About tag of image https://gallery.ecr.aws/amazonlinux/amazonlinux

0

Hi,

I am using an image with the tag below:

FROM public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230503.0

When I scan with Trivy, the result shows some vulnerabilities. I want to update the tag to resolve the vulnerabilities. I checked the doc here: https://gallery.ecr.aws/amazonlinux/amazonlinux and see two tags, 2023 and 2023.0.20230607.0. Which tag should I choose? Both can resolve the vulnerabilities, but I think tag 2023 is good. Is that right?

Can you help explain this?

Thanks!

asked 2 years ago · 426 views
4 Answers
1
Accepted Answer

Hi, by using :2023 as tag, you are sure to get the latest 2023 image.

To confirm, see https://github.com/amazonlinux/amazon-linux-2023, which says:

 Note
To get the latest version of the container image of Amazon Linux 2023, use the tag :2023. 
To get a specific version of the container image, you need to use the tag listed in the 
Amazon ECR Public Gallery - amazonlinux, for example :2023.0.20211222.0. The following 
examples use the tag :2023 and pull the most recent available container image of Amazon Linux 2023.

# docker pull public.ecr.aws/amazonlinux/amazonlinux:2023
AWS
EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
1

Only tag 2023 is listed on supported tags, so 2023 is preferred.

Supported tags and respective Dockerfile links:

  • 2023.0.20230315.0, 2023, latest
  • 2.0.20230307.0, 2
  • 2018.03.0.20230306.1, 2018.03, 1

https://gallery.ecr.aws/amazonlinux/amazonlinux

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
  • FYI: Maybe 2023.0.20230607.0 and 2023 are the same image, since both images were updated 5 hours ago. You can identify this by confirming the image digest.
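
The digest comparison suggested in the comment above, together with pinning the `FROM` line to that digest, as an added example that is not part of the original thread. It assumes Docker is installed and that the first `RepoDigests` entry belongs to this repository; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check whether two tags name the same
# image, then pin a Dockerfile FROM line to the digest behind a tag.
REPO="public.ecr.aws/amazonlinux/amazonlinux"

# Resolve a tag to its digest. Pulls the image, so it needs Docker and network.
fetch_digest() {
  docker pull --quiet "$REPO:$1" >/dev/null || return 1
  docker image inspect --format '{{index .RepoDigests 0}}' "$REPO:$1" | sed 's/^.*@//'
}

# Accept only a well-formed sha256 digest; anything else is treated as failure.
valid_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Exit 0 when both tags resolve to the same digest, 1 when they differ,
# 2 when either lookup fails or returns something that is not a digest.
same_image() {
  local a b
  a=$(fetch_digest "$1") && valid_digest "$a" || return 2
  b=$(fetch_digest "$2") && valid_digest "$b" || return 2
  [ "$a" = "$b" ]
}

# Print a FROM line that keeps the readable tag but is resolved by digest,
# so a later move of the tag cannot change the base image silently.
pin_from_line() {
  local d
  d=$(fetch_digest "$1") && valid_digest "$d" || return 2
  printf 'FROM %s:%s@%s\n' "$REPO" "$1" "$d"
}

# Runs only when two tags are given as arguments, e.g.:
#   ./pin.sh 2023 2023.0.20230607.0
if [ "$#" -eq 2 ]; then
  if same_image "$1" "$2"; then echo "same image"; else echo "different image or lookup failed"; fi
  pin_from_line "$2"
fi
```

A digest-pinned base image no longer picks up fixes on rebuild, so the scan-and-update cycle has to bump the digest deliberately.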

1

Hey!

I think the image has vulnerabilities. Not sure which tag will be suitable. Previously, I used Snyk for image scanning; it automatically suggested non-vulnerable versions for my Docker images.

Lastly, if nothing works, then you have to manually scan all tags.

You may revert to a previous version of Amazon Linux if security is a major concern.

answered 2 years ago
0

@Riku_Kobayashi, @Riku_Kobayashi, @sandeepyadav1478 Thanks for your comments.

Following version pinning, I will choose 2023.0.20230607.0. If a vulnerability occurs, I will continue to scan and update the image tag.

Thanks!

answered 2 years ago
