Introduction

If you are seeing deprecation warnings in your CI/CD pipelines or IDE when configuring Amazon Elastic Container Registry (ECR), you are not alone.

AWS has officially deprecated repository-level image scanning configurations and the PutImageScanningConfiguration API (https://aws.amazon.com/blogs/containers/container-scanning-updates-in-amazon-ecr-private-registries-using-amazon-inspector/). However, a major misconception has arisen: scan-on-push is not dead at all.

What changed is where you configure it. AWS transitioned from a fragmented, repository-by-repository toggle to a centralized, registry-wide configuration. Here is how to upgrade your ECR infrastructure to the new registry-level scanning standard using Terraform.

The problem with the old way is that you had to explicitly tell every single repository to scan images upon delivery. In Terraform, it looked like this:

DEPRECATED APPROACH

resource "aws_ecr_repository" "react-app" {
  name = "microservice-20"
  # This block is deprecated and will trigger warnings
  image_scanning_configuration {
    scan_on_push = true
  }
}

If your organization has many microservices, let’s say 30 to 60, you have to copy-paste that image_scanning_configuration block 50 times. If a developer forgets to add it to a new repository, the images in that repository go into production without ever being scanned for vulnerabilities.

The New Architecture: Centralized Registry Governance

AWS resolved this management headache by shifting the logic to the Private Registry level. Instead of configuring individual repositories, you now define global Scanning Filters. You write a single rule that says: “Automatically enable scan-on-push for every repository in this registry.” This ensures complete security coverage: any new repository created in the future inherits this rule automatically.

How to Fix It with Terraform

To adopt the new standard, you must delete the deprecated scanning blocks from your individual repository resources and deploy the aws_ecr_registry_scanning_configuration resource.

Step 1: Clean Up Your Repositories

Remove the image_scanning_configuration block entirely from your aws_ecr_repository resources:

CLEAN MODERN REPOSITORY

resource "aws_ecr_repository" "my_app" {
  name                 = "my-microservice"
  image_tag_mutability = "MUTABLE"

  # The scanning configuration is gone from here!
}

Step 2: Create the Global Registry Rule

Add the single global resource to your codebase. This configuration implements the free Basic scanning tier and applies a wildcard (*) filter to automatically scan every single repository on push.

NEW REGISTRY-LEVEL SCANNING

resource "aws_ecr_registry_scanning_configuration" "global_scanning" {
  scan_type = "BASIC"
  rule {
    scan_frequency = "SCAN_ON_PUSH"
    repository_filter {
      filter      = "*"
      filter_type = "WILDCARD"
    }
  }
}

Note: If your team or organisation requires continuous scanning and programming-language package vulnerability checks (npm, pip, bundler), you can change scan_type to ENHANCED, which integrates with Amazon Inspector. Be aware that ENHANCED scanning is not free, unlike the BASIC tier.
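The following is an added example, not code from the original post. It ties together the two problems above: the copy-paste burden of many repositories and the choice between BASIC and ENHANCED scanning. It creates a small fleet of repositories from one list with for_each (no per-repository scanning block), then defines a single registry-level configuration with two rules: continuous rescanning for repositories whose names start with "prod-" and scan-on-push for everything else, including repositories created later. The repository names, the "prod-*" naming convention and the region are assumptions made for this example.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region; the registry is per account and region
}

locals {
  # Constructed repository names for this example.
  repositories = toset([
    "prod-api",
    "prod-web",
    "dev-api",
    "dev-web",
  ])
}

# One resource block covers every repository in the list.
# There is no image_scanning_configuration here; the registry rule below applies.
resource "aws_ecr_repository" "fleet" {
  for_each = local.repositories

  name = each.key
}

# Exactly one of these exists per registry (per AWS account and region).
resource "aws_ecr_registry_scanning_configuration" "registry" {
  scan_type = "ENHANCED" # Amazon Inspector backed; billed, unlike BASIC

  # Rule 1: production repositories are scanned on push and re-scanned
  # continuously as new vulnerability data is published.
  rule {
    scan_frequency = "CONTINUOUS_SCAN"
    repository_filter {
      filter      = "prod-*" # assumed naming convention
      filter_type = "WILDCARD"
    }
  }

  # Rule 2: every other repository, including ones created in the future,
  # is scanned when an image is pushed.
  rule {
    scan_frequency = "SCAN_ON_PUSH"
    repository_filter {
      filter      = "*"
      filter_type = "WILDCARD"
    }
  }
}
```

After `terraform apply`, confirm the rules landed with `aws ecr get-registry-scanning-configuration`; the output lists the scan type and each rule with its filter. Because a private registry is regional, a multi-region deployment needs this resource once per region, typically through provider aliases. With scan_type set back to BASIC, only the SCAN_ON_PUSH rule is valid, which is why the post's single-rule version uses that frequency.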

Summary

By migrating your configuration to the registry level, you eliminate repetitive code, remove noisy deprecation warnings from your Terraform plans, and guarantee that no container image bypasses your security checks. In my upcoming articles, I will be writing about configuring manual and scan-on-push scanning with Terraform, the AWS CLI, and the console.

Thank you for reading all through. I know this is not as long as other articles, but this is just like a preamble to the coming articles on ECR Image Scanning. It was nice writing here again. See you later. Cheers!!!!