Posted On: Jun 13, 2023

Starting today, Amazon Elastic Container Registry (ECR) basic scanning feature will use Common Vulnerability Scoring System (CVSS) version 3 information when determining the severity for new Common Vulnerabilities and Exposures (CVEs). This enables customers to get the most recent severity information for vulnerabilities in their ECR container images. We use CVSS information to determine the severity of a vulnerability when the upstream distribution source does not have this information.

Amazon ECR basic scanning enables customers to scan their container images manually or via configurations that specify which repositories should be scanned when an image is pushed. With today’s update, customers will get the latest severity information available. Some existing vulnerabilities may change in severity level based on the new information from CVSS version 3.

ECR Basic Scanning is available in all Amazon Web Services Commercial Regions, including Amazon Web Services China (Beijing) Region, operated by Sinnet, and Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about ECR basic scanning and this change, please visit our documentation.