Amazon EC2 Container Registry

2019/10/28 - Amazon EC2 Container Registry - 3 new 4 updated api methods

Changes: This release of Amazon Elastic Container Registry Service (Amazon ECR) introduces support for image scanning. This identifies the software vulnerabilities in the container image based on the Common Vulnerabilities and Exposures (CVE) database.

PutImageScanningConfiguration (new)

Updates the image scanning configuration for a repository.

See also: AWS API Documentation

Request Syntax

client.put_image_scanning_configuration(
    registryId='string',
    repositoryName='string',
    imageScanningConfiguration={
        'scanOnPush': True|False
    }
)
type registryId

string

param registryId

The AWS account ID associated with the registry that contains the repository in which to update the image scanning configuration setting. If you do not specify a registry, the default registry is assumed.

type repositoryName

string

param repositoryName

[REQUIRED]

The name of the repository in which to update the image scanning configuration setting.

type imageScanningConfiguration

dict

param imageScanningConfiguration

[REQUIRED]

The image scanning configuration for the repository. This setting determines whether images are scanned for known vulnerabilities after being pushed to the repository.

  • scanOnPush (boolean) --

    The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

rtype

dict

returns

Response Syntax

{
    'registryId': 'string',
    'repositoryName': 'string',
    'imageScanningConfiguration': {
        'scanOnPush': True|False
    }
}

Response Structure

  • (dict) --

    • registryId (string) --

      The registry ID associated with the request.

    • repositoryName (string) --

      The repository name associated with the request.

    • imageScanningConfiguration (dict) --

      The image scanning configuration setting for the repository.

      • scanOnPush (boolean) --

        The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

DescribeImageScanFindings (new)

Describes the image scan findings for the specified image.

See also: AWS API Documentation

Request Syntax

client.describe_image_scan_findings(
    registryId='string',
    repositoryName='string',
    imageId={
        'imageDigest': 'string',
        'imageTag': 'string'
    },
    nextToken='string',
    maxResults=123
)
type registryId

string

param registryId

The AWS account ID associated with the registry that contains the repository for which to describe the image scan findings. If you do not specify a registry, the default registry is assumed.

type repositoryName

string

param repositoryName

[REQUIRED]

The repository for the image for which to describe the scan findings.

type imageId

dict

param imageId

[REQUIRED]

An object with identifying information for an Amazon ECR image.

  • imageDigest (string) --

    The sha256 digest of the image manifest.

  • imageTag (string) --

    The tag used for the image.

type nextToken

string

param nextToken

The nextToken value returned from a previous paginated DescribeImageScanFindings request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.

type maxResults

integer

param maxResults

The maximum number of image scan results returned by DescribeImageScanFindings in paginated output. When this parameter is used, DescribeImageScanFindings only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another DescribeImageScanFindings request with the returned nextToken value. This value can be between 1 and 1000. If this parameter is not used, then DescribeImageScanFindings returns up to 100 results and a nextToken value, if applicable.

rtype

dict

returns

Response Syntax

{
    'registryId': 'string',
    'repositoryName': 'string',
    'imageId': {
        'imageDigest': 'string',
        'imageTag': 'string'
    },
    'imageScanStatus': {
        'status': 'IN_PROGRESS'|'COMPLETE'|'FAILED',
        'description': 'string'
    },
    'imageScanFindings': {
        'imageScanCompletedAt': datetime(2015, 1, 1),
        'vulnerabilitySourceUpdatedAt': datetime(2015, 1, 1),
        'findings': [
            {
                'name': 'string',
                'description': 'string',
                'uri': 'string',
                'severity': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'|'UNDEFINED',
                'attributes': [
                    {
                        'key': 'string',
                        'value': 'string'
                    },
                ]
            },
        ],
        'findingSeverityCounts': {
            'string': 123
        }
    },
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • registryId (string) --

      The registry ID associated with the request.

    • repositoryName (string) --

      The repository name associated with the request.

    • imageId (dict) --

      An object with identifying information for an Amazon ECR image.

      • imageDigest (string) --

        The sha256 digest of the image manifest.

      • imageTag (string) --

        The tag used for the image.

    • imageScanStatus (dict) --

      The current state of the scan.

      • status (string) --

        The current state of an image scan.

      • description (string) --

        The description of the image scan status.

    • imageScanFindings (dict) --

      The information contained in the image scan findings.

      • imageScanCompletedAt (datetime) --

        The time of the last completed image scan.

      • vulnerabilitySourceUpdatedAt (datetime) --

        The time when the vulnerability data was last scanned.

      • findings (list) --

        The findings from the image scan.

        • (dict) --

          Contains information about an image scan finding.

          • name (string) --

            The name associated with the finding, usually a CVE number.

          • description (string) --

            The description of the finding.

          • uri (string) --

            A link containing additional details about the security vulnerability.

          • severity (string) --

            The finding severity.

          • attributes (list) --

            A collection of attributes of the host from which the finding is generated.

            • (dict) --

              This data type is used in the ImageScanFinding data type.

              • key (string) --

                The attribute key.

              • value (string) --

                The value assigned to the attribute key.

      • findingSeverityCounts (dict) --

        The image vulnerability counts, sorted by severity.

        • (string) --

          • (integer) --

    • nextToken (string) --

      The nextToken value to include in a future DescribeImageScanFindings request. When the results of a DescribeImageScanFindings request exceed maxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.
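
Added example (not part of the AWS documentation): a deploy gate built on the DescribeImageScanFindings request and response shapes above. It polls until imageScanStatus is COMPLETE, follows nextToken to the last page, and reports the findings that should block a release. FakeEcr, SAMPLE_PAGES, the EXAMPLE-* finding names and the BLOCKING policy are constructed for illustration; with real credentials, pass boto3.client('ecr') instead.

```python
import time

# Assumption: blocking policy chosen for this example, not an AWS default.
# UNDEFINED is included so findings without a rated severity cannot slip through.
BLOCKING = frozenset({"CRITICAL", "HIGH", "UNDEFINED"})


class ScanNotUsable(Exception):
    """The scan FAILED or never reached COMPLETE; callers should fail closed."""


def fetch_findings(client, repository_name, image_digest, max_results=1000,
                   attempts=10, delay=5.0, sleep=time.sleep):
    """Return all findings for one image digest once its scan is COMPLETE."""
    request = {
        "repositoryName": repository_name,
        # Ask by digest: a MUTABLE tag can point at a different manifest later.
        "imageId": {"imageDigest": image_digest},
        "maxResults": max_results,
    }
    for _ in range(attempts):
        page = client.describe_image_scan_findings(**request)
        status = page["imageScanStatus"]
        if status["status"] == "COMPLETE":
            break
        if status["status"] == "FAILED":
            raise ScanNotUsable(status.get("description", "scan failed"))
        sleep(delay)  # IN_PROGRESS: poll again
    else:
        raise ScanNotUsable("scan still IN_PROGRESS after %d polls" % attempts)

    findings = list(page.get("imageScanFindings", {}).get("findings", []))
    # Keep following nextToken; stopping at the first page drops findings silently.
    while page.get("nextToken"):
        page = client.describe_image_scan_findings(nextToken=page["nextToken"], **request)
        findings.extend(page.get("imageScanFindings", {}).get("findings", []))
    return findings


def blocking_findings(findings, blocking=BLOCKING):
    """Names of findings whose severity is in the blocking set, sorted."""
    return sorted(f["name"] for f in findings if f["severity"] in blocking)


class FakeEcr:
    """Constructed stand-in for boto3.client('ecr'): replays canned responses in order."""
    def __init__(self, pages):
        self.pages, self.calls = list(pages), []

    def describe_image_scan_findings(self, **kwargs):
        self.calls.append(kwargs)
        return self.pages[len(self.calls) - 1]


def _finding(name, severity):
    return {"name": name, "severity": severity, "uri": "", "description": "", "attributes": []}


# Constructed sample responses (finding names are placeholders, not real CVE ids).
SAMPLE_PAGES = [
    {"imageScanStatus": {"status": "IN_PROGRESS"}},
    {"imageScanStatus": {"status": "COMPLETE"}, "nextToken": "t1",
     "imageScanFindings": {"findings": [_finding("EXAMPLE-A", "LOW"),
                                        _finding("EXAMPLE-B", "CRITICAL")]}},
    {"imageScanStatus": {"status": "COMPLETE"},
     "imageScanFindings": {"findings": [_finding("EXAMPLE-C", "UNDEFINED")]}},
]

if __name__ == "__main__":
    ecr = FakeEcr(SAMPLE_PAGES)
    found = fetch_findings(ecr, "project-a/nginx-web-app", "sha256:<digest>",
                           sleep=lambda seconds: None)
    print(blocking_findings(found))
```

A FAILED or still-running scan raises ScanNotUsable rather than returning an empty list, so a pipeline that calls this cannot mistake "no result" for "no vulnerabilities".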

StartImageScan (new)

Starts an image vulnerability scan.

See also: AWS API Documentation

Request Syntax

client.start_image_scan(
    registryId='string',
    repositoryName='string',
    imageId={
        'imageDigest': 'string',
        'imageTag': 'string'
    }
)
type registryId

string

param registryId

The AWS account ID associated with the registry that contains the repository in which to start an image scan request. If you do not specify a registry, the default registry is assumed.

type repositoryName

string

param repositoryName

[REQUIRED]

The name of the repository that contains the images to scan.

type imageId

dict

param imageId

[REQUIRED]

An object with identifying information for an Amazon ECR image.

  • imageDigest (string) --

    The sha256 digest of the image manifest.

  • imageTag (string) --

    The tag used for the image.

rtype

dict

returns

Response Syntax

{
    'registryId': 'string',
    'repositoryName': 'string',
    'imageId': {
        'imageDigest': 'string',
        'imageTag': 'string'
    },
    'imageScanStatus': {
        'status': 'IN_PROGRESS'|'COMPLETE'|'FAILED',
        'description': 'string'
    }
}

Response Structure

  • (dict) --

    • registryId (string) --

      The registry ID associated with the request.

    • repositoryName (string) --

      The repository name associated with the request.

    • imageId (dict) --

      An object with identifying information for an Amazon ECR image.

      • imageDigest (string) --

        The sha256 digest of the image manifest.

      • imageTag (string) --

        The tag used for the image.

    • imageScanStatus (dict) --

      The current state of the scan.

      • status (string) --

        The current state of an image scan.

      • description (string) --

        The description of the image scan status.

CreateRepository (updated)
Changes (request, response)
Request
{'imageScanningConfiguration': {'scanOnPush': 'boolean'}}
Response
{'repository': {'imageScanningConfiguration': {'scanOnPush': 'boolean'}}}

Creates an Amazon Elastic Container Registry (Amazon ECR) repository, where users can push and pull Docker images. For more information, see Amazon ECR Repositories in the Amazon Elastic Container Registry User Guide.

See also: AWS API Documentation

Request Syntax

client.create_repository(
    repositoryName='string',
    tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    imageTagMutability='MUTABLE'|'IMMUTABLE',
    imageScanningConfiguration={
        'scanOnPush': True|False
    }
)
type repositoryName

string

param repositoryName

[REQUIRED]

The name to use for the repository. The repository name may be specified on its own (such as nginx-web-app) or it can be prepended with a namespace to group the repository into a category (such as project-a/nginx-web-app).

type tags

list

param tags

The metadata that you apply to the repository to help you categorize and organize it. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.

  • (dict) --

    The metadata that you apply to a resource to help you categorize and organize it. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.

    • Key (string) --

      One part of a key-value pair that makes up a tag. A key is a general label that acts like a category for more specific tag values.

    • Value (string) --

      The optional part of a key-value pair that makes up a tag. A value acts as a descriptor within a tag category (key).

type imageTagMutability

string

param imageTagMutability

The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE is used, which allows image tags to be overwritten. If IMMUTABLE is specified, all image tags within the repository are immutable, which prevents them from being overwritten.

type imageScanningConfiguration

dict

param imageScanningConfiguration

The image scanning configuration for the repository. This setting determines whether images are scanned for known vulnerabilities after being pushed to the repository.

  • scanOnPush (boolean) --

    The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

rtype

dict

returns

Response Syntax

{
    'repository': {
        'repositoryArn': 'string',
        'registryId': 'string',
        'repositoryName': 'string',
        'repositoryUri': 'string',
        'createdAt': datetime(2015, 1, 1),
        'imageTagMutability': 'MUTABLE'|'IMMUTABLE',
        'imageScanningConfiguration': {
            'scanOnPush': True|False
        }
    }
}

Response Structure

  • (dict) --

    • repository (dict) --

      The repository that was created.

      • repositoryArn (string) --

        The Amazon Resource Name (ARN) that identifies the repository. The ARN contains the arn:aws:ecr namespace, followed by the region of the repository, AWS account ID of the repository owner, repository namespace, and repository name. For example, arn:aws:ecr:region:012345678910:repository/test.

      • registryId (string) --

        The AWS account ID associated with the registry that contains the repository.

      • repositoryName (string) --

        The name of the repository.

      • repositoryUri (string) --

        The URI for the repository. You can use this URI for Docker push or pull operations.

      • createdAt (datetime) --

        The date and time, in JavaScript date format, when the repository was created.

      • imageTagMutability (string) --

        The tag mutability setting for the repository.

      • imageScanningConfiguration (dict) --

        The image scanning configuration for a repository.

        • scanOnPush (boolean) --

          The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

DeleteRepository (updated)
Changes (response)
{'repository': {'imageScanningConfiguration': {'scanOnPush': 'boolean'}}}

Deletes an existing image repository. If a repository contains images, you must use the force option to delete it.

See also: AWS API Documentation

Request Syntax

client.delete_repository(
    registryId='string',
    repositoryName='string',
    force=True|False
)
type registryId

string

param registryId

The AWS account ID associated with the registry that contains the repository to delete. If you do not specify a registry, the default registry is assumed.

type repositoryName

string

param repositoryName

[REQUIRED]

The name of the repository to delete.

type force

boolean

param force

If a repository contains images, forces the deletion.

rtype

dict

returns

Response Syntax

{
    'repository': {
        'repositoryArn': 'string',
        'registryId': 'string',
        'repositoryName': 'string',
        'repositoryUri': 'string',
        'createdAt': datetime(2015, 1, 1),
        'imageTagMutability': 'MUTABLE'|'IMMUTABLE',
        'imageScanningConfiguration': {
            'scanOnPush': True|False
        }
    }
}

Response Structure

  • (dict) --

    • repository (dict) --

      The repository that was deleted.

      • repositoryArn (string) --

        The Amazon Resource Name (ARN) that identifies the repository. The ARN contains the arn:aws:ecr namespace, followed by the region of the repository, AWS account ID of the repository owner, repository namespace, and repository name. For example, arn:aws:ecr:region:012345678910:repository/test.

      • registryId (string) --

        The AWS account ID associated with the registry that contains the repository.

      • repositoryName (string) --

        The name of the repository.

      • repositoryUri (string) --

        The URI for the repository. You can use this URI for Docker push or pull operations.

      • createdAt (datetime) --

        The date and time, in JavaScript date format, when the repository was created.

      • imageTagMutability (string) --

        The tag mutability setting for the repository.

      • imageScanningConfiguration (dict) --

        The image scanning configuration for a repository.

        • scanOnPush (boolean) --

          The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

DescribeImages (updated)
Changes (response)
{'imageDetails': {'imageScanFindingsSummary': {'findingSeverityCounts': {'INFORMATIONAL | LOW | MEDIUM | HIGH | CRITICAL | UNDEFINED': 'integer'},
                                               'imageScanCompletedAt': 'timestamp',
                                               'vulnerabilitySourceUpdatedAt': 'timestamp'},
                  'imageScanStatus': {'description': 'string',
                                      'status': 'IN_PROGRESS | COMPLETE | '
                                                'FAILED'}}}

Returns metadata about the images in a repository, including image size, image tags, and creation date.

Note

Beginning with Docker version 1.9, the Docker client compresses image layers before pushing them to a V2 Docker registry. The output of the docker images command shows the uncompressed image size, so it may return a larger image size than the image sizes returned by DescribeImages.

See also: AWS API Documentation

Request Syntax

client.describe_images(
    registryId='string',
    repositoryName='string',
    imageIds=[
        {
            'imageDigest': 'string',
            'imageTag': 'string'
        },
    ],
    nextToken='string',
    maxResults=123,
    filter={
        'tagStatus': 'TAGGED'|'UNTAGGED'|'ANY'
    }
)
type registryId

string

param registryId

The AWS account ID associated with the registry that contains the repository in which to describe images. If you do not specify a registry, the default registry is assumed.

type repositoryName

string

param repositoryName

[REQUIRED]

The repository that contains the images to describe.

type imageIds

list

param imageIds

The list of image IDs for the requested repository.

  • (dict) --

    An object with identifying information for an Amazon ECR image.

    • imageDigest (string) --

      The sha256 digest of the image manifest.

    • imageTag (string) --

      The tag used for the image.

type nextToken

string

param nextToken

The nextToken value returned from a previous paginated DescribeImages request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return. This option cannot be used when you specify images with imageIds.

type maxResults

integer

param maxResults

The maximum number of repository results returned by DescribeImages in paginated output. When this parameter is used, DescribeImages only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another DescribeImages request with the returned nextToken value. This value can be between 1 and 1000. If this parameter is not used, then DescribeImages returns up to 100 results and a nextToken value, if applicable. This option cannot be used when you specify images with imageIds.

type filter

dict

param filter

The filter key and value with which to filter your DescribeImages results.

  • tagStatus (string) --

    The tag status with which to filter your DescribeImages results. You can filter results based on whether they are TAGGED or UNTAGGED.

rtype

dict

returns

Response Syntax

{
    'imageDetails': [
        {
            'registryId': 'string',
            'repositoryName': 'string',
            'imageDigest': 'string',
            'imageTags': [
                'string',
            ],
            'imageSizeInBytes': 123,
            'imagePushedAt': datetime(2015, 1, 1),
            'imageScanStatus': {
                'status': 'IN_PROGRESS'|'COMPLETE'|'FAILED',
                'description': 'string'
            },
            'imageScanFindingsSummary': {
                'imageScanCompletedAt': datetime(2015, 1, 1),
                'vulnerabilitySourceUpdatedAt': datetime(2015, 1, 1),
                'findingSeverityCounts': {
                    'string': 123
                }
            }
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • imageDetails (list) --

      A list of ImageDetail objects that contain data about the image.

      • (dict) --

        An object that describes an image returned by a DescribeImages operation.

        • registryId (string) --

          The AWS account ID associated with the registry to which this image belongs.

        • repositoryName (string) --

          The name of the repository to which this image belongs.

        • imageDigest (string) --

          The sha256 digest of the image manifest.

        • imageTags (list) --

          The list of tags associated with this image.

          • (string) --

        • imageSizeInBytes (integer) --

          The size, in bytes, of the image in the repository.

          Note

          Beginning with Docker version 1.9, the Docker client compresses image layers before pushing them to a V2 Docker registry. The output of the docker images command shows the uncompressed image size, so it may return a larger image size than the image sizes returned by DescribeImages.

        • imagePushedAt (datetime) --

          The date and time, expressed in standard JavaScript date format, at which the current image was pushed to the repository.

        • imageScanStatus (dict) --

          The current state of the scan.

          • status (string) --

            The current state of an image scan.

          • description (string) --

            The description of the image scan status.

        • imageScanFindingsSummary (dict) --

          A summary of the last completed image scan.

          • imageScanCompletedAt (datetime) --

            The time of the last completed image scan.

          • vulnerabilitySourceUpdatedAt (datetime) --

            The time when the vulnerability data was last scanned.

          • findingSeverityCounts (dict) --

            The image vulnerability counts, sorted by severity.

            • (string) --

              • (integer) --

    • nextToken (string) --

      The nextToken value to include in a future DescribeImages request. When the results of a DescribeImages request exceed maxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.

DescribeRepositories (updated)
Changes (response)
{'repositories': {'imageScanningConfiguration': {'scanOnPush': 'boolean'}}}

Describes image repositories in a registry.

See also: AWS API Documentation

Request Syntax

client.describe_repositories(
    registryId='string',
    repositoryNames=[
        'string',
    ],
    nextToken='string',
    maxResults=123
)
type registryId

string

param registryId

The AWS account ID associated with the registry that contains the repositories to be described. If you do not specify a registry, the default registry is assumed.

type repositoryNames

list

param repositoryNames

A list of repositories to describe. If this parameter is omitted, then all repositories in a registry are described.

  • (string) --

type nextToken

string

param nextToken

The nextToken value returned from a previous paginated DescribeRepositories request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return. This option cannot be used when you specify repositories with repositoryNames.

Note

This token should be treated as an opaque identifier that is only used to retrieve the next items in a list and not for other programmatic purposes.

type maxResults

integer

param maxResults

The maximum number of repository results returned by DescribeRepositories in paginated output. When this parameter is used, DescribeRepositories only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another DescribeRepositories request with the returned nextToken value. This value can be between 1 and 1000. If this parameter is not used, then DescribeRepositories returns up to 100 results and a nextToken value, if applicable. This option cannot be used when you specify repositories with repositoryNames.

rtype

dict

returns

Response Syntax

{
    'repositories': [
        {
            'repositoryArn': 'string',
            'registryId': 'string',
            'repositoryName': 'string',
            'repositoryUri': 'string',
            'createdAt': datetime(2015, 1, 1),
            'imageTagMutability': 'MUTABLE'|'IMMUTABLE',
            'imageScanningConfiguration': {
                'scanOnPush': True|False
            }
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • repositories (list) --

      A list of repository objects corresponding to valid repositories.

      • (dict) --

        An object representing a repository.

        • repositoryArn (string) --

          The Amazon Resource Name (ARN) that identifies the repository. The ARN contains the arn:aws:ecr namespace, followed by the region of the repository, AWS account ID of the repository owner, repository namespace, and repository name. For example, arn:aws:ecr:region:012345678910:repository/test.

        • registryId (string) --

          The AWS account ID associated with the registry that contains the repository.

        • repositoryName (string) --

          The name of the repository.

        • repositoryUri (string) --

          The URI for the repository. You can use this URI for Docker push or pull operations.

        • createdAt (datetime) --

          The date and time, in JavaScript date format, when the repository was created.

        • imageTagMutability (string) --

          The tag mutability setting for the repository.

        • imageScanningConfiguration (dict) --

          The image scanning configuration for a repository.

          • scanOnPush (boolean) --

            The setting that determines whether images are scanned after being pushed to a repository. If set to true, images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.

    • nextToken (string) --

      The nextToken value to include in a future DescribeRepositories request. When the results of a DescribeRepositories request exceed maxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.
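
Added example (not part of the AWS documentation): a registry-wide audit that combines DescribeRepositories with PutImageScanningConfiguration to find repositories where scanOnPush is false or absent and, outside dry-run mode, switch it on. FakeRegistry and its repository names are constructed so the code runs offline; with real credentials, pass boto3.client('ecr') instead.

```python
def repos_without_scan_on_push(client, max_results=100):
    """Yield repository dicts whose scanOnPush is false or missing."""
    token = None
    while True:
        kwargs = {"maxResults": max_results}
        if token:
            kwargs["nextToken"] = token
        page = client.describe_repositories(**kwargs)
        for repo in page["repositories"]:
            # A missing block is treated like the documented default: false.
            if not repo.get("imageScanningConfiguration", {}).get("scanOnPush", False):
                yield repo
        token = page.get("nextToken")
        if not token:
            return


def enforce_scan_on_push(client, dry_run=True):
    """Enable scanOnPush wherever it is off; return (name, tag mutability) per repo."""
    changed = []
    for repo in repos_without_scan_on_push(client):
        if not dry_run:
            resp = client.put_image_scanning_configuration(
                registryId=repo["registryId"],
                repositoryName=repo["repositoryName"],
                imageScanningConfiguration={"scanOnPush": True},
            )
            # Check the response rather than assuming the request took effect.
            if not resp["imageScanningConfiguration"]["scanOnPush"]:
                raise RuntimeError("scanOnPush not applied to " + repo["repositoryName"])
        changed.append((repo["repositoryName"], repo.get("imageTagMutability", "MUTABLE")))
    return changed


class FakeRegistry:
    """Constructed stand-in for boto3.client('ecr'); serves two repositories per page."""
    def __init__(self):
        self.repos = [
            {"registryId": "012345678910", "repositoryName": "project-a/nginx-web-app",
             "imageTagMutability": "IMMUTABLE",
             "imageScanningConfiguration": {"scanOnPush": True}},
            {"registryId": "012345678910", "repositoryName": "legacy-api"},  # no scan block
            {"registryId": "012345678910", "repositoryName": "batch-jobs",
             "imageTagMutability": "MUTABLE",
             "imageScanningConfiguration": {"scanOnPush": False}},
        ]

    def describe_repositories(self, maxResults=100, nextToken=None):
        start = int(nextToken or 0)
        page = {"repositories": self.repos[start:start + 2]}
        if start + 2 < len(self.repos):
            page["nextToken"] = str(start + 2)
        return page

    def put_image_scanning_configuration(self, registryId, repositoryName,
                                         imageScanningConfiguration):
        for repo in self.repos:
            if repo["repositoryName"] == repositoryName:
                repo["imageScanningConfiguration"] = dict(imageScanningConfiguration)
        return {"registryId": registryId, "repositoryName": repositoryName,
                "imageScanningConfiguration": dict(imageScanningConfiguration)}


if __name__ == "__main__":
    registry = FakeRegistry()
    print("would change:", enforce_scan_on_push(registry, dry_run=True))
    print("changed:", enforce_scan_on_push(registry, dry_run=False))
    print("remaining:", enforce_scan_on_push(registry, dry_run=True))
```

Turning scanOnPush on only affects later pushes; images already in a repository still need a StartImageScan call to be scanned.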