Configure an AWS ECR Connector to Import Images in CS
The following feature is not supported in Tenable.io Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.
Required Additional License: Tenable.io Container Security
Required User Role: Administrator
To import and analyze images hosted in an Amazon Web Service (AWS) Elastic Container Registry (ECR), you must configure your AWS ECR connector. Tenable.io Container Security then imports the images from your registry and scans the images for vulnerabilities.
The amount of time Tenable.io Container Security takes to scan the images in your registry and display the results depends on the size and number of images you scan.
Note: If you use a connector to import and scan your images, Tenable.io Container Security may take up to several hours to display your images on the dashboard.
If your images do not appear on the dashboard within 24 hours of when you begin the import, contact Tenable Support.
Before you begin:
- Activate your account and log in to Tenable.io Container Security, as described in Log in to CS via the Docker CLI.
- Confirm the images you want to import are stored in your organization's container registry.
To configure a connector to an AWS Elastic Container Registry:
In the Connectors section of the Container Security dashboard, click Create.
Tenable.io opens the Cloud Connectors page, and the Select a Connector plane appears.
- In the Container Security section, click AWS Elastic Container Registry.
- In the URL box, type the fully-qualified domain name of your ECR deployment (e.g.,
- In the User Name box, type AWS.
In the Password box, type the base 64-encoded password used in the
docker logincommand generated by the AWS CLI.
Tip: If your ECR is in the us-east-2 region, you can run the
aws ecr get-login --region us-east-2command to get the
Do one of the following:
To save the connector, click Save.
Note: If you click Save, Tenable.io Container Security saves your configured connector but does not import your assets. To launch a manual import for the connector, see Launch a Connector Import Manually.
To save the connector and import your assets from the registry, click Save & Import.
Note: When you import container images to scan, Tenable.io Container Security may abort the scan if the scan has been running for 60 minutes. If this happen, Scan Failed appears on the Images page in the Vulnerabilities and Malware columns for the aborted images.
If Tenable.io Container Security aborts your scan, try simplifying your images before you import them, as described in the Docker Documentation. Alternatively, you can use the Tenable.io CS Scanner to scan your images without importing them to Tenable.io Container Security.
If Tenable.io Container Security still aborts your scan, contact Tenable Support.
- (Optional) Click Back to configure another connector.
What to do next:
- View the results of your scan, as described in View Scan Results for Container Images.