Amazon EC2 Container Registry

2019/10/28 - Amazon EC2 Container Registry - 3 new, 4 updated API methods

Changes: Update ecr client to latest version

PutImageScanningConfiguration (new)

Updates the image scanning configuration for a repository.

See also: AWS API Documentation

Request Syntax

client.put_image_scanning_configuration(
    registryId='string',
    repositoryName='string',
    imageScanningConfiguration={
        'scanOnPush': True|False
    }
)
type registryId:

string

param registryId:

The AWS account ID associated with the registry that contains the repository in which to update the image scanning configuration setting. If you do not specify a registry, the default registry is assumed.

type repositoryName:

string

param repositoryName:

[REQUIRED]

The name of the repository in which to update the image scanning configuration setting.

type imageScanningConfiguration:

dict

param imageScanningConfiguration:

[REQUIRED]

The image scanning configuration for the repository. This setting determines whether images are scanned for known vulnerabilities after being pushed to the repository.

  • scanOnPush (boolean) --

    The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

rtype:

dict

returns:

Response Syntax

{
    'registryId': 'string',
    'repositoryName': 'string',
    'imageScanningConfiguration': {
        'scanOnPush': True|False
    }
}

Response Structure

  • (dict) --

    • registryId (string) --

      The registry ID associated with the request.

    • repositoryName (string) --

      The repository name associated with the request.

    • imageScanningConfiguration (dict) --

      The image scanning configuration setting for the repository.

      • scanOnPush (boolean) --

        The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.
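Because scanOnPush defaults to false, repositories created before this release, or created without the parameter, are never scanned automatically. The following added example (not part of the AWS documentation) audits a registry for such repositories with DescribeRepositories and enables the setting with PutImageScanningConfiguration. StubRepoClient and its repository data are constructed so the code runs offline; against a real account, pass boto3.client("ecr") instead.

```python
def find_unscanned_repositories(client, registry_id=None):
    """Return names of repositories where scanOnPush is false or not reported."""
    kwargs = {"maxResults": 100}
    if registry_id:
        kwargs["registryId"] = registry_id
    unscanned = []
    while True:
        page = client.describe_repositories(**kwargs)
        for repo in page.get("repositories", []):
            config = repo.get("imageScanningConfiguration") or {}
            # An absent setting is treated as the documented default (false).
            if not config.get("scanOnPush", False):
                unscanned.append(repo["repositoryName"])
        token = page.get("nextToken")
        if not token:
            return unscanned
        kwargs["nextToken"] = token  # continue from the previous page


def enable_scan_on_push(client, repository_names, registry_id=None):
    """Enable scanOnPush and return the names the response confirms as enabled."""
    confirmed = []
    for name in repository_names:
        kwargs = {
            "repositoryName": name,
            "imageScanningConfiguration": {"scanOnPush": True},
        }
        if registry_id:
            kwargs["registryId"] = registry_id
        response = client.put_image_scanning_configuration(**kwargs)
        # Trust the configuration echoed by the service, not the request sent.
        if response["imageScanningConfiguration"]["scanOnPush"]:
            confirmed.append(response["repositoryName"])
    return confirmed


class StubRepoClient:
    """Constructed stand-in for boto3.client("ecr"); serves two repos per page."""

    def __init__(self):
        self.scan_on_push = {
            "project-a/nginx-web-app": False,
            "base/alpine": True,
            "legacy/app": None,  # setting absent from the response
        }

    def describe_repositories(self, **kwargs):
        names = list(self.scan_on_push)
        start = int(kwargs.get("nextToken", 0))
        repos = []
        for name in names[start:start + 2]:
            repo = {"repositoryName": name}
            if self.scan_on_push[name] is not None:
                repo["imageScanningConfiguration"] = {
                    "scanOnPush": self.scan_on_push[name]
                }
            repos.append(repo)
        page = {"repositories": repos}
        if start + 2 < len(names):
            page["nextToken"] = str(start + 2)
        return page

    def put_image_scanning_configuration(self, **kwargs):
        config = kwargs["imageScanningConfiguration"]
        self.scan_on_push[kwargs["repositoryName"]] = config["scanOnPush"]
        return {
            "repositoryName": kwargs["repositoryName"],
            "imageScanningConfiguration": config,
        }


if __name__ == "__main__":
    ecr = StubRepoClient()  # real use: import boto3; ecr = boto3.client("ecr")
    missing = find_unscanned_repositories(ecr)
    print("scanOnPush disabled:", missing)
    print("enabled:", enable_scan_on_push(ecr, missing))
    print("still disabled:", find_unscanned_repositories(ecr))
```

Enabling the setting affects later pushes only; images already in the repository still need StartImageScan.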

DescribeImageScanFindings (new)

Describes the image scan findings for the specified image.

See also: AWS API Documentation

Request Syntax

client.describe_image_scan_findings(
    registryId='string',
    repositoryName='string',
    imageId={
        'imageDigest': 'string',
        'imageTag': 'string'
    },
    nextToken='string',
    maxResults=123
)
type registryId:

string

param registryId:

The AWS account ID associated with the registry that contains the repository for which to describe the image scan findings. If you do not specify a registry, the default registry is assumed.

type repositoryName:

string

param repositoryName:

[REQUIRED]

The repository for the image for which to describe the scan findings.

type imageId:

dict

param imageId:

[REQUIRED]

An object with identifying information for an Amazon ECR image.

  • imageDigest (string) --

    The sha256 digest of the image manifest.

  • imageTag (string) --

    The tag used for the image.

type nextToken:

string

param nextToken:

The nextToken value returned from a previous paginated DescribeImageScanFindings request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.

type maxResults:

integer

param maxResults:

The maximum number of image scan results returned by DescribeImageScanFindings in paginated output. When this parameter is used, DescribeImageScanFindings only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another DescribeImageScanFindings request with the returned nextToken value. This value can be between 1 and 1000. If this parameter is not used, then DescribeImageScanFindings returns up to 100 results and a nextToken value, if applicable.

rtype:

dict

returns:

Response Syntax

{
    'registryId': 'string',
    'repositoryName': 'string',
    'imageId': {
        'imageDigest': 'string',
        'imageTag': 'string'
    },
    'imageScanStatus': {
        'status': 'IN_PROGRESS'|'COMPLETE'|'FAILED',
        'description': 'string'
    },
    'imageScanFindings': {
        'imageScanCompletedAt': datetime(2015, 1, 1),
        'vulnerabilitySourceUpdatedAt': datetime(2015, 1, 1),
        'findings': [
            {
                'name': 'string',
                'description': 'string',
                'uri': 'string',
                'severity': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'|'UNDEFINED',
                'attributes': [
                    {
                        'key': 'string',
                        'value': 'string'
                    },
                ]
            },
        ],
        'findingSeverityCounts': {
            'string': 123
        }
    },
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • registryId (string) --

      The registry ID associated with the request.

    • repositoryName (string) --

      The repository name associated with the request.

    • imageId (dict) --

      An object with identifying information for an Amazon ECR image.

      • imageDigest (string) --

        The sha256 digest of the image manifest.

      • imageTag (string) --

        The tag used for the image.

    • imageScanStatus (dict) --

      The current state of the scan.

      • status (string) --

        The current state of an image scan.

      • description (string) --

        The description of the image scan status.

    • imageScanFindings (dict) --

      The information contained in the image scan findings.

      • imageScanCompletedAt (datetime) --

        The time of the last completed image scan.

      • vulnerabilitySourceUpdatedAt (datetime) --

        The time when the vulnerability data was last scanned.

      • findings (list) --

        The findings from the image scan.

        • (dict) --

          Contains information about an image scan finding.

          • name (string) --

            The name associated with the finding, usually a CVE number.

          • description (string) --

            The description of the finding.

          • uri (string) --

            A link containing additional details about the security vulnerability.

          • severity (string) --

            The finding severity.

          • attributes (list) --

            A collection of attributes of the host from which the finding is generated.

            • (dict) --

              This data type is used in the ImageScanFinding data type.

              • key (string) --

                The attribute key.

              • value (string) --

                The value assigned to the attribute key.

      • findingSeverityCounts (dict) --

        The image vulnerability counts, sorted by severity.

        • (string) --

          • (integer) --

    • nextToken (string) --

      The nextToken value to include in a future DescribeImageScanFindings request. When the results of a DescribeImageScanFindings request exceed maxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.
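A deployment gate built on DescribeImageScanFindings has to handle three things the reference implies: the scan may still be IN_PROGRESS, it may have FAILED, and findings arrive in pages linked by nextToken. The following added example (not part of the AWS documentation) polls until the scan settles, collects every page, and fails closed on anything other than a COMPLETE scan with no blocking findings. It assumes the scan was already started by scanOnPush or StartImageScan; StubScanClient, the digest and the finding names are constructed sample data.

```python
import time

BLOCKING = ("CRITICAL", "HIGH")  # add "UNDEFINED" to block unrated findings too


def collect_findings(client, repository, image_id):
    """Follow nextToken to the end; return (scan status, list of findings)."""
    kwargs = {"repositoryName": repository, "imageId": image_id, "maxResults": 1000}
    findings = []
    while True:
        page = client.describe_image_scan_findings(**kwargs)
        status = page["imageScanStatus"]["status"]
        if status != "COMPLETE":
            return status, []
        findings.extend(page.get("imageScanFindings", {}).get("findings", []))
        token = page.get("nextToken")
        if not token:
            return status, findings
        kwargs["nextToken"] = token


def gate_image(client, repository, image_id, blocking=BLOCKING,
               attempts=30, delay=10, sleep=time.sleep):
    """Return (allowed, reason, blocking_findings); deny unless provably clean."""
    status, findings = "IN_PROGRESS", []
    for _ in range(attempts):
        status, findings = collect_findings(client, repository, image_id)
        if status != "IN_PROGRESS":
            break
        sleep(delay)
    if status != "COMPLETE":
        # FAILED, or still IN_PROGRESS after the last attempt: fail closed.
        return False, "scan " + status, []
    bad = [f for f in findings if f["severity"] in blocking]
    if bad:
        return False, "%d blocking finding(s)" % len(bad), bad
    return True, "no blocking findings", []


def sample_page(status, findings=(), token=None):
    """Build a constructed DescribeImageScanFindings response page."""
    page = {"imageScanStatus": {"status": status},
            "imageScanFindings": {"findings": list(findings)}}
    if token:
        page["nextToken"] = token
    return page


class StubScanClient:
    """Constructed stand-in for boto3.client("ecr"); replays canned pages."""

    def __init__(self, pages):
        self.pages = list(pages)

    def describe_image_scan_findings(self, **kwargs):
        return self.pages.pop(0)


# Identify the image by digest: a tag in a MUTABLE repository can be overwritten
# between the scan and the deployment. Constructed placeholder digest.
IMAGE = {"imageDigest": "sha256:" + "0" * 64}

if __name__ == "__main__":
    pages = [
        sample_page("IN_PROGRESS"),
        sample_page("COMPLETE", [{"name": "CVE-0000-0001", "severity": "LOW"}], "t1"),
        sample_page("COMPLETE", [{"name": "CVE-0000-0002", "severity": "CRITICAL"}]),
    ]
    client = StubScanClient(pages)  # real use: boto3.client("ecr")
    print(gate_image(client, "project-a/nginx-web-app", IMAGE, sleep=lambda s: None))
```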

StartImageScan (new)

Starts an image vulnerability scan.

See also: AWS API Documentation

Request Syntax

client.start_image_scan(
    registryId='string',
    repositoryName='string',
    imageId={
        'imageDigest': 'string',
        'imageTag': 'string'
    }
)
type registryId:

string

param registryId:

The AWS account ID associated with the registry that contains the repository in which to start an image scan request. If you do not specify a registry, the default registry is assumed.

type repositoryName:

string

param repositoryName:

[REQUIRED]

The name of the repository that contains the images to scan.

type imageId:

dict

param imageId:

[REQUIRED]

An object with identifying information for an Amazon ECR image.

  • imageDigest (string) --

    The sha256 digest of the image manifest.

  • imageTag (string) --

    The tag used for the image.

rtype:

dict

returns:

Response Syntax

{
    'registryId': 'string',
    'repositoryName': 'string',
    'imageId': {
        'imageDigest': 'string',
        'imageTag': 'string'
    },
    'imageScanStatus': {
        'status': 'IN_PROGRESS'|'COMPLETE'|'FAILED',
        'description': 'string'
    }
}

Response Structure

  • (dict) --

    • registryId (string) --

      The registry ID associated with the request.

    • repositoryName (string) --

      The repository name associated with the request.

    • imageId (dict) --

      An object with identifying information for an Amazon ECR image.

      • imageDigest (string) --

        The sha256 digest of the image manifest.

      • imageTag (string) --

        The tag used for the image.

    • imageScanStatus (dict) --

      The current state of the scan.

      • status (string) --

        The current state of an image scan.

      • description (string) --

        The description of the image scan status.

CreateRepository (updated)
Changes (request, response)
Request
{'imageScanningConfiguration': {'scanOnPush': 'boolean'}}
Response
{'repository': {'imageScanningConfiguration': {'scanOnPush': 'boolean'}}}

Creates an Amazon Elastic Container Registry (Amazon ECR) repository, where users can push and pull Docker images. For more information, see Amazon ECR Repositories in the Amazon Elastic Container Registry User Guide.

See also: AWS API Documentation

Request Syntax

client.create_repository(
    repositoryName='string',
    tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    imageTagMutability='MUTABLE'|'IMMUTABLE',
    imageScanningConfiguration={
        'scanOnPush': True|False
    }
)
type repositoryName:

string

param repositoryName:

[REQUIRED]

The name to use for the repository. The repository name may be specified on its own (such as nginx-web-app) or it can be prepended with a namespace to group the repository into a category (such as project-a/nginx-web-app).

type tags:

list

param tags:

The metadata that you apply to the repository to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.

  • (dict) --

    The metadata that you apply to a resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.

    • Key (string) --

      One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

    • Value (string) --

      The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

type imageTagMutability:

string

param imageTagMutability:

The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten. If IMMUTABLE is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.

type imageScanningConfiguration:

dict

param imageScanningConfiguration:

The image scanning configuration for the repository. This setting determines whether images are scanned for known vulnerabilities after being pushed to the repository.

  • scanOnPush (boolean) --

    The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

rtype:

dict

returns:

Response Syntax

{
    'repository': {
        'repositoryArn': 'string',
        'registryId': 'string',
        'repositoryName': 'string',
        'repositoryUri': 'string',
        'createdAt': datetime(2015, 1, 1),
        'imageTagMutability': 'MUTABLE'|'IMMUTABLE',
        'imageScanningConfiguration': {
            'scanOnPush': True|False
        }
    }
}

Response Structure

  • (dict) --

    • repository (dict) --

      The repository that was created.

      • repositoryArn (string) --

        The Amazon Resource Name (ARN) that identifies the repository. The ARN contains the arn:aws:ecr namespace, followed by the region of the repository, AWS account ID of the repository owner, repository namespace, and repository name. For example, arn:aws:ecr:region:012345678910:repository/test.

      • registryId (string) --

        The AWS account ID associated with the registry that contains the repository.

      • repositoryName (string) --

        The name of the repository.

      • repositoryUri (string) --

        The URI for the repository. You can use this URI for Docker push or pull operations.

      • createdAt (datetime) --

        The date and time, in JavaScript date format, when the repository was created.

      • imageTagMutability (string) --

        The tag mutability setting for the repository.

      • imageScanningConfiguration (dict) --

        The image scanning configuration for a repository.

        • scanOnPush (boolean) --

          The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

DeleteRepository (updated)
Changes (response)
{'repository': {'imageScanningConfiguration': {'scanOnPush': 'boolean'}}}

Deletes an existing image repository. If a repository contains images, you must use the force option to delete it.

See also: AWS API Documentation

Request Syntax

client.delete_repository(
    registryId='string',
    repositoryName='string',
    force=True|False
)
type registryId:

string

param registryId:

The AWS account ID associated with the registry that contains the repository to delete. If you do not specify a registry, the default registry is assumed.

type repositoryName:

string

param repositoryName:

[REQUIRED]

The name of the repository to delete.

type force:

boolean

param force:

If a repository contains images, forces the deletion.

rtype:

dict

returns:

Response Syntax

{
    'repository': {
        'repositoryArn': 'string',
        'registryId': 'string',
        'repositoryName': 'string',
        'repositoryUri': 'string',
        'createdAt': datetime(2015, 1, 1),
        'imageTagMutability': 'MUTABLE'|'IMMUTABLE',
        'imageScanningConfiguration': {
            'scanOnPush': True|False
        }
    }
}

Response Structure

  • (dict) --

    • repository (dict) --

      The repository that was deleted.

      • repositoryArn (string) --

        The Amazon Resource Name (ARN) that identifies the repository. The ARN contains the arn:aws:ecr namespace, followed by the region of the repository, AWS account ID of the repository owner, repository namespace, and repository name. For example, arn:aws:ecr:region:012345678910:repository/test.

      • registryId (string) --

        The AWS account ID associated with the registry that contains the repository.

      • repositoryName (string) --

        The name of the repository.

      • repositoryUri (string) --

        The URI for the repository. You can use this URI for Docker push or pull operations.

      • createdAt (datetime) --

        The date and time, in JavaScript date format, when the repository was created.

      • imageTagMutability (string) --

        The tag mutability setting for the repository.

      • imageScanningConfiguration (dict) --

        The image scanning configuration for a repository.

        • scanOnPush (boolean) --

          The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

DescribeImages (updated)
Changes (response)
{'imageDetails': {'imageScanFindingsSummary': {'findingSeverityCounts': {'INFORMATIONAL | LOW | MEDIUM | HIGH | CRITICAL | UNDEFINED': 'integer'},
                                               'imageScanCompletedAt': 'timestamp',
                                               'vulnerabilitySourceUpdatedAt': 'timestamp'},
                  'imageScanStatus': {'description': 'string',
                                      'status': 'IN_PROGRESS | COMPLETE | FAILED'}}}

Returns metadata about the images in a repository, including image size, image tags, and creation date.

See also: AWS API Documentation

Request Syntax

client.describe_images(
    registryId='string',
    repositoryName='string',
    imageIds=[
        {
            'imageDigest': 'string',
            'imageTag': 'string'
        },
    ],
    nextToken='string',
    maxResults=123,
    filter={
        'tagStatus': 'TAGGED'|'UNTAGGED'|'ANY'
    }
)
type registryId:

string

param registryId:

The AWS account ID associated with the registry that contains the repository in which to describe images. If you do not specify a registry, the default registry is assumed.

type repositoryName:

string

param repositoryName:

[REQUIRED]

The repository that contains the images to describe.

type imageIds:

list

param imageIds:

The list of image IDs for the requested repository.

  • (dict) --

    An object with identifying information for an Amazon ECR image.

    • imageDigest (string) --

      The sha256 digest of the image manifest.

    • imageTag (string) --

      The tag used for the image.

type nextToken:

string

param nextToken:

The nextToken value returned from a previous paginated DescribeImages request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return. This option cannot be used when you specify images with imageIds.

type maxResults:

integer

param maxResults:

The maximum number of repository results returned by DescribeImages in paginated output. When this parameter is used, DescribeImages only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another DescribeImages request with the returned nextToken value. This value can be between 1 and 1000. If this parameter is not used, then DescribeImages returns up to 100 results and a nextToken value, if applicable. This option cannot be used when you specify images with imageIds.

type filter:

dict

param filter:

The filter key and value with which to filter your DescribeImages results.

  • tagStatus (string) --

    The tag status with which to filter your DescribeImages results. You can filter results based on whether they are TAGGED or UNTAGGED.

rtype:

dict

returns:

Response Syntax

{
    'imageDetails': [
        {
            'registryId': 'string',
            'repositoryName': 'string',
            'imageDigest': 'string',
            'imageTags': [
                'string',
            ],
            'imageSizeInBytes': 123,
            'imagePushedAt': datetime(2015, 1, 1),
            'imageScanStatus': {
                'status': 'IN_PROGRESS'|'COMPLETE'|'FAILED',
                'description': 'string'
            },
            'imageScanFindingsSummary': {
                'imageScanCompletedAt': datetime(2015, 1, 1),
                'vulnerabilitySourceUpdatedAt': datetime(2015, 1, 1),
                'findingSeverityCounts': {
                    'string': 123
                }
            }
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • imageDetails (list) --

      A list of ImageDetail objects that contain data about the image.

      • (dict) --

        An object that describes an image returned by a DescribeImages operation.

        • registryId (string) --

          The AWS account ID associated with the registry to which this image belongs.

        • repositoryName (string) --

          The name of the repository to which this image belongs.

        • imageDigest (string) --

          The sha256 digest of the image manifest.

        • imageTags (list) --

          The list of tags associated with this image.

          • (string) --

        • imageSizeInBytes (integer) --

          The size, in bytes, of the image in the repository.

        • imagePushedAt (datetime) --

          The date and time, expressed in standard JavaScript date format, at which the current image was pushed to the repository.

        • imageScanStatus (dict) --

          The current state of the scan.

          • status (string) --

            The current state of an image scan.

          • description (string) --

            The description of the image scan status.

        • imageScanFindingsSummary (dict) --

          A summary of the last completed image scan.

          • imageScanCompletedAt (datetime) --

            The time of the last completed image scan.

          • vulnerabilitySourceUpdatedAt (datetime) --

            The time when the vulnerability data was last scanned.

          • findingSeverityCounts (dict) --

            The image vulnerability counts, sorted by severity.

            • (string) --

              • (integer) --

    • nextToken (string) --

      The nextToken value to include in a future DescribeImages request. When the results of a DescribeImages request exceed maxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.

DescribeRepositories (updated)
Changes (response)
{'repositories': {'imageScanningConfiguration': {'scanOnPush': 'boolean'}}}

Describes image repositories in a registry.

See also: AWS API Documentation

Request Syntax

client.describe_repositories(
    registryId='string',
    repositoryNames=[
        'string',
    ],
    nextToken='string',
    maxResults=123
)
type registryId:

string

param registryId:

The AWS account ID associated with the registry that contains the repositories to be described. If you do not specify a registry, the default registry is assumed.

type repositoryNames:

list

param repositoryNames:

A list of repositories to describe. If this parameter is omitted, then all repositories in a registry are described.

  • (string) --

type nextToken:

string

param nextToken:

The nextToken value returned from a previous paginated DescribeRepositories request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return. This option cannot be used when you specify repositories with repositoryNames.

type maxResults:

integer

param maxResults:

The maximum number of repository results returned by DescribeRepositories in paginated output. When this parameter is used, DescribeRepositories only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another DescribeRepositories request with the returned nextToken value. This value can be between 1 and 1000. If this parameter is not used, then DescribeRepositories returns up to 100 results and a nextToken value, if applicable. This option cannot be used when you specify repositories with repositoryNames.

rtype:

dict

returns:

Response Syntax

{
    'repositories': [
        {
            'repositoryArn': 'string',
            'registryId': 'string',
            'repositoryName': 'string',
            'repositoryUri': 'string',
            'createdAt': datetime(2015, 1, 1),
            'imageTagMutability': 'MUTABLE'|'IMMUTABLE',
            'imageScanningConfiguration': {
                'scanOnPush': True|False
            }
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • repositories (list) --

      A list of repository objects corresponding to valid repositories.

      • (dict) --

        An object representing a repository.

        • repositoryArn (string) --

          The Amazon Resource Name (ARN) that identifies the repository. The ARN contains the arn:aws:ecr namespace, followed by the region of the repository, AWS account ID of the repository owner, repository namespace, and repository name. For example, arn:aws:ecr:region:012345678910:repository/test.

        • registryId (string) --

          The AWS account ID associated with the registry that contains the repository.

        • repositoryName (string) --

          The name of the repository.

        • repositoryUri (string) --

          The URI for the repository. You can use this URI for Docker push or pull operations.

        • createdAt (datetime) --

          The date and time, in JavaScript date format, when the repository was created.

        • imageTagMutability (string) --

          The tag mutability setting for the repository.

        • imageScanningConfiguration (dict) --

          The image scanning configuration for a repository.

          • scanOnPush (boolean) --

            The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

    • nextToken (string) --

      The nextToken value to include in a future DescribeRepositories request. When the results of a DescribeRepositories request exceed maxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.