terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push

profile photo of semgrepsemgrep
Author
1,703
Download Count*

The ECR Repository isn't configured to scan images on push

Run Locally

Run in CI

Defintion

rules:
  - id: ecr-image-scan-on-push
    patterns:
      - pattern: resource
      - pattern-not-inside: |
          resource "aws_ecr_repository" "..." {
            ...
            image_scanning_configuration {
              ...
              scan_on_push=true
              ...
            }
            ...
          }
      - pattern-inside: |
          resource "aws_ecr_repository" "..." {
            ...
          }
    languages:
      - hcl
    message: The ECR Repository isn't configured to scan images on push
    severity: WARNING
    metadata:
      cwe:
        - "CWE-1104: Use of Unmaintained Third Party Components"
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A06:2021 - Vulnerable and Outdated Components
      references:
        - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other

Examples

ecr-image-scan-on-push.tf

resource "aws_ecr_repository" "foo" {
  name                 = "test-repository"
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}

# ruleid: ecr-image-scan-on-push
resource "aws_ecr_repository" "foo" {
  name                 = "test-repository"
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration {
    scan_on_push = false
  }
}

# ruleid: ecr-image-scan-on-push
resource "aws_ecr_repository" "repository" {
  name                 = "test-repository"
  image_tag_mutability = "MUTABLE"
  tags = {
    Name = "test-repository"
  }
}