By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

About tag of image https://gallery.ecr.aws/amazonlinux/amazonlinux

0

Hi,

I ussing image with tag as below FROM public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230503.0

When I scan with Trivy, result is some vulnerability. I want to update tag to resolve vulnerability. I check doc here: https://gallery.ecr.aws/amazonlinux/amazonlinux and see to tag 2023 and 2023.0.20230607.0 What tag I should choise. Both can resolve vulnerability, but I think tag 2023 is good. It is right?

Can you help me explain this.

Thanks!

Topics
Compute
Tags
Amazon Linux
Language
English
profile picture
Phong Nguyen
asked a year ago241 views
4 Answers
1
Accepted Answer

Hi, by using :2023 as tag, you are sure to get the latest 2023 image.

To confirm, see https://github.com/amazonlinux/amazon-linux-2023 it says:

 Note
To get the latest version of the container image of Amazon Linux 2023, use the tag :2023. 
To get a specific version of the container image, you need to use the tag listed in the 
Amazon ECR Public Gallery -amazonlinux, for example :2023.0.20211222.0. The following 
examples use the tag :2023 and pull the most recent available container image of Amazon Linux 2023.

# docker pull public.ecr.aws/amazonlinux/amazonlinux:2023
profile pictureAWS
EXPERT
Didier_Durand
answered a year ago
profile picture
EXPERT
Riku_Kobayashi
reviewed a year ago
1

Only tag 2023 is listed on supported tags, so 2023 is preffered

Supported tags and respective Dockerfile links 2023.0.20230315.0, 2023, latest 2.0.20230307.0, 2 2018.03.0.20230306.1, 2018.03, 1

https://gallery.ecr.aws/amazonlinux/amazonlinux

profile picture
EXPERT
Hiroki Takahashi
answered a year ago
profile picture
EXPERT
Riku_Kobayashi
reviewed a year ago
  • Hiroki Takahashi EXPERT
    a year ago

    FYI:May be 2023.0.20230607.0 and 2023 are same image since both images updated 5 hours ago. Youcan identify by confirming image digest.

1

Hey!

I think the image have vulnerabilities. Not sure which tag will be suitable. Previously, I used Snyk for image scanning, it auto suggestion non vulnerabilities version for my docker images.

Lastly, If nothing works, then you have to manually scan all tags.

You may revert back to previous version of amazon linux, if security is major concern.

profile picture
sandeepyadav1478
answered a year ago
0

@Riku_Kobayashi , @Riku_Kobayashi, @sandeepyadav1478 Thank for your comment.

Follow version pinning, I will choise 2023.0.20230607.0 , I vulnerability occus, I continue Scan and update image tag.

Thanks!

profile picture
Phong Nguyen
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content