ecrspectre — Container registry waste auditor for ECR and Artifact Registry. Part of SpectreHub.
- Scans AWS ECR and GCP Artifact Registry for stale, untagged, and bloated images
- Checks pull timestamps, tag status, image size, and lifecycle policies
- Estimates monthly storage cost per finding
- Surfaces vulnerability scan data from ECR's built-in scanner
- Outputs text, JSON, SARIF, and SpectreHub formats
- Not a real-time monitor — point-in-time scanner
- Not a remediation tool — reports only, never deletes images
- Not a security scanner — surfaces existing ECR scan data
- Not a CI image builder — audits what exists

```
brew tap ppiankov/tap
brew install ecrspectre
```

```
git clone https://github.com/ppiankov/ecrspectre.git
cd ecrspectre
make build
```

```
ecrspectre scan --region us-east-1 --format json
```

| Command | Description |
|---|---|
| `ecrspectre scan` | Scan container registries for stale and wasteful images |
| `ecrspectre init` | Generate IAM policy and config file |
| `ecrspectre version` | Print version |

ecrspectre feeds container registry waste findings into SpectreHub for unified visibility across your infrastructure.

```
spectrehub collect --tool ecrspectre
```

ecrspectre operates in read-only mode. It inspects and reports — never modifies, deletes, or alters your images.
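
Because the tool is described as read-only and `ecrspectre init` generates an IAM policy, it is worth confirming that the policy attached to the scanning role grants nothing beyond ECR reads. The following is an added example, not code from ecrspectre: the function name, the read-prefix heuristic and both sample policies are assumptions constructed for illustration.

```python
import json

# Name prefixes of ECR API actions that only read state. Heuristic chosen for
# this example; it is not derived from ecrspectre's generated policy.
READ_PREFIXES = ("describe", "list", "get", "batchget", "batchcheck")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def non_read_only_actions(policy):
    """Return the sorted Allow-ed actions that are not plainly ECR reads."""
    flagged = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything outside the list.
            flagged.add("NotAction")
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.lower().partition(":")
            # IAM action names are case-insensitive. A wildcard is fine only
            # after a full read prefix (ecr:Describe*), never before (ecr:*).
            if service != "ecr" or not name.startswith(READ_PREFIXES):
                flagged.add(action)
    return sorted(flagged)

# Constructed sample policies (not output of `ecrspectre init`).
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ecr:DescribeRepositories", "ecr:DescribeImages", "ecr:ListImages",
    "ecr:GetLifecyclePolicy", "ecr:DescribeImageScanFindings"]}]
}""")
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": "ecr:*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr:ListImages", "ecr:BatchDeleteImage"]}]
}""")

if __name__ == "__main__":
    for label, policy in (("read-only", READ_ONLY_POLICY),
                          ("over-broad", OVERBROAD_POLICY)):
        print(label, "->", non_read_only_actions(policy) or "no write actions")
```

Actions outside the `ecr:` namespace are flagged for manual review rather than judged by name.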
MIT — see LICENSE.
Built by Obsta Labs