try to fix error

terraform · Jan 9, 2026 · 47a6b90 · 47a6b90
1 parent b0a9760
commit 47a6b90
Showing 1 changed file with 23 additions and 10 deletions.
diff --git a/local-app/python-tools/cross-organization/check_ecr.py b/local-app/python-tools/cross-organization/check_ecr.py
@@ -4,37 +4,50 @@
 from datetime import datetime
 
 # --- VERSIONING ---
-__version__ = "1.2.0"
+__version__ = "1.2.2"
 
 def get_repo_images(ecr_client, repo_name):
-    """Fetches images and their scan results."""
+    """Fetches images with flattened lists and dedicated scan finding lookups."""
     images = []
     repo_total_size = 0
     try:
-        # describe_images provides the findingSeverityCounts summary directly
         paginator = ecr_client.get_paginator('describe_images')
         for page in paginator.paginate(repositoryName=repo_name):
-            for img in page['imageDetails']:
+            # FIX: Use extend() to flatten the list of dictionaries
+            # This prevents the [[img, img], total] nesting error
+            img_details = page['imageDetails']
+
+            for img in img_details:
                 size = img.get('imageSizeInBytes', 0)
                 repo_total_size += size
+                digest = img.get('imageDigest')
 
-                # Extract scan summary if available
-                scan_summary = img.get('imageScanFindingsSummary', {})
-                severity_counts = scan_summary.get('findingSeverityCounts', {})
+                # RESTORED/FIXED: Reliable Scan Finding Lookup
+                # describe_images summary is often empty for modern ECR scans.
+                severity_counts = img.get('imageScanFindingsSummary', {}).get('findingSeverityCounts', {})
 
+                if not severity_counts and img.get('imageScanStatus', {}).get('status') == 'COMPLETE':
+                    try:
+                        # Fallback: Query the dedicated findings API for accurate counts
+                        findings = ecr_client.describe_image_scan_findings(
+                            repositoryName=repo_name,
+                            imageId={'imageDigest': digest}
+                        )
+                        severity_counts = findings.get('imageScanFindings', {}).get('findingSeverityCounts', {})
+                    except: pass
+
                 images.append({
                     "image_tags": img.get('imageTags', []),
-                    "image_digest": img.get('imageDigest'),
+                    "image_digest": digest,
                     "pushed_at": img['imagePushedAt'].isoformat() if 'imagePushedAt' in img else "N/A",
                     "last_pulled_at": img['lastRecordedPullTime'].isoformat() if 'lastRecordedPullTime' in img else "N/A",
                     "scan_status": img.get('imageScanStatus', {}).get('status', 'NO_SCAN'),
-                    "severity_counts": severity_counts, # Restored: CVE Severity Counts
+                    "severity_counts": severity_counts,
                     "size_bytes": size
                 })
     except: pass
     return images, repo_total_size
 
-
 def get_lifecycle_policy(ecr_client, repo_name):
     """Checks for lifecycle policy and counts rules."""
     try: