By any chance, do the images have SCAN_ELIGIBILITY_EXPIRED status. If so, those won't be scanned. To enable scanning, you need to push the images again.
This does sound similar to an issue I ran into recently with ECR Enhanced Scanning (Inspector2). A few of my images just stayed in “Active” with continuous scanning enabled, but no findings ever appeared. In my case, it turned out the images had some metadata issues that caused Inspector2 to skip them silently — for example, missing or malformed OS/package data in the manifest.
One way to troubleshoot is to run a local vulnerability scan on one of the affected images (e.g., using trivy or grype) to confirm that the image has a valid SBOM and CVE data. If that looks normal, I’d open an AWS Support case. This might actually be a bug or a backend delay, especially if the majority of your images are working fine and there’s no clear difference between them.
Unfortunately, there’s no way to manually force a re-scan with Enhanced Scanning (only Basic Scanning has that), so AWS Support is usually the fastest way to get confirmation or a fix.
especially if the majority of your images are working fine
Yep, I literally use the same Dockerfile template and only ship one different statically built Go binary - that is the only real difference between them :shrug:
This is a known quirk — some images don’t get scanned if Inspector2 can’t generate a software bill of materials (SBOM) from the image. This can happen if:
The image is missing standard package metadata (common with very slim Ubuntu/Debian base images).
The manifest format is non-standard or multi-arch images are missing x86_64 layers.
You can verify by scanning the image locally with a tool like trivy — if no packages are detected, Inspector2 will also skip it silently.
If the images do have valid metadata but still aren’t scanned, I’d open an AWS support case. There have been backend bugs where some repos get “stuck” and don’t schedule scans until AWS resets them.
answered 9 months ago
The image is missing standard package metadata (common with very slim Ubuntu/Debian base images).
I literally use the same Dockerfile template and only ship one different statically built Go binary - that is the only real difference between them. So I fail to believe just one executable is what can make SBOM unable to generate.
I guess now I need to pay for the paid support to help AWS fix their bug :facepalm:
This doesn't appear to be a bug, but rather a limitation of how Amazon ECR enhanced scanning with Amazon Inspector works.
When you see "Active" status with empty scan results, this indicates that the image is eligible for scanning, but the actual scan may not have completed yet or there might be an issue with the scanning process.
There are a few important points to consider:
- Manual scans are not supported with enhanced scanning. As you noted, it's impossible to manually trigger a re-scan when enhanced scanning is enabled.
- When enhanced scanning is turned on, only repositories matching the scan filters are scanned. Even though you've configured "Continuously scan all repositories," there might be some filtering happening behind the scenes.
- Amazon Inspector emits events to EventBridge when an initial scan is completed and when findings are created, updated, or closed. You could check EventBridge for any relevant events related to these images.
- For continuous scanning, Amazon Inspector initiates new vulnerability scans when a new image is pushed or when a new CVE is added to its database that is relevant to that image.
Since the images show "Active" status, they should be eligible for scanning. If they're not being scanned, you might want to try pushing these images again to your repository, as this can sometimes resolve scanning issues. This is especially true if these were older images that were pushed more than 30 days before you enabled enhanced scanning, as Amazon Inspector only recognizes images pushed to Amazon ECR in the last 30 days based on the image push timestamp.
Sources
Troubleshooting image scanning in Amazon ECR - Amazon ECR
Scan images for OS and programming language package vulnerabilities in Amazon ECR - Amazon ECR
Scanning Amazon Elastic Container Registry container images with Amazon Inspector - Amazon Inspector
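As an added example (not code from the thread or from AWS), the following Python triage applies the steps in the answers above to the output of `aws ecr describe-images --repository-name <repo> --output json`. It assumes the ECR API field names imageScanStatus, imagePushedAt and imageScanFindingsSummary, and that a completed enhanced scan populates the findings summary; the sample response is constructed.

```python
from datetime import datetime, timedelta

# Inspector only picks up images pushed within the last 30 days (see the answer above).
ELIGIBILITY_WINDOW = timedelta(days=30)

# Constructed sample in the shape of `aws ecr describe-images --output json`
# (ECR API field names: imageScanStatus, imageScanFindingsSummary, imagePushedAt).
SAMPLE = {"imageDetails": [
    {"imageDigest": "sha256:1111", "imagePushedAt": "2024-06-10T08:00:00+00:00",
     "imageScanStatus": {"status": "ACTIVE"},
     "imageScanFindingsSummary": {"findingSeverityCounts": {"HIGH": 1, "MEDIUM": 3}}},
    {"imageDigest": "sha256:2222", "imagePushedAt": "2024-06-11T08:00:00+00:00",
     "imageScanStatus": {"status": "ACTIVE"}},
    {"imageDigest": "sha256:3333", "imagePushedAt": "2024-01-05T08:00:00+00:00",
     "imageScanStatus": {"status": "ACTIVE"}},
    {"imageDigest": "sha256:4444", "imagePushedAt": "2024-02-01T08:00:00+00:00",
     "imageScanStatus": {"status": "SCAN_ELIGIBILITY_EXPIRED"}},
]}

def triage(describe_output, enhanced_enabled_at):
    """Map each digest to the next step from the thread: expired images and images
    pushed >30 days before enhanced scanning was enabled need a re-push; ACTIVE
    images with no completed scan need a local SBOM check, then a support case."""
    actions = {}
    for img in describe_output.get("imageDetails", []):
        status = img.get("imageScanStatus", {}).get("status", "UNKNOWN")
        summary = img.get("imageScanFindingsSummary", {})
        # A completed scan carries a summary even when the image is clean.
        scanned = bool(summary.get("imageScanCompletedAt") or summary.get("findingSeverityCounts"))
        pushed = datetime.fromisoformat(img["imagePushedAt"])
        if status == "SCAN_ELIGIBILITY_EXPIRED":
            action = "re-push: scan eligibility expired"
        elif status == "ACTIVE" and scanned:
            action = "scanned: findings available"
        elif status == "ACTIVE" and pushed < enhanced_enabled_at - ELIGIBILITY_WINDOW:
            action = "re-push: pushed >30 days before enhanced scanning was enabled"
        elif status == "ACTIVE":
            action = "no findings yet: verify SBOM locally (trivy/grype), then open a support case"
        else:
            action = f"status {status}: inspect imageScanStatus.description"
        actions[img["imageDigest"]] = action
    return actions

def triage_sample(enabled_iso="2024-06-01T00:00:00+00:00"):
    """Triage the constructed sample; enabled_iso is when enhanced scanning was turned on."""
    return triage(SAMPLE, datetime.fromisoformat(enabled_iso))

for digest, action in triage_sample().items():
    print(digest, "->", action)
```

Feed it the real JSON with `json.load` and the date you enabled enhanced scanning to get a per-image list of which ones need a re-push and which ones warrant a local trivy/grype check before a support case.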

They have
Some of the problematic images have been built within 24 hours. But all of those problematic images are pulled every day and are not marked as SCAN_ELIGIBILITY_EXPIRED.