AWS Security ChangesHomeSearch

AWS inspector documentation change

Service: inspector · 2025-11-22 · Documentation low

File: inspector/latest/user/scanning-ecr.md

Summary

Clarified ECR scanning behavior for ACTIVE vs ARCHIVED images, added details about automatic closure of findings for archived images and triggering scans on status transitions

Security assessment

The changes document operational behaviors rather than addressing vulnerabilities. While archived images not being scanned could impact security posture, this is a documented feature rather than a vulnerability fix. The update improves transparency about security scanning scope.

Diff

diff --git a/inspector/latest/user/scanning-ecr.md b/inspector/latest/user/scanning-ecr.md
index eda9012f2..a9bb66edd 100644
--- a//inspector/latest/user/scanning-ecr.md
+++ b//inspector/latest/user/scanning-ecr.md
@@ -9 +9 @@ Scan behaviors for Amazon ECR scanningMapping container images to running contai
-Amazon Inspector scans container images stored in Amazon Elastic Container Registry for software vulnerabilities to generate [package vulnerability findings](). When you activate Amazon ECR scanning, you set Amazon Inspector as the preferred scanning service for your private registry. 
+Amazon Inspector scans container images stored in Amazon Elastic Container Registry for software vulnerabilities to generate [package vulnerability findings](https://docs.aws.amazon.com/). When you activate Amazon ECR scanning, you set Amazon Inspector as the preferred scanning service for your private registry. 
@@ -29 +29,3 @@ This section provides information about Amazon ECR scanning and describes how to
-When you first activate Amazon ECR scanning, Amazon Inspector detects images pushed within the last 14 days. Amazon Inspector then scans the images and sets the scan statuses to `active`. If continuous scanning is enabled, Amazon Inspector monitors images as long as they were pushed within 14 days (by default), the last-in-use date is within 14 days (by default), or the images are scanned within the configured re-scan duration. For Amazon Inspector accounts that were created prior to May 16th, 2025, the default configuration is for re-scan to monitor images if they were pushed or pulled within the last 90 days. For more information, see [Configuring the Amazon ECR re-scan duration](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_configure_duration_setting_ecr.html). 
+When you first activate Amazon ECR scanning, Amazon Inspector detects images pushed within the last 14 days. Amazon Inspector then scans the images and sets the scan statuses to `ACTIVE`. Amazon Inspector will only scan images active in ECR (`imageStatus` field is `ACTIVE`). Images with Archived status in ECR (`imageStatus` field is `ARCHIVED`) are not scanned by Amazon Inspector. 
+
+If continuous scanning is enabled, Amazon Inspector monitors images as long as they were pushed within 14 days (by default), the last-in-use date is within 14 days (by default), or the images are scanned within the configured re-scan duration. For Amazon Inspector accounts that were created prior to May 16th, 2025, the default configuration is for re-scan to monitor images if they were pushed or pulled within the last 90 days. For more information, see [Configuring the Amazon ECR re-scan duration](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_configure_duration_setting_ecr.html). 
@@ -36,0 +39,2 @@ For continuous scanning, Amazon Inspector initiates new vulnerability scans of c
+  * Whenever a container image is transitioned from archived to active in ECR.
+
@@ -50,0 +55,4 @@ You can check when a container image was last checked for vulnerabilities from t
+### Archived ECR container images
+
+Amazon Inspector does not scan container images archived in ECR (`imageStatus` is `ARCHIVED`). When an active image in ECR is transitioned to archived, Amazon Inspector automatically closes findings and then deletes the findings after 3 days. If an archived container image is transitioned to active in ECR, Amazon Inspector triggers a new scan. 
+