We have turned on Amazon Inspector v2 (15-day trial) and we are scanning both EC2 instances and ECR images (continual scanning). We have container images that are based on the following .NET 6.0 runtime, which itself uses a Debian 11 (bullseye-slim) base image:
mcr.microsoft.com/dotnet/aspnet:6.0
When scanned by Inspector v2 enhanced scanning, there are no vulnerabilities found ("Image is actively being scanned, no vulnerabilities are currently found"). However, when we scan the image locally using docker scan (which runs on the Snyk engine), we can see that there are 38 vulnerabilities found, including 1 critical, 2 high and 35 low vulnerabilities.
Similarly, when scanning a Debian 10 (buster-slim)-based image (e.g. mcr.microsoft.com/dotnet/aspnet:5.0), we see that some vulnerabilities are reported by enhanced scanning in Inspector v2, while considerably more are found when running docker scan locally on the image.
Why is Amazon Inspector v2 not reporting on these apparent vulnerabilities?
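A first step in answering a question like this is to see exactly which CVE IDs differ between the two scanners rather than comparing totals. The script below is an added example, not part of the question above: it takes the JSON written by `docker scan --json <image>` and by `aws inspector2 list-findings` (filtered to the ECR repository holding the same image) and reports which CVEs only one side found, with a severity breakdown of the gap. The output shapes it parses (Snyk's `vulnerabilities[].identifiers.CVE`, Inspector's `findings[].packageVulnerabilityDetails.vulnerabilityId`) are assumptions about those tools' formats, and the sample documents and `CVE-0000-…` IDs are constructed placeholders, not real findings from the poster's images.

```python
"""Diff the CVE IDs reported by docker scan (Snyk) and Amazon Inspector v2 for one image.

Added example for the question above; the JSON layouts and sample data below are
assumptions/placeholders, not captured output from the poster's images.

Producing real inputs (flags assumed from the two CLIs):
  docker scan --json mcr.microsoft.com/dotnet/aspnet:6.0 > snyk.json
  aws inspector2 list-findings \
      --filter-criteria '{"ecrImageRepositoryName":[{"comparison":"EQUALS","value":"my-repo"}]}' \
      > inspector.json
"""
import json
import sys
from collections import Counter

# Constructed sample of Snyk/docker scan output (assumed shape). One Snyk finding
# may carry several CVE ids under identifiers.CVE.
SNYK_SAMPLE = json.loads("""
{
  "vulnerabilities": [
    {"id": "SNYK-DEBIAN11-PLACEHOLDER-1", "severity": "critical",
     "packageName": "examplepkg", "identifiers": {"CVE": ["CVE-0000-00001"]}},
    {"id": "SNYK-DEBIAN11-PLACEHOLDER-2", "severity": "high",
     "packageName": "examplepkg", "identifiers": {"CVE": ["CVE-0000-00002"]}},
    {"id": "SNYK-DEBIAN11-PLACEHOLDER-3", "severity": "low",
     "packageName": "otherpkg", "identifiers": {"CVE": ["CVE-0000-00003", "CVE-0000-00004"]}}
  ]
}
""")

# Constructed sample of `aws inspector2 list-findings` output (assumed shape).
# A suppressed finding is included to show that only ACTIVE findings are compared.
INSPECTOR_SAMPLE = json.loads("""
{
  "findings": [
    {"severity": "HIGH", "status": "ACTIVE",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00002",
       "vulnerablePackages": [{"name": "examplepkg", "version": "1.0-1"}]}},
    {"severity": "LOW", "status": "SUPPRESSED",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00004",
       "vulnerablePackages": [{"name": "otherpkg", "version": "2.0-1"}]}}
  ]
}
""")


def snyk_cves(doc):
    """Map CVE id -> lowercase severity from a Snyk/docker scan JSON document.
    Each CVE is keyed separately so the comparison is CVE-by-CVE, not finding-by-finding."""
    out = {}
    for vuln in doc.get("vulnerabilities", []):
        for cve in vuln.get("identifiers", {}).get("CVE", []):
            out[cve] = vuln.get("severity", "unknown").lower()
    return out


def inspector_cves(doc):
    """Map CVE id -> lowercase severity from Inspector v2 list-findings output,
    keeping only ACTIVE findings and only ids that are CVEs (Inspector may also
    report advisory ids that are not CVEs)."""
    out = {}
    for finding in doc.get("findings", []):
        if finding.get("status", "ACTIVE") != "ACTIVE":
            continue
        vuln_id = finding.get("packageVulnerabilityDetails", {}).get("vulnerabilityId", "")
        if vuln_id.startswith("CVE-"):
            out[vuln_id] = finding.get("severity", "UNKNOWN").lower()
    return out


def compare(snyk, inspector):
    """Return sorted CVE ids seen only by Snyk, only by Inspector, and by both."""
    s, i = set(snyk), set(inspector)
    return {"only_snyk": sorted(s - i), "only_inspector": sorted(i - s), "both": sorted(s & i)}


def severity_breakdown(severities, ids):
    """Count the severities (from the given scanner's map) of the listed CVE ids."""
    return Counter(severities[c] for c in ids)


def report(snyk_doc, inspector_doc):
    """Build the comparison for two parsed documents and return it (also used by main)."""
    snyk, inspector = snyk_cves(snyk_doc), inspector_cves(inspector_doc)
    diff = compare(snyk, inspector)
    diff["only_snyk_by_severity"] = dict(severity_breakdown(snyk, diff["only_snyk"]))
    return diff


def main(argv):
    # With two file arguments, compare real scanner output; otherwise use the samples.
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            result = report(json.load(f1), json.load(f2))
    else:
        result = report(SNYK_SAMPLE, INSPECTOR_SAMPLE)
    print(json.dumps(result, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run as `python cve_diff.py snyk.json inspector.json`; without arguments it runs on the constructed samples. Comparing on CVE id rather than on the scanner's own finding id matters because Snyk assigns one id per package/advisory (which may bundle several CVEs) while Inspector keys package findings on the CVE, so raw finding counts are not directly comparable even when both scanners agree.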