ECR Results - Basic vs Enhanced Scanning


The documentation states that the basic ECR image scan finds OS vulnerabilities, while the enhanced ECR scan finds OS + Language Package vulnerabilities. The documentation implies the basic scan (OS only scan) overlaps completely with the enhanced scan (which is OS + Language Package). This is not true in my experience.

If the result of the enhanced scan is the sum total of the OS scan (basic) + the language package scan, I would expect all the findings of the basic scan to also be present in the enhanced scan. This is not the case. When I scan the same image using a basic scan vs an enhanced scan, the enhanced scan actually contains FEWER findings than the basic scan.

Can someone please help me understand the results of the basic vs enhanced scans so that the differences are accounted for?

1 Answer

As per documentation, basic scanning uses CVEs from the open-source Clair project. Enhanced scanning is an integration with Amazon Inspector. This suggests both options use different databases/scanners.

While the enhanced scan may provide fewer findings, it may be due to the basic scan generating false positives, or the enhanced scan generating false negatives. You may want to examine and validate the findings in more detail.

AWS
EXPERT
Mike_L
answered 3 months ago
AWS
EXPERT
reviewed 3 months ago
  • As the name implies, "Enhanced Scanning" goes deeper into the analysis of issues than "Basic scanning"

  • Thank you for the quick reply. To follow up on basic vs enhanced using different DBs/scanners. I have a concern that the enhanced scan is potentially missing relevant vulnerabilities. This comes from the basic scan reporting critical vulnerabilities where the enhanced scan of the same image doesn't report the same vulnerabilities.

    In my case, two of the critical vulnerabilities that were reported by the basic scan don't apply to our environment. I'm still investigating the third. I was thinking the enhanced scan was somehow aware of the same critical vulnerabilities, but didn't report them because it was able to determine they don't apply. I really need to confirm if this is the case.

    Is enhanced scanning at least as capable as the basic scanning? I was expecting enhanced scanning to be everything from a basic scan + some additional capability around language packages. What Mike_L is saying seems to be different. Enhanced scanning is an entirely different service, using a different DB from the basic scan, and the report could be missing relevant critical vulnerabilities that would be reported in the basic scan.

  • I would also like to get clarification on whether enhanced scanning is guaranteed to catch and report critical vulnerabilities, the same as or similar to what the basic scan does.
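One way to do the validation the answer suggests, as an added example that is not from this thread or from AWS: pull the basic-scan and enhanced-scan results for the same image with `aws ecr describe-image-scan-findings` and diff them by CVE id, so the findings reported by only one scanner are the ones to triage by hand. The response shapes below are the documented ECR ones (basic findings under `findings[]`, Inspector findings under `enhancedFindings[]`); the scan contents are constructed and the CVE ids are placeholders.

```python
# Constructed DescribeImageScanFindings responses (not real scan output). A basic
# scan lists CVEs under findings[] with package info in key/value "attributes";
# an enhanced (Inspector) scan lists them under enhancedFindings[] with the id in
# packageVulnerabilityDetails.vulnerabilityId. CVE ids here are placeholders.
BASIC_SCAN = {"imageScanFindings": {"findings": [
    {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "attributes": [
        {"key": "package_name", "value": "openssl"}, {"key": "package_version", "value": "1.1.1k"}]},
    {"name": "CVE-EXAMPLE-0002", "severity": "CRITICAL", "attributes": [
        {"key": "package_name", "value": "libxml2"}, {"key": "package_version", "value": "2.9.10"}]},
    {"name": "CVE-EXAMPLE-0003", "severity": "LOW", "attributes": [
        {"key": "package_name", "value": "curl"}, {"key": "package_version", "value": "7.68.0"}]},
]}}
ENHANCED_SCAN = {"imageScanFindings": {"enhancedFindings": [
    {"severity": "CRITICAL", "packageVulnerabilityDetails": {
        "vulnerabilityId": "CVE-EXAMPLE-0001",
        "vulnerablePackages": [{"name": "openssl", "version": "1.1.1k"}]}},
    {"severity": "HIGH", "packageVulnerabilityDetails": {
        "vulnerabilityId": "CVE-EXAMPLE-0004",
        "vulnerablePackages": [{"name": "requests", "version": "2.25.0"}]}},
]}}

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def basic_findings(resp):
    """Map CVE id -> (severity, package) from a basic-scan response."""
    out = {}
    for f in resp["imageScanFindings"].get("findings", []):
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        out[f["name"]] = (f["severity"], attrs.get("package_name", "?"))
    return out

def enhanced_findings(resp):
    """Map CVE id -> (severity, packages) from an enhanced-scan response."""
    out = {}
    for f in resp["imageScanFindings"].get("enhancedFindings", []):
        d = f["packageVulnerabilityDetails"]
        pkgs = ",".join(p["name"] for p in d.get("vulnerablePackages", []))
        out[d["vulnerabilityId"]] = (f["severity"], pkgs)
    return out

def diff_scans(basic, enhanced, min_severity="HIGH"):
    """Return (only_in_basic, only_in_enhanced) at or above min_severity.
    Unknown severities (e.g. UNDEFINED, UNTRIAGED) are kept so they get triaged."""
    floor = SEVERITY_RANK[min_severity]
    keep = lambda sev: SEVERITY_RANK.get(sev, floor) >= floor
    b = {k: v for k, v in basic.items() if keep(v[0])}
    e = {k: v for k, v in enhanced.items() if keep(v[0])}
    return ({k: b[k] for k in sorted(b.keys() - e.keys())},
            {k: e[k] for k in sorted(e.keys() - b.keys())})

if __name__ == "__main__":
    only_basic, only_enhanced = diff_scans(basic_findings(BASIC_SCAN), enhanced_findings(ENHANCED_SCAN))
    print("Reported by basic scan only (validate before dismissing):", only_basic)
    print("Reported by enhanced scan only (language packages etc.):", only_enhanced)
```

Feed it the JSON from two real `describe-image-scan-findings` calls (one taken while the registry used basic scanning, one after switching to enhanced) and the "basic only" set is exactly the list of criticals whose absence from the enhanced report needs an explanation.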
