You can scan Amazon ECR using our Docker integration. The recommended setup is to run the Enterprise scanner on an AWS host with an attached IAM role for ECR access. Keeping docker login and the scan on the same host is the simplest, most reliable configuration.

Every image URI must be explicitly listed.

Tokens expire approximately every 12 hours. 

 for docker login for recurring scans to refresh the authentication token. 

1. Create the scanner  in the dashboard and download the config.yml to your host. 

2. Create an AWS IAM User Group with the pre-defined policy

3. Add a user to the AWS IAM User Group. 

4. Authenticate to ECR. AWS ECR's docker login always uses the literal username AWS, which is used below. Confirm you have the correct docker container repo address (e.g. 123456789012.dkr.ecr.us-east-1.amazonaws.com/your-repo)

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com/your-repo

: This stores the credential in ~/.docker/config.json of the user who ran it (e.g. /root/.docker/config.json or /home/ec2-user/.docker/config.json), base64-encoded.

sources:
  - connection:
      "@type": type.googleapis.com/sources.Docker
      dockerKeychain: true
      images:
        - 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
    name: docker
    scanPeriod: 12
    type: SOURCE_TYPE_DOCKER
    verify: true


No username/password in the YAML. dockerKeychain: true reads the credential from step 3. The full registry hostname in each image URI tells the scanner which ECR registry to pull from.


./scanner validate --config=config.yaml --debug

Self-hosted scanner only: ECR scanning cannot be performed on the hosted scanner.

Run as the same user: The scanner must be run by the same user that executed docker login because it reads the keychain from that specific user's home directory.

No auto-enumeration: Every image URI must be explicitly listed.

Only linux/amd64 images are scanned: Images for arm64 or multi-arch architectures are skipped.

ECR token expiration: Tokens expire approximately every 12 hours; docker login should be scheduled via cron for recurring scans.

Full egress recommended: Partial allowlists can degrade results as the scanner verifies secrets against over 800 endpoints.

Amazon ECR

Docker

source

Filesystem

TruffleHog Docs

Choose your adventure

Configuring a scanner

Hosted Scanner deployment

Creating a scanner

Configuring a self-hosted scanner

Self-Hosted Deployment Guide

Linux Host

Helm Chart

Kubernetes Manifest

Resource requirements

Configuration file reference

Credential management

Running the scanner

Self-Hosted Scanner deployment

Getting started

Artifactory

AWS S3

Azure Repos (cloud)

Bitbucket

Buildkite

CircleCI

Confluence

Gerrit

GitLab

GitHub Real-time

GitHub

Google Cloud Storage (GCS)

Google Drive Domain-Wide Delegation (DWD)

Google Drive

Jenkins

Jira

Microsoft Sharepoint

Microsoft Teams

Postman

Slack

Vector

Reverify secrets

Verification caching

Scan for secrets

Self-discovery analyzers

GCP analyze

Analyze secrets

Email

Multi-project ticket synchronization

Splunk

Stdout

Webhook

Notify results

Shared Secrets

Scanning in CI

Pre-commit hooks

Pre-receive hooks

Block secrets from leaking

Custom detectors

Customizing detection

On-premise verification

Customizing detectors

Customizing TruffleHog

User Enablement Guide

Exported Secrets Column Definitions

Resource Hub

Architecture

Dynamic Role-Based Access Control (RBAC)

Authentication

Compliance

Data flow

How we handle your data

Security and Compliance

Secret Management Best Practices

Terminology

2026 May

2026 April

2026 March

2026 January

2025 December

2025 November

2025 October

2025 September

2025 August

2025 July

2025 June

2025 May

TruffleHog Release Notes