
ECR Enhanced Scanning shows false positives for kernel vulnerabilities


I've encountered what I believe to be an unexpected behavior with ECR the past few months where Enhanced Scanning is showing false-positive vulnerabilities around the Linux kernel. It shouldn't be possible for a Docker image to have kernel vulnerabilities since the container is sharing the kernel of its host. This likely means the host servers performing the scans are the ones with these vulnerabilities and those vulnerabilities should not be reported to end users in ECR. Other common vulnerability scanning tools, such as Snyk, are unable to reproduce these same vulnerabilities. I also suspect this is related to the host servers since some of the kernel vulnerabilities that are identified do not match the image's current operating system or operating system version in the Enhanced Scan.

The images we've encountered this problem with have all been based on Ubuntu 20.04 or 22.04. The strange part is I am unable to recreate this behavior with a clean, out-of-the-box Ubuntu image copied directly from DockerHub onto my ECR. I can only recreate the kernel-related false-positives when scanning one of our application containers. It might be possible that one or more system dependencies we install in the image is causing the scanner to go beyond its desired scope to look at the kernel.

The images causing this issue are publicly available. Linked below are the Ubuntu packages we install into the image if anyone could try to recreate the behavior to confirm this as a bug:

Here's a log and a screenshot of the difference in identified vulnerabilities between Snyk and ECR Enhanced Scanning: https://gist.github.com/ianpittwood/ba42b399f878112aa61a33069b9a55a3

[Screenshot: ECR Enhanced Scan Excerpt]

The difference is stark. 100% of the High vulnerabilities picked up by ECR are kernel vulnerabilities whereas those picked up by Snyk are all related to our application's usage of Go and NPM packages.

1 Answer

Hi Ian,

This is an interesting issue, and your observations are on point. The false positives appear tied to how the ECR Enhanced Scanning interacts with the kernel of the host performing the scan rather than the actual container image. This often happens when the scanning tool analyzes system dependencies and kernel-related packages beyond the boundaries of the container image.

Here are a few recommendations to help you clarify or work around this behavior:

  1. Understand Host-Image Interactions: Since Docker containers share the host kernel, scanning tools can sometimes misinterpret kernel-specific vulnerabilities as being part of the image. You may want to check the version of the host kernel where ECR scanning is running and cross-reference it with the vulnerabilities reported.

  2. Use Snyk or Similar Tools for Comparison: Your results with Snyk provide a strong baseline since it doesn’t replicate the kernel-related findings. This supports your hypothesis that the vulnerabilities originate from the host environment rather than the container.

  3. Validate Scanning Scope: To reduce noise in ECR Enhanced Scanning, ensure the scan is scoped strictly to the image content. Consider reviewing the scanning configuration or reaching out to AWS Support to confirm how ECR interprets kernel-level vulnerabilities during Enhanced Scans.

  4. Test with Known Clean Images: You already mentioned that out-of-the-box Ubuntu 20.04 and 22.04 images did not produce the same results. As a next step, you might isolate dependencies or packages introduced into your custom images that could trigger kernel-related checks.

  5. AWS Feedback Loop: If this behavior persists and can be reproduced consistently, I’d recommend opening an AWS Support case or posting to the AWS Containers team for direct insights. Enhanced Scanning is still evolving, and feedback like yours can help improve its accuracy.

Let me know if you need more guidance on this!

Cheers, Aaron 😊

answered a year ago
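The answer above suggests checking the scan host's kernel, which an ECR customer cannot do. A check that is possible from the outside, added here as an example and not code from either poster: ECR Enhanced Scanning (Amazon Inspector) reads the package inventory recorded inside the image, and package scanners attribute CVEs by *source* package. On Ubuntu the binary package `linux-libc-dev`, pulled in by `libc6-dev`/`build-essential`, is built from the `linux` kernel source package, so an image that ships no kernel can still be reported with kernel CVEs once a compiler toolchain is installed. That this is the cause in this thread is an assumption; the script below lets you test it against your own images. It assumes `docker` and a dpkg-based image; the `sample_manifest` data and the list of Ubuntu kernel-flavour source prefixes are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original question or answer. Lists packages
# in an Ubuntu/Debian-based image whose dpkg metadata says they were built
# from the Linux kernel *source* package. Scanners match CVEs by source
# package, so linux-libc-dev (pulled in by libc6-dev / build-essential) can
# carry kernel CVEs although the image ships no kernel. Whether that explains
# the findings in this thread is an assumption to be verified per image.
set -eu

# dpkg-query format: binary package, version, Source field. dpkg leaves
# ${Source} empty when it equals ${Package} and may append " (version)".
DPKG_FMT='${Package}\t${Version}\t${Source}\n'

# Read a manifest in that format from the file in $1 (default: stdin) and
# print "package<TAB>version" for each entry built from a kernel source
# package. The Ubuntu kernel-flavour source prefixes are an assumed list.
kernel_source_packages() {
    awk -F'\t' '
        {
            src = $3
            if (src == "") src = $1            # Source omitted when same as Package
            sub(/ \(.*\)$/, "", src)           # strip "(version)" suffix if present
            if (src == "linux" || src ~ /^linux-(hwe|aws|azure|gcp|oracle|kvm|signed)/)
                print $1 "\t" $2
        }' "${1:--}"
}

# Produce the manifest for a real image (needs docker; not exercised below).
# Usage: image_manifest <image:tag> | kernel_source_packages
image_manifest() {
    docker run --rm --entrypoint dpkg-query "$1" -W -f "$DPKG_FMT"
}

# Constructed sample manifest standing in for real dpkg-query output; the
# versions are placeholders, not taken from any real image.
sample_manifest() {
    printf '%s\t%s\t%s\n' \
        libc6                    2.35-0ubuntu3   glibc \
        libc6-dev                2.35-0ubuntu3   glibc \
        linux-libc-dev           5.15.0-100.110  linux \
        linux-headers-5.15.0-100 5.15.0-100.110  linux \
        linux-base               4.5ubuntu9      '' \
        libgcc-s1                12.3.0-1ubuntu1 'gcc-12 (12.3.0-1ubuntu1)' \
        libssl3                  3.0.2-0ubuntu1  openssl
}

# Demo on the constructed data: only the two "linux"-sourced packages print.
sample_manifest | kernel_source_packages
```

Run `image_manifest <your-image> | kernel_source_packages` against the application image and again against the plain `ubuntu:22.04` base. If the application image lists `linux-libc-dev` (or `linux-headers-*`) and the base image does not, the package, not the scan host, is the likely carrier of the kernel findings; the fix is then to drop the build toolchain from the runtime image (multi-stage build) or to document the finding as not applicable, since no kernel code in that package ever executes in the container.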
