
Amazon Inspector

Amazon Inspector is AWS's managed vulnerability-scanning service for EC2 instances, container images (Amazon ECR), and Lambda functions — it continuously scans against the AWS CVE feed and surfaces findings with severity scoring. Stub page — expand on future Inspector-internals sources.

The ECR-image-to-running-container mapping capability

The capability Generali calls out explicitly — introduced by the "enhances container security by mapping Amazon ECR images to running containers" feature referenced in the source — solves the core prioritisation problem of registry-wide scanning:

Before: Inspector finds vulnerabilities in every image in every ECR repository, regardless of whether the image is actually deployed anywhere. A 10K-CVE report with no deployment context is nearly impossible to prioritise against real risk, because a critical CVE in an idle image and one in the production base image look identical.

After: each vulnerability finding is augmented with runtime context:

  • Cluster ARNs where the image is deployed.
  • Number of EKS pods currently running the image.
  • Last in-use date for each vulnerability finding.

This pivots the remediation prioritisation axis from "most severe CVE" to "most severe CVE × biggest running-pod footprint × most recently used" — the actual risk signal. Vulnerabilities in images sitting idle in ECR drop in priority; vulnerabilities in the fleet-wide production base image climb.
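A worked version of that prioritisation axis, added here as an illustration and not Inspector's own scoring: it ranks constructed sample findings by severity × running-pod footprint × recency, so an idle image's critical CVE sorts below a moderate CVE in a widely deployed base image. The finding fields, CVE ids, image names and cluster ARNs are all made up for the example and do not follow Inspector's API schema.

```python
"""Rank vulnerability findings by severity x running pods x recency.

Constructed sample data; field names are this example's own, not the
Amazon Inspector API schema.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Finding:
    cve: str                      # placeholder id, not a real CVE
    image: str
    severity: float               # CVSS-style base score, 0-10
    cluster_arns: list[str] = field(default_factory=list)
    running_pods: int = 0         # EKS pods currently running the image
    last_in_use: date | None = None   # None = never observed running


def priority(f: Finding, today: date) -> float:
    """Risk signal: severity x running-pod footprint x recency.

    Images with no running pods get a small floor so they still sort by
    severity among themselves, but always below anything deployed.
    """
    if f.running_pods == 0 or f.last_in_use is None:
        return f.severity * 0.01
    days_idle = (today - f.last_in_use).days
    recency = 1.0 / (1 + days_idle / 7)   # decays as the last-use date ages
    return f.severity * f.running_pods * recency


def rank(findings: list[Finding], today: date) -> list[Finding]:
    """Highest-priority finding first."""
    return sorted(findings, key=lambda f: priority(f, today), reverse=True)


TODAY = date(2026, 3, 23)
SAMPLE = [  # constructed findings: idle image, prod base image, low-traffic service
    Finding("CVE-XXXX-0001", "team-a/legacy-tool:1.2", 9.8),
    Finding("CVE-XXXX-0002", "platform/base:2024.11", 7.5,
            ["arn:aws:eks:ap-southeast-1:123456789012:cluster/prod"], 140, TODAY),
    Finding("CVE-XXXX-0003", "team-b/api:3.0", 8.1,
            ["arn:aws:eks:ap-southeast-1:123456789012:cluster/staging"], 2,
            TODAY - timedelta(days=30)),
]

if __name__ == "__main__":
    for f in rank(SAMPLE, TODAY):
        print(f"{priority(f, TODAY):8.2f}  {f.cve}  {f.image}  pods={f.running_pods}")
```

The 9.8 finding in the never-deployed image lands last; the 7.5 finding in the base image running on 140 pods lands first.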

This is the canonical runtime-vulnerability-prioritisation primitive on AWS.

Seen in

  • sources/2026-03-23-aws-generali-malaysia-eks-auto-mode — Generali uses Inspector for container image scanning with the ECR-to-running-containers mapping, "to prioritize vulnerabilities based on containers currently running in their environment rather than just identifying vulnerabilities in repository images."