb_pretty(scanning_configuration), regionfrom aws_ecr_registry_scanning_configurationwhere region = 'ap-south-1';
select registry_id, scanning_configuration, regionfrom aws_ecr_registry_scanning_configurationwhere region = 'ap-south-1';
List the regions where enhanced scanning is enabled
Identify regions where the enhanced scanning is enabled for container images. This helps determine whether enhanced vulnerability scanning features are available through integrations with AWS services or third-party tools.
select registry_id, regionfrom aws_ecr_registry_scanning_configurationwhere scanning_configuration ->> 'ScanType' = 'ENHANCED'
select registry_id, regionfrom aws_ecr_registry_scanning_configurationwhere json_extract(scanning_configuration, '$.ScanType') = 'ENHANCED';
Schema for aws_ecr_registry_scanning_configuration
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
region | text | The AWS Region in which the resource is located. | |
registry_id | text | The ID of the registry. | |
scanning_configuration | jsonb | The scanning configuration for the registry. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
title | text | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_ecr_registry_scanning_configuration