AWS Inspector: Vulnerability Scanning and SBOM Generation
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
AWS Inspector v2 is a different product from its predecessor. The original Inspector required you to deploy agents and configure assessment targets. Inspector v2 is agentless for ECR scanning and uses the SSM agent (which you probably already have) for EC2. It continuously scans rather than running on a schedule, and it covers both OS packages and application language dependencies.
What It Scans
Inspector scans three resource types: EC2 instances, ECR container images, and Lambda functions. For EC2, it uses the SSM agent to inventory installed packages and compare them against CVE databases. For ECR, it analyzes image layers for known vulnerabilities. For Lambda, it checks function code package dependencies.
The scanner covers vulnerabilities in operating system packages (apt, yum, apk) and application dependencies across Java (Maven), Python (pip), Node.js (npm), Go (modules), and .NET (NuGet). This matters because most exploitable vulnerabilities in modern applications come from dependencies, not OS packages.
Continuous Scanning
Inspector scans automatically when new instances launch, new images are pushed to ECR, new CVEs are published, or packages are updated on existing instances. You do not need to schedule scans or trigger them manually. This means a new critical CVE published on Tuesday will generate findings for affected resources within hours, not at your next weekly scan.
SBOM Generation
Inspector can export a Software Bill of Materials (SBOM) for your scanned resources in CycloneDX or SPDX format. This is increasingly required by compliance frameworks and government contracts. Export SBOMs per resource or in aggregate across your account.
Use SBOMs proactively: when a new zero-day drops, search your SBOMs for the affected library to immediately identify exposed resources without waiting for Inspector to generate findings.
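The search described above, as an added example that is not AWS code or part of the original article: it parses exported SBOMs in either CycloneDX or SPDX JSON form and lists every resource carrying a copy of a named package older than the version that fixes the issue. The two SBOM documents, the package name `examplelib` and the fixed version are all constructed for illustration.

```python
"""Search exported SBOMs (CycloneDX or SPDX JSON) for an affected library.

Added example, not Inspector's own tooling. The SBOM documents below are
constructed to mirror the shape of a per-resource export; the package name
and fixed version are placeholders.
"""
import json
import re
from typing import Iterator, List, Tuple

# Constructed CycloneDX 1.4 SBOM, as exported for one container image.
CYCLONEDX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "container", "name": "payments-api:1.8.2"}},
    "components": [
        {"type": "library", "name": "examplelib", "version": "2.14.1",
         "purl": "pkg:maven/org.example/examplelib@2.14.1"},
        {"type": "library", "name": "examplelib", "version": "2.17.0",
         "purl": "pkg:maven/org.example/examplelib@2.17.0"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed SPDX 2.3 SBOM, as exported for one EC2 instance.
SPDX_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "i-0123456789abcdef0",
    "packages": [
        {"name": "examplelib", "versionInfo": "2.12.0", "SPDXID": "SPDXRef-Package-1"},
        {"name": "openssl", "versionInfo": "3.0.13", "SPDXID": "SPDXRef-Package-2"},
    ],
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple ('2.14.1' -> (2, 14, 1)).

    Comparison stops at the first non-numeric piece, so '1.0.0-beta' compares
    as (1, 0, 0); good enough for a first-pass triage, not a full semver parser.
    """
    parts = []
    for piece in re.split(r"[.\-+]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def iter_packages(sbom_json: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (resource, package name, version) from a CycloneDX or SPDX SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") == "CycloneDX":
        resource = doc.get("metadata", {}).get("component", {}).get("name", "unknown")
        for component in doc.get("components", []):
            yield resource, component["name"], component.get("version", "")
    elif "spdxVersion" in doc:
        resource = doc.get("name", "unknown")
        for package in doc.get("packages", []):
            yield resource, package["name"], package.get("versionInfo", "")
    else:
        raise ValueError("unrecognised SBOM format")


def find_affected(sboms: List[str], package: str, fixed_version: str) -> List[Tuple[str, str]]:
    """Return (resource, version) for every copy of `package` below `fixed_version`.

    A resource appears once per vulnerable copy, so shaded or duplicated
    dependencies show up individually. Entries with no recorded version are
    skipped rather than guessed at.
    """
    fixed = parse_version(fixed_version)
    hits = []
    for sbom in sboms:
        for resource, name, version in iter_packages(sbom):
            if name != package or not version:
                continue
            if parse_version(version) < fixed:
                hits.append((resource, version))
    return hits


if __name__ == "__main__":
    # Point this at a directory of real exports; here it runs on the samples.
    for resource, version in find_affected([CYCLONEDX_SBOM, SPDX_SBOM], "examplelib", "2.17.0"):
        print(f"{resource}: examplelib {version} (fixed in 2.17.0)")
```

Matching on package name alone can collide across ecosystems (a Maven artifact and a PyPI package sharing a name); when the SBOM carries a `purl`, filtering on its `pkg:<type>/` prefix as well removes that ambiguity.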
CI/CD Integration
Inspector offers a CI/CD plugin that scans container images during the build process before they reach ECR. This shifts vulnerability detection left — developers see findings in their pull requests rather than after deployment.
The plugin outputs findings as SARIF (Static Analysis Results Interchange Format), which integrates with GitHub Security, GitLab, and most CI systems. Set quality gates: fail the build for CRITICAL findings with available fixes, warn on HIGH findings, and track the rest.
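The quality gate described above, as an added example that is not the Inspector plugin's code or part of the original article: it reads a SARIF document and sorts results into fail, warn and track buckets using exactly the policy stated in the text. The SARIF document is constructed, the rule IDs are placeholders, and the `severity` and `fixAvailable` keys under each result's `properties` are assumed names, not verified Inspector output fields; map them to whatever your scanner actually emits. The `suppressed_rule_ids` parameter is there so accepted-risk decisions (see the suppression rules under Findings Management) can be honoured in CI too.

```python
"""CI quality gate over SARIF scan output.

Added example, not the Inspector CI/CD plugin's own code. The SARIF below is
constructed; the `properties.severity` and `properties.fixAvailable` keys are
assumptions about where severity and fix status live in the document.
"""
import json
import sys

SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-image-scanner"}},
        "results": [
            {"ruleId": "CVE-PLACEHOLDER-1", "level": "error",
             "message": {"text": "examplelib 2.14.1 in /app/lib"},
             "properties": {"severity": "CRITICAL", "fixAvailable": "YES", "fixedVersion": "2.17.0"}},
            {"ruleId": "CVE-PLACEHOLDER-2", "level": "error",
             "message": {"text": "examplelib-native 1.2.0"},
             "properties": {"severity": "CRITICAL", "fixAvailable": "NO"}},
            {"ruleId": "CVE-PLACEHOLDER-3", "level": "warning",
             "message": {"text": "requests 2.31.0"},
             "properties": {"severity": "HIGH", "fixAvailable": "YES", "fixedVersion": "2.32.0"}},
            {"ruleId": "CVE-PLACEHOLDER-4", "level": "note",
             "message": {"text": "zlib 1.2.13"},
             "properties": {"severity": "MEDIUM", "fixAvailable": "NO"}},
        ],
    }],
})

FAIL, WARN, TRACK = "fail", "warn", "track"


def classify(result: dict) -> str:
    """Apply the gate policy: fail CRITICAL-with-fix, warn HIGH, track the rest."""
    props = result.get("properties", {})
    severity = str(props.get("severity", "")).upper()
    fix_available = str(props.get("fixAvailable", "NO")).upper() == "YES"
    if severity == "CRITICAL" and fix_available:
        return FAIL
    if severity == "HIGH":
        return WARN
    # CRITICAL findings with no fix yet fall through to tracking, per the policy
    # above; teams that want them visible in CI can promote them to WARN here.
    return TRACK


def evaluate_gate(sarif_json: str, suppressed_rule_ids=()) -> dict:
    """Bucket every result by rule ID and derive the build exit code.

    Returns {"fail": [...], "warn": [...], "track": [...], "exit_code": 0 or 1}.
    Rule IDs in `suppressed_rule_ids` (accepted risks) are dropped before
    classification so a documented suppression does not block the build.
    """
    doc = json.loads(sarif_json)
    buckets = {FAIL: [], WARN: [], TRACK: []}
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            if rule_id in suppressed_rule_ids:
                continue
            buckets[classify(result)].append(rule_id)
    buckets["exit_code"] = 1 if buckets[FAIL] else 0
    return buckets


if __name__ == "__main__":
    # Usage in a pipeline step: python gate.py results.sarif [suppressed-id ...]
    sarif_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SARIF
    outcome = evaluate_gate(sarif_text, tuple(sys.argv[2:]))
    for bucket in (FAIL, WARN, TRACK):
        print(f"{bucket.upper():5} {', '.join(outcome[bucket]) or '-'}")
    sys.exit(outcome["exit_code"])
```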
Findings Management
Inspector findings include the CVE ID, severity, affected package, fixed version, and the specific resource. Use Security Hub integration to aggregate findings across accounts and regions.
Create suppression rules for accepted risks. If your team has evaluated a CVE and determined it is not exploitable in your environment (the vulnerable code path is not reachable), suppress the finding with a documented justification rather than letting it add noise.
Export findings to S3 for long-term tracking and trend analysis. Track metrics like mean time to remediate by severity, percentage of resources with critical findings, and vulnerability density per service.
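The three metrics named above, computed over an export of findings, as an added example that is not AWS code or part of the original article. The finding records are constructed and use only a handful of fields modelled on Inspector's finding JSON (`severity`, `status`, `firstObservedAt`, `updatedAt`, `resources[].id`, `resources[].type`, `resources[].tags`); a real S3 export carries many more. The `service` tag used to group resources is an assumed tagging convention, and suppressed findings are excluded from the active counts so accepted risks do not inflate density.

```python
"""Remediation metrics over exported vulnerability findings.

Added example, not AWS tooling. Records are constructed; field names follow
Inspector's finding JSON but the export format you actually receive should
be checked against these assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

ACCOUNT = "111122223333"  # AWS documentation example account id, constructed data

def _finding(n, severity, status, first, updated, rid, rtype, service):
    return {
        "findingArn": f"arn:aws:inspector2:us-east-1:{ACCOUNT}:finding/constructed-{n}",
        "severity": severity, "status": status,
        "firstObservedAt": first, "updatedAt": updated,
        "resources": [{"id": rid, "type": rtype, "tags": {"service": service}}],
    }

LAMBDA_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:constructed-fn"

# Constructed export: two closed CRITICALs (2 and 4 days open), one closed HIGH
# (10 days), one open CRITICAL, one suppressed HIGH, and two open lower-severity findings.
FINDINGS: List[dict] = [
    _finding(1, "CRITICAL", "CLOSED", "2026-01-01T00:00:00Z", "2026-01-03T00:00:00Z", "i-0aaa", "AWS_EC2_INSTANCE", "payments"),
    _finding(2, "CRITICAL", "CLOSED", "2026-01-10T00:00:00Z", "2026-01-14T00:00:00Z", "i-0bbb", "AWS_EC2_INSTANCE", "payments"),
    _finding(3, "HIGH", "CLOSED", "2026-01-05T00:00:00Z", "2026-01-15T00:00:00Z", "i-0aaa", "AWS_EC2_INSTANCE", "payments"),
    _finding(4, "CRITICAL", "ACTIVE", "2026-02-01T00:00:00Z", "2026-02-01T00:00:00Z", "i-0ccc", "AWS_EC2_INSTANCE", "search"),
    _finding(5, "HIGH", "SUPPRESSED", "2026-02-02T00:00:00Z", "2026-02-02T00:00:00Z", LAMBDA_ARN, "AWS_LAMBDA_FUNCTION", "search"),
    _finding(6, "MEDIUM", "ACTIVE", "2026-02-03T00:00:00Z", "2026-02-03T00:00:00Z", "i-0aaa", "AWS_EC2_INSTANCE", "payments"),
    _finding(7, "LOW", "ACTIVE", "2026-02-03T00:00:00Z", "2026-02-03T00:00:00Z", "i-0ccc", "AWS_EC2_INSTANCE", "search"),
]


def _parse_ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mttr_days_by_severity(findings: List[dict]) -> Dict[str, float]:
    """Mean days from first observation to closure, per severity, over CLOSED findings.

    `updatedAt` on a closed finding is taken as the closure time; a finding
    closed because its package was patched stops being reported at that point.
    """
    open_days = defaultdict(list)
    for f in findings:
        if f["status"] != "CLOSED":
            continue
        age = _parse_ts(f["updatedAt"]) - _parse_ts(f["firstObservedAt"])
        open_days[f["severity"]].append(age.total_seconds() / 86400)
    return {sev: round(sum(days) / len(days), 2) for sev, days in open_days.items()}


def pct_resources_with_active_critical(findings: List[dict]) -> float:
    """Share of distinct scanned resources that currently carry an ACTIVE CRITICAL finding."""
    all_ids, critical_ids = set(), set()
    for f in findings:
        for r in f["resources"]:
            all_ids.add(r["id"])
            if f["status"] == "ACTIVE" and f["severity"] == "CRITICAL":
                critical_ids.add(r["id"])
    return round(100.0 * len(critical_ids) / len(all_ids), 1) if all_ids else 0.0


def active_density_per_service(findings: List[dict]) -> Dict[str, float]:
    """ACTIVE findings per resource, grouped by the resource's `service` tag.

    Suppressed and closed findings are not counted, so accepted risks and
    fixed issues do not distort the comparison between services.
    """
    active = defaultdict(int)
    resources = defaultdict(set)
    for f in findings:
        for r in f["resources"]:
            service = r.get("tags", {}).get("service", "untagged")
            resources[service].add(r["id"])
            if f["status"] == "ACTIVE":
                active[service] += 1
    return {svc: round(active[svc] / len(ids), 2) for svc, ids in resources.items()}


if __name__ == "__main__":
    print("MTTR (days) by severity:", mttr_days_by_severity(FINDINGS))
    print("Resources with active CRITICAL: %.1f%%" % pct_resources_with_active_critical(FINDINGS))
    print("Active findings per resource, by service:", active_density_per_service(FINDINGS))
```

Run the same functions over successive daily exports and the trend, not the point value, is what tells you whether remediation is keeping pace with new CVE publication.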
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
