Snyk’s integration with AWS ECR means you can automatically scan your container images for vulnerabilities before they ever get deployed.

Let’s see it in action. Imagine you’ve just pushed a new image, my-app:v1.2.0, to your ECR repository.

# Authenticate Docker to the registry and push the image
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com
docker push <account-id>.dkr.ecr.<region>.amazonaws.com/my-app:v1.2.0

# The event-driven pipeline described below picks up the push and scans the image.
# You can run the same scan by hand from a machine that is logged in to ECR and has SNYK_TOKEN set:
snyk container monitor <account-id>.dkr.ecr.<region>.amazonaws.com/my-app:v1.2.0 --file=Dockerfile

The scan-on-push behaviour comes from an event-driven pipeline on the AWS side: every push emits an "ECR Image Action" event to Amazon EventBridge (formerly CloudWatch Events), a rule forwards successful PUSH events to a Lambda function, and that function runs the Snyk CLI (or calls the Snyk API) against the image it was told about. The results are recorded in your Snyk project. Note that this is infrastructure you deploy in your own account; Snyk's built-in ECR integration, configured in the Snyk UI, instead assumes an IAM role you provide and imports and periodically re-tests images on a schedule, so the EventBridge pipeline is what gets you a scan the moment an image lands.

This integration solves the critical problem of "shift-left" security for containerized applications. Instead of finding out about vulnerabilities in production or during later stages of your CI/CD pipeline, you catch them as soon as an image is built and pushed to ECR. This drastically reduces the cost and effort required to remediate issues.

The core components involved are:

  1. AWS ECR Repository: Where your container images are stored.
  2. AWS EventBridge Rule: matches ECR Image Action events whose action-type is PUSH and whose result is SUCCESS, so deletes and failed pushes never trigger a scan.
  3. AWS Lambda Function: The "glue" that receives the EventBridge event, extracts the repository name and image digest (scan by digest rather than tag, since a tag can be re-pointed after the scan ran), obtains a short-lived ECR pull token, and invokes the Snyk CLI (or Snyk API) to perform the scan.
  4. Snyk CLI/API: Executes the actual vulnerability analysis against the ECR image.
  5. Snyk Project: Where scan results are aggregated, visualized, and managed.
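Here is what the Lambda piece of that pipeline looks like in Python. This is an added example, not Snyk's or AWS's own code. It assumes the Snyk CLI binary is on PATH inside the function's container image, that the deployment populates SNYK_TOKEN from Secrets Manager, and that boto3 is available in the runtime. The rule pattern follows the documented ECR Image Action event shape; the sample event is constructed, and the account ID in it is the AWS documentation placeholder. The credentials are passed to the CLI through the SNYK_REGISTRY_USERNAME / SNYK_REGISTRY_PASSWORD environment variables that Snyk documents for registry pulls.

```python
import base64
import os
import subprocess
from typing import Any, Dict, List, Optional

# EventBridge rule pattern for successful ECR pushes (the documented
# "ECR Image Action" event). In a pattern, a list means "any of these values"
# and a nested dict is matched recursively.
ECR_PUSH_RULE: Dict[str, Any] = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Action"],
    "detail": {"action-type": ["PUSH"], "result": ["SUCCESS"]},
}

# Constructed sample event in that shape (account ID is the AWS docs placeholder).
SAMPLE_PUSH_EVENT: Dict[str, Any] = {
    "version": "0",
    "source": "aws.ecr",
    "detail-type": "ECR Image Action",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "action-type": "PUSH",
        "result": "SUCCESS",
        "repository-name": "my-app",
        "image-tag": "v1.2.0",
        "image-digest": "sha256:" + "0123456789abcdef" * 4,
    },
}


def matches_rule(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """The subset of EventBridge matching this rule relies on: every pattern key
    must exist in the event; list = any-of; dict = recurse. A DELETE or a failed
    push therefore never reaches the scanner."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches_rule(event[key], allowed):
                return False
        elif event[key] not in allowed:
            return False
    return True


def image_ref_from_event(event: Dict[str, Any]) -> str:
    """Immutable reference for the pushed image: registry/repo@digest.
    Scanning by digest rather than tag ties the result to exactly the bytes
    that were pushed, even if the tag is re-pointed later."""
    detail = event["detail"]
    registry = f"{event['account']}.dkr.ecr.{event['region']}.amazonaws.com"
    return f"{registry}/{detail['repository-name']}@{detail['image-digest']}"


def snyk_argv(image_ref: str, project_name: str) -> List[str]:
    """Command line for the scan; `monitor` records a snapshot in the Snyk project."""
    return ["snyk", "container", "monitor", image_ref, f"--project-name={project_name}"]


def plan(event: Dict[str, Any]) -> Optional[List[str]]:
    """Decide what to run for an event: None means 'not a successful push, ignore'."""
    if not matches_rule(event, ECR_PUSH_RULE):
        return None
    detail = event["detail"]
    project = f"{detail['repository-name']}:{detail.get('image-tag', 'untagged')}"
    return snyk_argv(image_ref_from_event(event), project)


def ecr_pull_credentials(region: str) -> Dict[str, str]:
    """Short-lived registry credentials via the function's own IAM role (needs
    ecr:GetAuthorizationToken plus the ecr:BatchGetImage, GetDownloadUrlForLayer
    and BatchCheckLayerAvailability pull permissions on the repository)."""
    import boto3  # imported here so the module stays importable without boto3

    token = boto3.client("ecr", region_name=region).get_authorization_token()
    user, password = base64.b64decode(
        token["authorizationData"][0]["authorizationToken"]
    ).decode().split(":", 1)
    return {"SNYK_REGISTRY_USERNAME": user, "SNYK_REGISTRY_PASSWORD": password}


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point. SNYK_TOKEN is expected in the environment, populated
    from Secrets Manager by the deployment (assumption, not shown here)."""
    argv = plan(event)
    if argv is None:
        return {"status": "ignored", "detail-type": event.get("detail-type")}
    env = {**os.environ, **ecr_pull_credentials(event["region"])}
    # `monitor` exits non-zero on CLI errors, not on findings, so 0 means "recorded".
    proc = subprocess.run(argv, env=env, capture_output=True, text=True, timeout=600)
    return {"status": "scanned" if proc.returncode == 0 else "error",
            "image": argv[3], "exit_code": proc.returncode, "stderr": proc.stderr[-2000:]}
```

Deploy this as a container-image Lambda that bundles the Snyk CLI binary, and give it enough ephemeral storage to pull the largest image you expect. The pattern matcher is included so the same predicate you put in the EventBridge rule can be unit-tested against sample events before you wire it up.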

You control the integration in three places. First, the EventBridge rule and the Lambda function, which you deploy yourself with CloudFormation, Terraform or SAM; the Snyk CLI does not provision AWS resources. Second, IAM: the function's execution role needs ecr:GetAuthorizationToken together with ecr:BatchGetImage, ecr:GetDownloadUrlForLayer and ecr:BatchCheckLayerAvailability on the repositories it scans, plus read access to the secret holding the Snyk API token (exposed to the CLI as SNYK_TOKEN). Keep that role pull-only; it never needs ecr:PutImage. Third, the scan command itself: snyk container monitor <image> --file=Dockerfile creates or updates a project in Snyk for that image and records a snapshot of its dependencies, so each subsequent push produces a new snapshot that Snyk keeps re-checking as new vulnerabilities are published.

Snyk analyzes the image that was pushed, not the build context, so excluding directories from the Dockerfile is not how you keep test-only dependencies out of the results. The right fix is a multi-stage build in which test tooling lives in a builder stage and only the runtime stage is pushed. Two flags do help with noise: --exclude-base-image-vulns hides findings inherited from the base image so you see only what your own layers added, and --exclude-app-vulns limits the scan to OS packages. Passing --file=Dockerfile is still worthwhile because it lets Snyk attribute findings to Dockerfile instructions and recommend a less vulnerable base image.

A common misconception is that Snyk scans only the top layer you added. In fact it inspects the image's full filesystem as assembled from all of its layers: the OS package database (dpkg, rpm or apk) contributed by the base image, and the application dependencies baked in during the build (npm, pip, Maven and similar manifests), comparing each installed version against its vulnerability database. This means you get visibility into vulnerabilities originating from your chosen base image as well as from your own application dependencies, and Snyk can tell you which is which.

The next step after integrating ECR scanning is usually to automate what happens with the results: routing findings to Jira or Slack through Snyk's integrations, or gating builds so they fail on serious findings. The CLI covers the simple case directly: snyk container test <image> --severity-threshold=high exits non-zero when a finding at or above that severity exists, so a pipeline step that runs it will fail the build.
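When the threshold flag is not enough, for instance when you want time-boxed exceptions or want to tell base-image findings from application findings before deciding who has to fix what, a small gate over the CLI's JSON output does the job. The following is an added example, not Snyk's own tooling. It assumes the report fields shown in the constructed SAMPLE_REPORT (id, severity, packageName, version, packageManager, isUpgradable, nearestFixedInVersion), which mirror the shape of snyk container test --json for CLI v1.x; verify them against your CLI version. The policy format with expiring ignores is this example's own, not a Snyk feature, and the vulnerability IDs are placeholders.

```python
import datetime as dt
import json
import sys
from collections import Counter
from typing import Any, Dict, Optional, Union

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed report in the shape of `snyk container test --json` (assumption:
# field names as in CLI v1.x; verify against your version before relying on them).
SAMPLE_REPORT: Dict[str, Any] = {
    "ok": False,
    "dockerImage": "<account-id>.dkr.ecr.<region>.amazonaws.com/my-app:v1.2.0",
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-OS-1", "severity": "critical", "packageManager": "deb",
         "packageName": "libexample", "version": "1.0-1",
         "isUpgradable": True, "nearestFixedInVersion": "1.0-2"},
        {"id": "SNYK-EXAMPLE-OS-2", "severity": "high", "packageManager": "deb",
         "packageName": "libother", "version": "2.3-4",
         "isUpgradable": False, "nearestFixedInVersion": ""},
        {"id": "SNYK-EXAMPLE-APP-1", "severity": "critical", "packageManager": "npm",
         "packageName": "example-lib", "version": "4.1.0",
         "isUpgradable": True, "nearestFixedInVersion": "4.1.1"},
        {"id": "SNYK-EXAMPLE-APP-2", "severity": "medium", "packageManager": "npm",
         "packageName": "example-util", "version": "0.9.0",
         "isUpgradable": True, "nearestFixedInVersion": "0.9.1"},
    ],
}

# This example's own policy format (not a Snyk feature; Snyk's .snyk file and
# --severity-threshold cover the simpler cases natively).
POLICY: Dict[str, Any] = {
    "fail_at": "high",               # block on high and critical
    "fail_only_if_fixable": False,   # True: only findings with a fix available block
    "ignores": {                     # id -> expiry date; an expired ignore is void
        "SNYK-EXAMPLE-OS-2": "2099-01-01",
    },
}


def is_ignored(vuln: Dict[str, Any], policy: Dict[str, Any], today: dt.date) -> bool:
    """An ignore only counts while unexpired, so accepted risk gets re-reviewed."""
    expiry = policy["ignores"].get(vuln["id"])
    return expiry is not None and today <= dt.date.fromisoformat(expiry)


def evaluate(report: Dict[str, Any], policy: Dict[str, Any],
             today: Optional[Union[str, dt.date]] = None) -> Dict[str, Any]:
    """Apply the policy to a report and return the gate decision with its reasons."""
    if today is None:
        today = dt.date.today()
    elif isinstance(today, str):
        today = dt.date.fromisoformat(today)
    threshold = SEVERITY_RANK[policy["fail_at"]]
    blocking, ignored = [], []
    for v in report.get("vulnerabilities", []):
        if SEVERITY_RANK.get(v["severity"], 0) < threshold:
            continue
        if policy["fail_only_if_fixable"] and not v.get("isUpgradable"):
            continue
        if is_ignored(v, policy, today):
            ignored.append(v["id"])
            continue
        blocking.append(v)
    return {
        "passed": not blocking,
        "blocking": [v["id"] for v in blocking],
        "ignored": ignored,
        # base-image (deb/rpm/apk) vs application (npm/pip/...) findings,
        # so the fix can be routed to the right owner
        "by_package_manager": dict(Counter(v["packageManager"] for v in blocking)),
        "fixable": [f"{v['packageName']}@{v['version']} -> {v['nearestFixedInVersion']}"
                    for v in blocking if v.get("isUpgradable")],
    }


if __name__ == "__main__":
    # usage: snyk container test <image> --json > report.json || true
    #        python gate.py < report.json
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    result = evaluate(report, POLICY)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

The `|| true` in the usage comment matters: snyk container test itself exits 1 when it finds vulnerabilities, so the report must be captured before the gate decides, otherwise the pipeline stops on every finding regardless of policy.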
