fivexl
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 12 additions & 12 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 11 additions & 24 deletions b/‎.github/workflows/codeql-analysis.yml‎
Lines changed: 11 additions & 24 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 30 additions & 29 deletions b/‎README.md‎
Lines changed: 30 additions & 29 deletions
diff --git a/‎docker.go‎
Lines changed: 5 additions & 3 deletions b/‎docker.go‎
Lines changed: 5 additions & 3 deletions
@@ -3,9 +3,9 @@ name: CI
 on:
   push:
     tags: [ v* ]
-    branches: [ master ]
+    branches: [ master, main ]
   pull_request:
-    branches: [ master ]
+    branches: [ master, main ]
 
 jobs:
 
@@ -14,37 +14,37 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - name: Set up Go 1.x
-      uses: actions/setup-go@v3
+    - name: Set up Go
+      uses: actions/setup-go@v5
       with:
-        go-version: ^1.13
+        go-version: '1.24'
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@v3.2.0
+      uses: golangci/golangci-lint-action@v6
       with:
-        version: v1.48
+        version: latest
 
     - name: Prepare a snapshot release
       if: "!startsWith(github.ref, 'refs/tags/v')"
-      uses: goreleaser/goreleaser-action@v3
+      uses: goreleaser/goreleaser-action@v6
       with:
         version: latest
-        args: release --rm-dist --snapshot
+        args: release --clean --snapshot
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Release a new version
       if: startsWith(github.ref, 'refs/tags/v')
-      uses: goreleaser/goreleaser-action@v3
+      uses: goreleaser/goreleaser-action@v6
       with:
         version: latest
-        args: release --rm-dist
+        args: release --clean
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 
@@ -13,10 +13,9 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ master ]
+    branches: [ master, main ]
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ master ]
+    branches: [ master, main ]
   schedule:
     - cron: '26 4 * * 4'
 
@@ -33,38 +32,26 @@ jobs:
       fail-fast: false
       matrix:
         language: [ 'go' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: '1.24'
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
+      uses: github/codeql-action/autobuild@v3
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
@@ -1,3 +1,17 @@
+### v0.7.0
+
+* Switch to AWS native basic scanning (Clair was deprecated on Feb 2, 2026)
+* Add retry logic for scan initiation delay with AWS native scanning (handles ScanNotFoundException)
+* Add pagination for DescribeImageScanFindings to collect all findings across multiple pages
+* Upgrade AWS SDK Go v2 (v1.16.7 -> v1.41.1, ECR service v1.17.8 -> v1.55.1)
+* Upgrade Go from 1.14 to 1.24
+* Upgrade Docker client library (v20.10.17 -> v28.5.2)
+* Upgrade distribution/reference, urfave/cli (v2.10.3 -> v2.27.7), tablewriter (v0.0.5 -> v1.1.3)
+* Update CI: GitHub Actions (checkout v4, setup-go v5, goreleaser v6, golangci-lint v6, codeql v3)
+* Update golangci-lint (v1.46.2 -> v2.9.0) and fix errcheck findings
+* Update test suite to use python:3.13 (Debian-based) instead of old Alpine for CVE tests
+* Replace deprecated resin/scratch with locally built scratch image in tests
+
 ### v0.6.0
 
 **IMPORTANT: This release includes breaking changes!** Please check the migration guide: [MIGRATION-v0.6.md](./MIGRATION-v0.6.md)
 
@@ -2,7 +2,9 @@
 
 # aws-ecr-client
 
-AWS ECR client for automated push to ECR and handling of vulnerability scanning results
+AWS ECR client for automated push to ECR and handling of vulnerability scanning results.
+
+Supports **AWS native basic scanning** (the default since Feb 2, 2026, replacing the deprecated Clair-based scanning).
 
 Features:
 * Automatically gets authorization token for ECR repo
@@ -11,6 +13,8 @@ Features:
 * Can ignore all CVE's of certain severity level (not recommended but useful when you have to deal with docker image over which you have no control)
 * Can ignore individual CVE's (not recommended but useful when you might really really need to unblock that pipeline)
 * Can output CVE scan report in Junit format so you can feed to to Jenkins or some other system for visibility
+* Handles scan initiation delays with AWS native scanning (automatic retries)
+* Paginates through all scan findings for complete results
 
 See examples below for more details
 
@@ -19,7 +23,7 @@ See examples below for more details
 ```
 NAME:
    aws-ecr-client-golang - AWS ECR client to automated push to ECR and handling of vulnerability.
-                           Version v0.6.0
+                           Version v0.7.0
 
 USAGE:
    aws-ecr-client-golang [global options] command [command options] [arguments...]
@@ -49,19 +53,19 @@ Download official builds from [here](https://releases.fivexl.io/aws-ecr-client-g
 ### Push of the real tag is stopped because of CVE
 
 ```
-$ aws-ecr-client-golang --images XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:3.12.12
-aws-ecr-client, version v0.6.0
+$ aws-ecr-client-golang --images XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/myimage:latest
+aws-ecr-client, version v0.7.0
 Note: Stage repo is not specified - will use the the repo of the first given image as a scanning silo
-Push image to the scanning repo as XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:ecs-client-scan-1662393883
-Checking scan result for the image XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:ecs-client-scan-1662393883
+Push image to the scanning repo as XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/myimage:ecs-client-scan-1770898008
+Checking scan result for the image XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/myimage:ecs-client-scan-1770898008
 
 Image scan status: COMPLETE
 
 Found the following CVEs
 +----------------+-----------+----------+-------------+---------------------------------------------------------------+
 |      CVE       | SEVERITY  | IGNORED? | DESCRIPTION |                              URI                              |
 +----------------+-----------+----------+-------------+---------------------------------------------------------------+
-| CVE-2022-37434 | UNDEFINED | No       |             | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434 |
+| CVE-2024-58015 | HIGH      | No       |             | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58015 |
 +----------------+-----------+----------+-------------+---------------------------------------------------------------+
 
 Ignored CVE severity levels:
@@ -74,27 +78,26 @@ Error: there are CVEs found! Please, fix them first. Will not proceed with pushi
 ### Push of the real tag with ignored CVE
 
 ```
-$ AWS_ECR_CLIENT_IGNORE_CVE=CVE-2022-37434 aws-ecr-client-golang --images XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:3.12.12
-aws-ecr-client, version v0.6.0
+$ AWS_ECR_CLIENT_IGNORE_CVE=CVE-2024-58015 aws-ecr-client-golang --images XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/myimage:latest
+aws-ecr-client, version v0.7.0
 Note: Stage repo is not specified - will use the the repo of the first given image as a scanning silo
-Push image to the scanning repo as XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:ecs-client-scan-1662393948
-Checking scan result for the image XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:ecs-client-scan-1662393948
+Push image to the scanning repo as XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/myimage:ecs-client-scan-1770898062
+Checking scan result for the image XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/myimage:ecs-client-scan-1770898062
 
 Image scan status: COMPLETE
 
 Found the following CVEs
 +----------------+-----------+------------------------------+-------------+---------------------------------------------------------------+
 |      CVE       | SEVERITY  |           IGNORED?           | DESCRIPTION |                              URI                              |
 +----------------+-----------+------------------------------+-------------+---------------------------------------------------------------+
-| CVE-2022-37434 | UNDEFINED | Yes (Ignored individual CVE) |             | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434 |
+| CVE-2024-58015 | HIGH      | Yes (Ignored individual CVE) |             | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58015 |
 +----------------+-----------+------------------------------+-------------+---------------------------------------------------------------+
 
 Ignored CVE severity levels:
-Ignored CVE's:               CVE-2022-37434
+Ignored CVE's:               CVE-2024-58015
 
 Final scan result: Passed
-Pushing: XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:3.12.12
-Done
+Pushing: XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/myimage:latest
 ```
 
 ### GitLab Workflow Example
@@ -108,8 +111,8 @@ Done
     APP: dts_all_batch
     PATH_DOCKERFILE: /
     DOCKER_TLS_CERTDIR: ""
-    ECR_CLIENT_VERSION: 0.6.0
-    AWS_ECR_CLIENT_IGNORE_CVE: CVE-2022-37434 
+    ECR_CLIENT_VERSION: 0.7.0
+    AWS_ECR_CLIENT_IGNORE_CVE: CVE-2024-58015 
     AWS_ECR_CLIENT_IGNORE_CVE_LEVEL: LOW INFORMATIONAL UNDEFINED
   services:
     - docker:dind
@@ -138,7 +141,7 @@ Done
 <testsuites>
 	<testsuite tests="6" failures="1" time="6.000" name="Container Image CVE scan">
 		<properties>
-			<property name="go.version" value="go1.14.4"></property>
+			<property name="go.version" value="go1.24.0"></property>
 			<property name="coverage.statements.pct" value="100"></property>
 		</properties>
 		<testcase classname="Container Image CVE scan" name="CRITICAL" time="1.000"></testcase>
@@ -159,20 +162,18 @@ The client handles unsupported images error (for example scratch) as another fin
 ignoring `ECR_ERROR_UNSUPPORTED_IMAGE`
 
 ```
-aws-ecr-client, version v0.6.0
+aws-ecr-client, version v0.7.0
 Note: Stage repo is not specified - will use the the repo of the first given image as a scanning silo
-Push image to the scanning repo as XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:ecs-client-scan-1662392380
-Checking scan result for the image XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:ecs-client-scan-1662392380
+Push image to the scanning repo as XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:ecs-client-scan-1770897999
+Checking scan result for the image XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/alpine:ecs-client-scan-1770897999
 
 Found the following CVEs
-+-----------------------------+---------------+------------------------------+--------------------------------+-----+
-|             CVE             |   SEVERITY    |           IGNORED?           |          DESCRIPTION           | URI |
-+-----------------------------+---------------+------------------------------+--------------------------------+-----+
-| ECR_ERROR_UNSUPPORTED_IMAGE | INFORMATIONAL | Yes (Ignored individual CVE) | UnsupportedImageError: The     |     |
-|                             |               |                              | operating system and/or        |     |
-|                             |               |                              | package manager are not        |     |
-|                             |               |                              | supported.                     |     |
-+-----------------------------+---------------+------------------------------+--------------------------------+-----+
++-----------------------------+---------------+------------------------------+-----------------------------------------------------------+-----+
+|             CVE             |   SEVERITY    |           IGNORED?           |                        DESCRIPTION                        | URI |
++-----------------------------+---------------+------------------------------+-----------------------------------------------------------+-----+
+| ECR_ERROR_UNSUPPORTED_IMAGE | INFORMATIONAL | Yes (Ignored individual CVE) | UnsupportedImageError: The operating system and/or        |     |
+|                             |               |                              | package manager are not supported.                        |     |
++-----------------------------+---------------+------------------------------+-----------------------------------------------------------+-----+
 
 Ignored CVE severity levels:
 Ignored CVE's:               ECR_ERROR_UNSUPPORTED_IMAGE
 
@@ -26,6 +26,8 @@ import (
 	"io"
 
 	dockerTypes "github.com/docker/docker/api/types"
+	dockerImageTypes "github.com/docker/docker/api/types/image"
+	dockerRegistry "github.com/docker/docker/api/types/registry"
 	dockerClient "github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/jsonmessage"
 )
@@ -39,17 +41,17 @@ func getDockerClient() (*dockerClient.Client, error) {
 	return dockerClient.NewClientWithOpts(dockerClient.FromEnv, dockerClient.WithAPIVersionNegotiation())
 }
 
-func imagePush(client *dockerClient.Client, authConfig dockerTypes.AuthConfig, imageRef string) (ImageId, error) {
+func imagePush(client *dockerClient.Client, authConfig dockerRegistry.AuthConfig, imageRef string) (ImageId, error) {
 
 	authConfigBytes, _ := json.Marshal(authConfig)
 	authConfigEncoded := base64.URLEncoding.EncodeToString(authConfigBytes)
 
-	opts := dockerTypes.ImagePushOptions{RegistryAuth: authConfigEncoded}
+	opts := dockerImageTypes.PushOptions{RegistryAuth: authConfigEncoded}
 	rd, err := client.ImagePush(context.Background(), imageRef, opts)
 	if err != nil {
 		return ImageId{}, err
 	}
-	defer rd.Close()
+	defer func() { _ = rd.Close() }()
 
 	buf := new(bytes.Buffer)
 	_, err = buf.ReadFrom(rd)