
aws_ecr_image resource


Use the aws_ecr_image InSpec audit resource to test the properties of a single image in an AWS Elastic Container Registry (ECR) repository. This resource is available in InSpec AWS resource pack version 1.11.0 onwards.

Syntax

An aws_ecr_image resource block declares the tests for a single image in an AWS ECR repository by repository name and image identifier.

describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
  it { should exist }
end

The repository name and the image identifier (either image_tag or image_digest) must be provided. The ID of the registry is optional.

repository_name (required)

The name of the ECR repository must satisfy the following constraints:

  • Regex pattern (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*.
  • Between 2 and 256 characters long.

image_tag (required if image_digest not provided)

The tag used for the image. It cannot be longer than 300 characters.

image_digest (required if image_tag not provided)

The sha256 digest of the image manifest. It must satisfy this regex pattern: [a-zA-Z0-9-_+.]+:[a-fA-F0-9]+.

registry_id (optional)

The 12-digit ID of the AWS Elastic Container Registry. If not provided, the default registry is assumed.

Properties

  • repository_name: The name of the repository.
  • registry_id: The AWS account ID associated with the registry that contains the repository.
  • tags: The list of tags associated with this image.
  • vulnerability_severity_counts: The image vulnerability counts, sorted by severity, e.g. {:high=>1}.
  • vulnerabilities: A list of hashes, each key-value pair corresponding to one attribute of an image scan finding, e.g. {:name=>"CVE-2019-14697", :uri=>"", :severity=>"HIGH", :package_version=>"1.1.18-r3", :package_name=>"musl", :CVSS2_VECTOR=>"AV:N/AC:L/Au:N/C:P/I:P/A:P", :CVSS2_SCORE=>"7.5"}.
  • cve_ids: The list of CVE IDs of the vulnerabilities in the image.
  • highest_vulnerability_severity: The CVSS v2 score of the most severe vulnerability in the image.

There are also additional properties available. For a comprehensive list, see the API reference documentation.

Examples

Test the scan status of an image

describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
  its('image_scan_status.status') { should eq 'COMPLETE' }
end

Test that an image has a certain tag

describe aws_ecr_image(repository_name: 'my-repo', image_digest: 'sha256:687fba9b76554c8dea4c40fed4144011f29b8e1d5db5f2fc976c64ed31894967') do
  its('tags') { should include('latest') }
end

Test that an image does not contain the Heartbleed vulnerability

describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
  its('cve_ids') { should_not include('CVE-2014-0160') }
end

Test that an image does not contain a vulnerability more severe than CVSS v2 score 8

describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
  its('highest_vulnerability_severity') { should be <= 8 }
end
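The examples above assert on summary properties that the resource derives from the image's scan findings. The plain Ruby below is an added illustration, not code from the InSpec AWS resource pack: it rebuilds those same summaries (vulnerabilities, cve_ids, vulnerability_severity_counts, highest_vulnerability_severity) from a constructed DescribeImageScanFindings-style response and then applies a small policy gate (image_compliant?, a hypothetical helper) that combines the scan-status, denylisted-CVE and maximum-CVSS checks shown in the examples. SAMPLE_SCAN and its package data are made up; only the two CVE IDs come from this page.

```ruby
# Constructed sample response shaped after the ECR DescribeImageScanFindings
# result (snake_case keys as the AWS Ruby SDK returns them); values are made up.
SAMPLE_SCAN = {
  image_scan_status: { status: 'COMPLETE' },
  image_scan_findings: {
    finding_severity_counts: { 'HIGH' => 1, 'MEDIUM' => 1 },
    findings: [
      { name: 'CVE-2019-14697', uri: '', severity: 'HIGH',
        attributes: [{ key: 'package_name', value: 'musl' },
                     { key: 'package_version', value: '1.1.18-r3' },
                     { key: 'CVSS2_VECTOR', value: 'AV:N/AC:L/Au:N/C:P/I:P/A:P' },
                     { key: 'CVSS2_SCORE', value: '7.5' }] },
      { name: 'CVE-2014-0160', uri: '', severity: 'MEDIUM',
        attributes: [{ key: 'package_name', value: 'openssl' },
                     { key: 'package_version', value: '1.0.1e-r0' },
                     { key: 'CVSS2_VECTOR', value: 'AV:N/AC:L/Au:N/C:P/I:N/A:N' },
                     { key: 'CVSS2_SCORE', value: '5.0' }] }
    ]
  }
}.freeze

# One flat hash per finding, in the shape the `vulnerabilities` property shows.
def vulnerabilities(resp)
  resp[:image_scan_findings][:findings].map do |f|
    attrs = f[:attributes].to_h { |a| [a[:key].to_sym, a[:value]] }
    { name: f[:name], uri: f[:uri], severity: f[:severity] }.merge(attrs)
  end
end

def cve_ids(resp)
  vulnerabilities(resp).map { |v| v[:name] }
end

# Severity labels lower-cased into symbols, e.g. {:high=>1, :medium=>1}.
def vulnerability_severity_counts(resp)
  resp[:image_scan_findings][:finding_severity_counts].to_h { |k, v| [k.downcase.to_sym, v] }
end

# Highest CVSS v2 score across findings; 0.0 for an empty scan (an assumption here).
def highest_vulnerability_severity(resp)
  vulnerabilities(resp).map { |v| v[:CVSS2_SCORE].to_f }.max || 0.0
end

# Policy gate: scan finished, no denylisted CVE present, nothing above max_cvss.
def image_compliant?(resp, max_cvss:, denied_cves: [])
  return false unless resp[:image_scan_status][:status] == 'COMPLETE'
  return false if (cve_ids(resp) & denied_cves).any?
  highest_vulnerability_severity(resp) <= max_cvss
end
```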

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
  it { should exist }
end

AWS Permissions

Your Principal will need the ecr:DescribeImages and ecr:DescribeImageScanFindings actions set to allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.