loading
loading
Containers
Trivy vulnerability scanning for container images stored in Amazon ECR.
overview
trivy-ecr-scan runs Aqua Security's Trivy against container images pulled from Amazon Elastic Container Registry. It logs into ECR with the AWS credentials you supply, reads a list of images, and scans each one for known vulnerabilities in both the OS packages and the application libraries baked into the layers. The result is a per-image inventory of CVEs you can gate a pipeline on.
It is tuned for registry workflows. You feed it a file of image references and a colon-separated AWS credential string, then shape the scan with the usual Trivy knobs: filter by severity, restrict to OS or library vulnerability types, ignore unfixed issues, and set an exit code so a build fails when something serious turns up. Output formats include table, JSON, and SARIF so findings flow into dashboards and code-scanning tools.
On Trickest, trivy-ecr-scan is a Containers-category node that takes an image list and ECR credentials and writes a folder of results. Reach for it to scan the images your build pushes to ECR, on a schedule or as a release gate, and route the findings into reporting downstream.
use cases
Log into ECR with AWS credentials and scan a list of registry images for OS and library CVEs, so the artifacts you ship get checked where they live.
Filter to HIGH and CRITICAL with --severity and set --exit-code so a build fails when a serious vulnerability appears, stopping a risky image before it deploys.
Turn on --ignore-unfixed so the report lists only vulnerabilities with an available patch, keeping the triage queue to issues you can remediate now.
Emit JSON or SARIF with --format so the scan results flow into code-scanning tools and reporting instead of staying as console output.
Wire the node into a scheduled workflow so every image in ECR gets re-scanned against a fresh vulnerability database as new CVEs are published.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| image-list | FILE | · | List of images, one per line, to scan. |
| aws-credentials | FILE | · | ECR login as AWS_ACCESS_KEY_ID:AWS_SECRET_ACCESS_KEY:AWS_DEFAULT_REGION. |
| severity | STRING | --severity | Severities to display (default UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL). |
| format | STRING | --format | Output format: table, json, sarif, or template (default table). |
| vuln-type | STRING | --vuln-type | Vulnerability types to scan: os, library (default os,library). |
| exit-code | STRING | --exit-code | Exit code to return when vulnerabilities are found (default 0). |
| ignore-unfixed | BOOLEAN | --ignore-unfixed | Display only vulnerabilities that have a fix available. |
| security-checks | STRING | --security-checks | Security issues to detect: vuln, config (default vuln). |
Showing key inputs. trivy-ecr-scan exposes 18 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| light | BOOLEAN | --light | deprecated (default false) |
| format | STRING | --format | output format: table, json, sarif, template (default table) |
| timeout | STRING | --timeout | scan timeout (default 5m0s) |
| insecure | BOOLEAN | --insecure | allow insecure server connections over SSL (default false) |
| severity | STRING | --severity | severities to display, comma separated (default UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) |
| exit-code | STRING | --exit-code | exit code returned when vulnerabilities are found (default 0) |
| skip-dirs | STRING | --skip-dirs | directories where traversal is skipped |
| vuln-type | STRING | --vuln-type | comma-separated vulnerability types: os, library (default os,library) |
| image-list | FILE | · | list of images, one per line, to be scanned |
| skip-files | STRING | --skip-files | file paths to skip during traversal |
| no-progress | BOOLEAN | --no-progress | suppress the progress bar (default false) |
| removed-pkgs | BOOLEAN | --removed-pkgs | detect vulnerabilities in removed packages, Alpine only (default false) |
| ignore-policy | FILE | --ignore-policy | Rego file used to evaluate each vulnerability |
| list-all-pkgs | BOOLEAN | --list-all-pkgs | output all packages regardless of vulnerability (default false) |
| ignore-unfixed | BOOLEAN | --ignore-unfixed | display only vulnerabilities that have a fix (default false) |
| skip-db-update | BOOLEAN | --skip-db-update | skip updating the vulnerability database (default false) |
| aws-credentials | FILE | · | ECR login as AWS_ACCESS_KEY_ID:AWS_SECRET_ACCESS_KEY:AWS_DEFAULT_REGION (colon-separated) |
| security-checks | STRING | --security-checks | comma-separated security issues to detect: vuln, config (default vuln) |
example
# fail the build on fixable HIGH/CRITICAL CVEs in an ECR imagetrivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 \ 111122223333.dkr.ecr.us-east-1.amazonaws.com/example/api:latestexample/api:latest (debian 12.4)Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 4, CRITICAL: 1) ┌──────────┬────────────────┬──────────┬──────────┬───────────────┬──────────────────────────────┐│ Library │ Vulnerability │ Severity │ Status │ Installed Ver │ Title │├──────────┼────────────────┼──────────┼──────────┼───────────────┼──────────────────────────────┤│ libssl3 │ CVE-2024-6119 │ HIGH │ fixed │ 3.0.11-1 │ openssl: denial of service ││ libc6 │ CVE-2023-4911 │ CRITICAL │ fixed │ 2.36-9 │ glibc: buffer overflow ld.so ││ zlib1g │ CVE-2023-45853 │ HIGH │ affected │ 1.2.13.dfsg-1 │ zlib: integer overflow │└──────────┴────────────────┴──────────┴──────────┴───────────────┴──────────────────────────────┘guidance
Use trivy-ecr-scan when your images live in Amazon ECR and you want them scanned where they are stored, with AWS login handled for you. For images in Docker Hub or another registry, or for local images, use trivy-image-scan instead.
Scans images from any registry or locally. Use it when the images are not in ECR.
Hunts secrets in code and artifacts. Pair it with Trivy to cover leaked credentials alongside CVEs.
Tests running services for issues. Trivy inspects the image contents; the two cover different layers.
faq
related
An image list and ECR credentials feed trivy-ecr-scan, which pulls each image, scans it for CVEs, and writes the vulnerabilities as an output.
Facts on this page come from the live Trickest tool library.