
"aws ecr describe-image-scan-findings --max-items" does not work for enhanced image scan configuration

Open twhiteman opened this issue 1 year ago • 1 comment

Describe the bug

I have enabled ECR enhanced image scanning and I have an image that has been pushed and scanned, which contains 4 vulnerabilities (as shown in the ECR console UI).

If I run the following command everything works as expected (it returns all 4 vulnerabilities):

$ aws ecr describe-image-scan-findings --repository-name REPO --image-id imageTag=IMAGETAG | jq '.imageScanFindings.enhancedFindings | length'
4

If I add --max-items CLI parameter, it returns more than I asked for (it returns 4 vulnerabilities, expected 2):

$ aws ecr describe-image-scan-findings --repository-name REPO --image-id imageTag=IMAGETAG --max-items 2  | jq '.imageScanFindings.enhancedFindings | length'
4

Expected Behavior

See description.

Current Behavior

See description.

Reproduction Steps

See description.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.15.43 Python/3.11.8 Linux/6.2.0-35-generic exe/x86_64.ubuntu.22 prompt/off

Environment details (OS name and version, etc.)

Linux Ubuntu 22.04

twhiteman avatar May 01 '24 21:05 twhiteman

Hi @twhiteman thanks for reaching out. Here is the describe-image-scan-findings documentation for reference.

I believe the issue here is that enhancedFindings in the API response is a nested list under imageScanFindings, so --max-items won't get applied directly. I think this command accomplishes what you're trying to do:

aws ecr describe-image-scan-findings --repository-name aws-batch-demo --image-id imageTag=latest | jq '.imageScanFindings.enhancedFindings | .[:2]'

For more information on how --max-items is used you can refer to the CLI pagination documentation. I think the DescribeImageScanFindings API is somewhat unique compared to other APIs in that it includes both enhancedFindings and basic findings in the response output.

I actually reached out to the ECR team a while back (tracked in https://github.com/aws/aws-sdk/issues/370) asking for clarification on how maxResults gets applied. It looks like that clarification was never added so I just reached out again regarding that.

tim-finnigan avatar May 03 '24 19:05 tim-finnigan
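The nested list described above can be limited client-side instead of with --max-items. This added example (not part of the thread or of the aws-cli project) parses a constructed response of the documented shape, sorts enhancedFindings by severity before truncating so that a cap of 2 keeps the worst findings rather than whichever two the API listed first, and tallies findings per severity. The severity labels and their ranking are assumed from the ECR enhanced-scan severity values; the CVE ids are placeholders.

```python
import json

# Constructed sample of a DescribeImageScanFindings response (values are made
# up, CVE ids are placeholders); only the fields this example reads are present.
SAMPLE_RESPONSE = json.dumps({
    "imageScanFindings": {
        "enhancedFindings": [
            {"severity": "MEDIUM", "title": "placeholder finding A",
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001"}},
            {"severity": "CRITICAL", "title": "placeholder finding B",
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002"}},
            {"severity": "LOW", "title": "placeholder finding C",
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0003"}},
            {"severity": "HIGH", "title": "placeholder finding D",
             "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0004"}},
        ]
    }
})

# Assumed ranking of the ECR enhanced-scan severity labels, worst first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL",
                  "UNTRIAGED", "UNDEFINED"]


def _enhanced_findings(response_text):
    data = json.loads(response_text)
    return data.get("imageScanFindings", {}).get("enhancedFindings", [])


def _rank(finding):
    sev = finding.get("severity", "UNDEFINED")
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def top_enhanced_findings(response_text, max_items):
    """Client-side stand-in for --max-items on the nested list: order by
    severity (worst first), then keep at most max_items entries."""
    return sorted(_enhanced_findings(response_text), key=_rank)[:max_items]


def severity_counts(response_text):
    """Tally enhanced findings by severity label, e.g. for a gate or report."""
    counts = {}
    for finding in _enhanced_findings(response_text):
        sev = finding.get("severity", "UNDEFINED")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for f in top_enhanced_findings(SAMPLE_RESPONSE, 2):
        print(f["severity"], f["packageVulnerabilityDetails"]["vulnerabilityId"])
    print(severity_counts(SAMPLE_RESPONSE))
```

Feeding the real command's stdout into `top_enhanced_findings` instead of `SAMPLE_RESPONSE` gives the same cut without relying on --max-items.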

aws ecr image describe scan for the main portal values in it paste drop or click to add files in it. Security policy labels in it are also different for different triage and vogue files of it. 302029 is still in the bandage process, do verify the settings in it for further initiation and prototype bounding courses in it.

amberkushwaha avatar May 07 '24 05:05 amberkushwaha

I'm not clear on the comment above, but it looks like this issue can be closed, as my earlier comment provides a workaround and describes why --max-items isn't getting applied. If further clarity is needed here, please use the Provide feedback link on the API documentation page or CLI pagination page.

tim-finnigan avatar May 07 '24 16:05 tim-finnigan

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

github-actions[bot] avatar May 07 '24 16:05 github-actions[bot]