ECR Image Registry Scanning

Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. It hosts your container images in a highly available and scalable architecture, allowing you to reliably deploy containers for your applications.

Once a new image is pushed to Amazon ECR, this is picked up by Amazon EventBridge and passed to a Lambda function which creates an ephemeral CodeBuild task to build and scan the base image.

AWS CodeBuild is a fully managed continuous integration service. CodeBuild compiles source code, runs tests, and produces deployable software packages without the need to provision, manage, and scale your own build servers.

CodeBuild in progress A CodeBuild pipeline run in progress

The results of the scan are then sent to the Sysdig Secure backend. You are not required to configure, or expose, the registry on the Sysdig Secure side. Also, the image itself is not sent to Sysdig, but only the image metadata.

CodeBuild result Result of the CodeBuild pipeline execution

Although the scan actually happens within this AWS pipeline, you maintain the scanning policies and view results within Sysdig.

You don’t have to check these resources in AWS, just visit your Sysdig account to find the reports for all images scanned.

Image Scan report Image scan report

Visit the AWS Workshop for hands-on training

For more information and hands-on training on this and other features of Sysdig Secure for cloud, visit the official AWS Workshop at:

Continue to next sections

Ready to learn more about all of the security capabilities?

Visit the Threat Detection based on CloudTrail section.
Visit the Cloud Security Posture Management and Compliance section.
Visit the ECR Image Registry Scanning section.
Visit the Fargate Image Scanning section.

Please visit any of the following sections for more information: