CKV_AWS_163 ScanOnPush setting deprecated on repositories
Describe the issue
The check CKV_AWS_163 should be updated as AWS has deprecated this setting in favor of a registry wide setting.
See the announcement by AWS.
Examples
The following Terraform code should not trigger the check, because scan-on-push is configured for the ECR repository at the registry level even though the repository block has no image_scanning_configuration.
```hcl
# Registry-wide scanning configuration: the "*" wildcard filter applies the
# SCAN_ON_PUSH rule to every repository in the registry.
resource "aws_ecr_registry_scanning_configuration" "configuration" {
  scan_type = "BASIC"
  rule {
    scan_frequency = "SCAN_ON_PUSH"
    repository_filter {
      filter      = "*"
      filter_type = "WILDCARD"
    }
  }
}

# Repository without an image_scanning_configuration block; it is covered by
# the registry rule above. aws_kms_key.ecr is assumed to be defined elsewhere.
resource "aws_ecr_repository" "myrepo" {
  name                 = "my-repo"
  image_tag_mutability = "IMMUTABLE"
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }
}
```
The check should still trigger if aws_ecr_registry_scanning_configuration is missing, or if the filter does not match the created repo.
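The evaluation logic described above, as an added example that is not checkov's own implementation: a repository passes if it still carries a repository-level scan_on_push, or if a registry-wide rule with SCAN_ON_PUSH has a repository_filter matching its name. The resource dicts are a constructed, simplified stand-in for parsed HCL, WILDCARD matching is modelled as `*` matching any run of characters, and treating CONTINUOUS_SCAN as also covering pushes is an assumption.

```python
import re
from typing import Optional

# Constructed stand-in for the parsed aws_ecr_registry_scanning_configuration
# block from the issue (not real checkov parser output).
REGISTRY_CONFIG = {
    "scan_type": "BASIC",
    "rule": [{
        "scan_frequency": "SCAN_ON_PUSH",
        "repository_filter": [{"filter": "*", "filter_type": "WILDCARD"}],
    }],
}

def filter_matches(pattern: str, repo_name: str) -> bool:
    """WILDCARD filter: '*' matches any run of characters (assumed semantics)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), repo_name) is not None

def registry_scans_on_push(registry_cfg: Optional[dict], repo_name: str) -> bool:
    """True if some registry-wide rule scans this repository on push."""
    if not registry_cfg:
        return False  # no registry configuration: the repo is not covered
    for rule in registry_cfg.get("rule", []):
        # CONTINUOUS_SCAN (enhanced scanning) is assumed to include on-push scans.
        if rule.get("scan_frequency") not in ("SCAN_ON_PUSH", "CONTINUOUS_SCAN"):
            continue
        for repo_filter in rule.get("repository_filter", []):
            if repo_filter.get("filter_type", "WILDCARD") != "WILDCARD":
                continue
            if filter_matches(repo_filter.get("filter", ""), repo_name):
                return True
    return False  # either no matching filter or no on-push rule

def scan_on_push_check(repo: dict, registry_cfg: Optional[dict]) -> str:
    """Return 'PASSED' or 'FAILED' for one aws_ecr_repository block."""
    # A repository-level scan_on_push is deprecated but still honoured.
    cfg = repo.get("image_scanning_configuration", [{}])[0]
    if cfg.get("scan_on_push") is True:
        return "PASSED"
    covered = registry_scans_on_push(registry_cfg, repo["name"])
    return "PASSED" if covered else "FAILED"
```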
Version (please complete the following information):
- Checkov Version: 2.2.130