No vulnerability data received (AWS)


Administrators may notice that their AWS servers (EC2) or containers (ECR) are reporting "No vulnerability data received" in the Vulnerability status column on the Vulnerabilities page.

Root Cause

This occurs because the AWS integration has the "AWS Inspector / Basic Scanning enabled" feature turned on, but Vanta is not detecting scan findings for the servers and/or containers that are in scope from AWS.

When this feature is toggled on, Vanta expects AWS Inspector to be enabled and performing vulnerability scanning for your servers and, optionally, your containers:



If you do not use Inspector for your containers, Vanta checks for ECR scans instead. Specifically, it checks that default basic scanning is enabled and that the latest image has scan findings:



Vanta does not support the new improved basic scanning at the moment.

Troubleshooting Steps for Containers

Inspector (ECR)

  1. Confirm that the status of the containers in AWS Inspector is Activated (Continuous)




  2. Confirm the containers have findings



    If both of these requirements are met but Vanta is reporting "No vulnerability data received", please submit a ticket to support@vanta.com, including screenshots of the status and scan findings similar to the screenshots above.

ECR Basic Scanning

  1. Confirm you have basic scanning enabled and that the scanning version is 'Default'; Vanta does not support the new improved basic scanning at the moment:



  2. Please confirm that the repo is eligible for scanning in AWS.
    The container may show that there are vulnerabilities, but if the status column shows "Scan eligibility has expired" or the last scan was completed more than 30 days ago, the vulnerabilities will not be fetched into Vanta:





  3. If you use tags on your images:



    Please confirm on the Vulnerabilities page that you configured Vanta to look for that tag.
    You can click on the repo, and then select configure image scan:



    And ensure the same tag is defined:



    If you do not configure Vanta to check for the custom tag, the vulnerabilities will never be fetched. If you do not use tags, please ensure there is not a custom tag value set.

    If you have verified that all of the settings are configured correctly yet Vanta still reports "No vulnerability data received", please submit a ticket to support@vanta.com, including screenshots of the settings mentioned above.
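
The eligibility, 30-day and tag checks from steps 2 and 3 can also be run locally against the JSON returned by `aws ecr describe-image-scan-findings`. This is an added example, not Vanta's code or logic; the function name `scan_problems` and the sample responses are constructed for illustration, and it assumes basic scanning, where a finished scan has the status COMPLETE.

```python
from datetime import datetime, timedelta, timezone

MAX_SCAN_AGE = timedelta(days=30)  # from the article: older scans are not fetched

def _parse_ts(value):
    # AWS CLI v2 prints ISO 8601 strings; CLI v1 prints epoch seconds.
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def scan_problems(response, now, expected_tag=None):
    """List the reasons one image's basic scan fails the checks in steps 2 and 3."""
    problems = []
    status = response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":  # e.g. SCAN_ELIGIBILITY_EXPIRED or FAILED
        problems.append(f"scan status is {status}, not COMPLETE")
    findings = response.get("imageScanFindings", {})
    completed = findings.get("imageScanCompletedAt")
    if completed is None:
        problems.append("no completed scan recorded")
    elif now - _parse_ts(completed) > MAX_SCAN_AGE:
        problems.append("last scan completed more than 30 days ago")
    if not findings.get("findingSeverityCounts"):
        problems.append("scan has no findings")
    # Assumption: expected_tag is the tag entered under "configure image scan".
    tag = response.get("imageId", {}).get("imageTag")
    if expected_tag is not None and tag != expected_tag:
        problems.append(f"image tag is {tag}, expected {expected_tag}")
    return problems

# Constructed sample responses (not real scan data).
SAMPLE_OK = {
    "imageId": {"imageTag": "prod"},
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"imageScanCompletedAt": "2024-06-01T08:00:00+00:00",
                          "findingSeverityCounts": {"HIGH": 2, "MEDIUM": 5}},
}
SAMPLE_STALE = {
    "imageId": {"imageTag": "latest"},
    "imageScanStatus": {"status": "SCAN_ELIGIBILITY_EXPIRED"},
    "imageScanFindings": {"imageScanCompletedAt": 1709280000.0,  # 2024-03-01T08:00Z
                          "findingSeverityCounts": {"HIGH": 1}},
}

if __name__ == "__main__":
    now = datetime(2024, 6, 10, tzinfo=timezone.utc)
    print(scan_problems(SAMPLE_OK, now, expected_tag="prod"))
    print(scan_problems(SAMPLE_STALE, now, expected_tag="prod"))
```

An empty list means the image passes these local checks; any entries are worth fixing in AWS or in the Vanta image scan configuration before opening a ticket.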

Troubleshooting Steps for Servers (EC2)

Please go through the steps in this article, Troubleshooting Missing EC2 Instance Inspector Scans, and confirm the servers are in an 'Actively Monitoring' state:


And have scan findings:



If these requirements are met, please submit a ticket to support@vanta.com for more troubleshooting.