You can enable image scans on push for your repositories to ensure every image is automatically checked against an aggregated set of Common Vulnerabilities and Exposures (CVEs). This can help you automate detection of and response to container image vulnerabilities before images are promoted and deployed into production. You can also scan images using an API command, allowing you to set up periodic scans for running container images to ensure continued monitoring. ECR notifies you when a scan completes, and results are available in the console and over the API.
Image Scanning for Amazon ECR is available at no additional charge, and you can now use it in all commercial AWS Regions and GovCloud (US). To learn more, see Image Scanning in the Amazon ECR User Guide. To get started, go to the ECR console in your AWS account, or use the CLI to enable ‘scan on push’ for your repositories.
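One way to act on scan results before promotion, as described above, is to gate a pipeline on the severity counts in the output of `aws ecr describe-image-scan-findings`. This is an added example, not AWS code: the sample response is constructed, and the policy limits and the `evaluate_scan` helper are assumptions made for illustration.

```python
import json

# Constructed sample shaped like the JSON returned by
# `aws ecr describe-image-scan-findings`; repository, tag and counts are made up.
SAMPLE_RESPONSE = json.dumps({
    "repositoryName": "example-repo",
    "imageId": {"imageTag": "1.4.2"},
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"HIGH": 2, "MEDIUM": 7, "LOW": 12},
    },
})

# Assumed policy for this example: no CRITICAL or HIGH findings may ship.
DEFAULT_LIMITS = {"CRITICAL": 0, "HIGH": 0}


def evaluate_scan(response_json, limits=DEFAULT_LIMITS):
    """Return (allowed, reasons) for one scan-findings response (hypothetical helper)."""
    doc = json.loads(response_json)
    status = doc.get("imageScanStatus", {}).get("status")
    # Fail closed: an unfinished or failed scan is not evidence of a clean image.
    if status != "COMPLETE":
        return False, [f"scan status is {status!r}, not COMPLETE"]
    counts = doc.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    reasons = []
    for severity, allowed_max in sorted(limits.items()):
        found = counts.get(severity, 0)  # a severity absent from the counts is treated as zero
        if found > allowed_max:
            reasons.append(f"{severity}: {found} found, at most {allowed_max} allowed")
    return (not reasons), reasons


if __name__ == "__main__":
    ok, why = evaluate_scan(SAMPLE_RESPONSE)
    print("PROMOTE" if ok else "BLOCK", why)
```

In a pipeline, the script's input would be the CLI's JSON output for the image being promoted, and a blocked result would stop the deployment step.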