Table: aws_ecr_registry_scanning_configuration - Query AWS ECR Registry Scanning Configuration using SQL
The AWS ECR Registry Scanning Configurations are defined at the private registry level on a per-region basis. These refer to the settings and policies that govern how Amazon ECR scans your container images for vulnerabilities. Amazon ECR integrates with the Amazon ECR image scanning feature, which automatically scans your Docker and OCI images for software vulnerabilities.
Table Usage Guide
The aws_ecr_registry_scanning_configuration table in Steampipe provides you with information about the scanning configurations of Amazon Elastic Container Registry (ECR). This table allows you, as a cloud administrator, security team member, or developer, to query the scanning rules associated with the registry. You can utilize this table to gather insights on scanning configurations, such as the rules, the repository filters, and the region name. The schema outlines the various attributes of the scanning configurations for you, including the region, rules, repository filters, scan type and scan frequency.
Examples
Basic configuration info
Analyze the configuration to understand how Amazon ECR scans your container images for vulnerabilities. This is essential for several reasons, primarily centered around security, compliance, and operational efficiency in managing container images.
Postgres:

```sql
select
  registry_id,
  jsonb_pretty(scanning_configuration),
  region
from
  aws_ecr_registry_scanning_configuration;
```

SQLite:

```sql
select
  registry_id,
  scanning_configuration,
  region
from
  aws_ecr_registry_scanning_configuration;
```
Configuration info for a particular region
Determine the scanning configuration of container images for a specific region. This query is beneficial for understanding the scanning configuration of your container images in that particular region.
Postgres:

```sql
select
  registry_id,
  jsonb_pretty(scanning_configuration),
  region
from
  aws_ecr_registry_scanning_configuration
where
  region = 'ap-south-1';
```

SQLite:

```sql
select
  registry_id,
  scanning_configuration,
  region
from
  aws_ecr_registry_scanning_configuration
where
  region = 'ap-south-1';
```
List the regions where enhanced scanning is enabled
Identify regions where the enhanced scanning is enabled for container images. This helps determine whether enhanced vulnerability scanning features are available through integrations with AWS services or third-party tools.
Postgres:

```sql
select
  registry_id,
  region
from
  aws_ecr_registry_scanning_configuration
where
  scanning_configuration ->> 'ScanType' = 'ENHANCED';
```

SQLite:

```sql
select
  registry_id,
  region
from
  aws_ecr_registry_scanning_configuration
where
  json_extract(scanning_configuration, '$.ScanType') = 'ENHANCED';
```
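The examples above look only at the top-level scan type. The Postgres queries below, added here and not part of the Steampipe documentation, flatten the registry rules so that each repository filter and its scan frequency appear on their own row, and then flag regions where no rule with a catch-all `*` filter triggers a scan automatically. They assume the nested keys `Rules`, `ScanFrequency`, `RepositoryFilters`, `Filter` and `FilterType` are capitalised the same way as `ScanType` in the page's own query.

```sql
-- Added example (not from the Steampipe docs). Assumes the jsonb keys
-- Rules, ScanFrequency, RepositoryFilters, Filter and FilterType follow
-- the same capitalisation as ScanType used in the queries above.

-- 1. One row per (region, rule, repository filter).
select
  c.region,
  c.registry_id,
  c.scanning_configuration ->> 'ScanType' as scan_type,
  r ->> 'ScanFrequency'                    as scan_frequency,
  f ->> 'Filter'                           as repository_filter,
  f ->> 'FilterType'                       as filter_type
from
  aws_ecr_registry_scanning_configuration as c
  -- left joins keep regions that have no rules at all (nulls in rule columns)
  left join lateral jsonb_array_elements(
    coalesce(c.scanning_configuration -> 'Rules', '[]'::jsonb)
  ) as r on true
  left join lateral jsonb_array_elements(
    coalesce(r -> 'RepositoryFilters', '[]'::jsonb)
  ) as f on true
order by
  c.region, scan_frequency, repository_filter;

-- 2. Regions whose registry has no rule that scans every repository
--    automatically (on push or continuously); these rely on per-repository
--    settings or manual scans and deserve a closer look.
select
  c.region,
  c.registry_id,
  c.scanning_configuration ->> 'ScanType' as scan_type
from
  aws_ecr_registry_scanning_configuration as c
where
  not exists (
    select 1
    from
      jsonb_array_elements(coalesce(c.scanning_configuration -> 'Rules', '[]'::jsonb)) as r,
      jsonb_array_elements(coalesce(r -> 'RepositoryFilters', '[]'::jsonb)) as f
    where
      f ->> 'Filter' = '*'
      and r ->> 'ScanFrequency' in ('SCAN_ON_PUSH', 'CONTINUOUS_SCAN')
  );
```

Run the first query once to confirm the key names in your account before relying on the second, since a misspelled key silently yields nulls rather than an error.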
Schema for aws_ecr_registry_scanning_configuration
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
registry_id | text | | The ID of the registry.
scanning_configuration | jsonb | | The scanning configuration for the registry.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
title | text | | Title of the resource.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_ecr_registry_scanning_configuration
```