ECR initial scan (on push): $0.09 / image
ECR continuous rescan: $0.01 / image / rescan event
CI/CD on-demand scan: $0.03 / image
Each build pushes 1 new image digest to ECR.
On-push: scanned once per push. No rescans.
Lifecycle mode: retained images = all digests pushed within the retention window. Live containers (latest per service) are always kept.
Baseline mode: a fixed number of images in the registry, floored by the live service count.
Continuous: rescans all retained images per vuln DB update.
CI/CD pipeline: adds a per-build scan in CI/CD tooling.

Total container images (services):

Pipeline runs (builds) per day:

Each build rebuilds & pushes exactly 1 container image.

Working days per month:

ECR image retention:

Lifecycle policy

Fixed image count

Retention (days):

All image digests pushed within this window are retained. Live containers (latest per service) are always kept.

Total images in registry:

Fixed number of images in ECR subject to continuous rescanning. Floored by the live service count.

Vuln DB rescans per month:

AWS examples cite ~15/month. All retained ECR images are rescanned each time.

On-push scanning is always included as the base cost.

Add continuous scanning

Add CI/CD pipeline scanning

AWS Inspector Container Scanning Cost Model