Posted On: Jun 13, 2023

Starting today, the Amazon Elastic Container Registry (ECR) basic scanning feature will use Common Vulnerability Scoring System (CVSS) version 3 information when determining the severity of new Common Vulnerabilities and Exposures (CVEs). This enables customers to get the most recent severity information for vulnerabilities in their ECR container images. We use CVSS information to determine the severity of a vulnerability when the upstream distribution source does not have this information.

Amazon ECR basic scanning enables customers to scan their container images manually or via configurations that specify which repositories should be scanned when an image is pushed. With today’s update, customers will get the latest severity information available in the U.S. National Vulnerability Database (NVD). Some existing vulnerabilities may change in severity level based on the new information from CVSS version 3.

ECR basic scanning is available in all AWS Commercial, China (Beijing, operated by Sinnet), China (Ningxia, operated by NWCD), and AWS GovCloud (US) Regions. To learn more about ECR basic scanning and this change, please visit our documentation.