ECR Enhanced Scanning false positives

You're correct in identifying that the ECR Enhanced Scanning is reporting false positives based on transitive dependencies rather than the actually installed packages. This issue has been observed by other users as well, particularly since mid-February 2025.

The behavior you're seeing is likely due to a recent change in the ECR Enhanced Scanning/Inspector service. The scanner appears to be overly sensitive in its interpretation of dependencies, flagging vulnerabilities based on references in files like pom.xml, even when those dependencies are not actually present in the final container image.

Unfortunately, there isn't a straightforward way to prevent these false positives at the moment, as this seems to be an unintended consequence of improvements to the scanning engine's depth and breadth. However, here are a few steps you can consider:

1. Manually review and filter out the false positives based on your knowledge of the actual contents of your container images.

2. If possible, consider updating the pom.xml files in your dependencies to reference the latest versions of transitive dependencies. While this won't solve the underlying issue with the scanner, it might reduce the number of false positives.

3. Use suppression rules for known false positives. While not ideal, this can help manage the noise in your vulnerability reports.

4. Reach out to AWS Support to report this behavior. They can investigate whether this is a known issue and potentially provide guidance on how to interpret these findings or suggest workarounds.

It's worth noting that while these particular findings may be false positives, it's always good practice to ensure that the runtime environments where you deploy your containers are kept up-to-date and free of vulnerabilities.

AWS is likely aware of this issue, and there may be improvements or fixes in the pipeline. In the meantime, you'll need to be diligent in manually verifying the reported vulnerabilities against your actual container contents.
Sources
Inspector: false positives in ECR from pom.xml files | AWS re:Post

Hey There!

There couldn't a mistake in scanning, because vulnerability also depend upon the base image/packages you might be using in each line of your Dockerfile. I would suggest to use Docker Scout as well once from the "Docker Desktop" to filter out line by line, where the vulnerability might be there and visit respective Docker Hub Link of that image.

I had such issues with lot of other customers as well, thereby I use above method to filter the instances and isolate the issue completely.

For example for Python base image, they do reflect their vulnerability of each release tag, so you can also check for your base image/Dockerfile in Local Docker Scout Feature of Desktop Software to isolate, once done > ECR Scanning won't throw any vulnerability.

👁 Enter image description here

This pretty much renders the enhanced scanning useless... If I tell it to ignore warnings about a particular package, but then I have an ACTUAL vulnerability that's been missed, that's not good.

I'm having this problem with ruby gems, so it's a real fundamental flaw to be looking at specs that have MINIMUM requirements for other dependencies and calling that a security violation when, in truth, you've updated to the latest version of the target package. This is a pretty inexcuable mistake in understanding how package managers work.