To start scanning container images with DTA or with VS services you first need to connect an image registry to scan images from.

Note: Currently, Aqua VS scans container images only in AWS Elastic Container Registry (ECR) registries. More registries will be supported soon.

Connect an AWS ECR registry

  1. Go to the “Aqua DTA > Registries” or “Aqua VS > Registries” screen.
  2. Click on “Connect a Registry”.
  3. Use our CloudFormation stack to create cross account access from your AWS account to the desired service.
  4. Once the CloudFormation stack is done, go to the output screen in AWS and copy output string that represent your Registries ARN and paste it in the “Connect a Registry” screen.
  5. Once you set up a registry it will appear in the Registries screen after several minutes. Images that are in the scope of the ARN will be scanned and appear in the Images screen.
  6. The service will automatically re-scan the registry for new images. In addition, previously scanned images in Aqua VS service will be re-scanned to ensure you have the latest results.


  • Image scanning takes place in the background. Its duration may vary depending on factors such as image size, number of resources, AWS region network, and others. When scanning a registry, it is recommended that you wait 24 hours before reviewing the results.
  • During the early preview of the Secure the Build services, only part of the images will be scanned from your account registries