AWS ECR tokens expire every 12 hours causing scan failures
critical | configuration | Updated Sep 1, 2025 (via Exa)
How to detect:
AWS ECR authentication tokens expire every 12 hours by design. When tokens expire, Snyk container scans fail with authentication errors, blocking CI/CD pipelines and deployments.
Recommended action:
Set up a cron job to refresh ECR tokens every 8 hours using `aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin [account-id].dkr.ecr.us-west-2.amazonaws.com`. Log results to /var/log/ecr-refresh.log to track failures. Set alerts 2 hours before token expiration.
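One way to script this refresh and the alert threshold, as an added example rather than code from the original page. The script name, the `ECR_ACCOUNT_ID`, `ECR_LOG` and `ECR_STAMP` variables, the stamp-file path and the crontab entries are assumptions:

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: ecr-refresh.sh,
# ECR_ACCOUNT_ID, ECR_LOG, ECR_STAMP. Constructed crontab entries:
#   0 */8 * * *   /usr/local/bin/ecr-refresh.sh refresh
#   */15 * * * *  /usr/local/bin/ecr-refresh.sh check
REGION="us-west-2"
LOG="${ECR_LOG:-/var/log/ecr-refresh.log}"
STAMP="${ECR_STAMP:-/var/run/ecr-refresh.last}"   # epoch of last good login
TOKEN_TTL=43200     # 12 hours, the ECR token lifetime
ALERT_LEAD=7200     # alert 2 hours before expiration

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"; }

# refresh_ecr ACCOUNT_ID: fetch a token, log in, record success or failure.
refresh_ecr() {
    registry="$1.dkr.ecr.$REGION.amazonaws.com"
    # Fetch first so an aws failure is not masked by the pipeline's exit code.
    if ! token=$(aws ecr get-login-password --region "$REGION" 2>>"$LOG"); then
        log "FAIL get-login-password registry=$registry"; return 1
    fi
    # printf is a shell builtin, so the token never appears in a process list.
    if ! printf '%s' "$token" | docker login --username AWS --password-stdin "$registry" >/dev/null 2>>"$LOG"; then
        log "FAIL docker-login registry=$registry"; return 1
    fi
    date +%s > "$STAMP"
    log "OK refreshed registry=$registry"
}

# token_status LAST_EPOCH NOW_EPOCH: prints OK, ALERT or EXPIRED.
token_status() {
    age=$(( $2 - $1 ))
    if [ "$age" -ge "$TOKEN_TTL" ]; then echo EXPIRED
    elif [ "$age" -ge $(( TOKEN_TTL - ALERT_LEAD )) ]; then echo ALERT
    else echo OK; fi
}

# check_age: non-zero exit (for a monitor to alert on) unless the token is fresh.
check_age() {
    last=$(cat "$STAMP" 2>/dev/null) || last=0
    status=$(token_status "${last:-0}" "$(date +%s)")
    [ "$status" = OK ] && return 0
    log "$status last_refresh_epoch=${last:-0}"; return 1
}

case "${1:-}" in
    refresh) refresh_ecr "${ECR_ACCOUNT_ID:?set ECR_ACCOUNT_ID}" ;;
    check)   check_age ;;
esac
```

`docker login` stores the credential in the Docker client configuration of the user that runs it, so schedule the job under the account whose Docker client pulls from the registry and point `ECR_LOG` and `ECR_STAMP` at paths that account can write.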