DEV Community

andre aliaman

My Perspective on Amazon Inspector's 2025 Updates for DevSecOps

Introduction

Back in early 2024, I wrote about My Perspective on the Latest Improvements in Amazon Inspector from re:Invent 2023. At that time, AWS focused more on Lambda code scanning and agentless EC2 scanning.

Fast forward to 2025, and Amazon Inspector has evolved significantly. As a DevSecOps practitioner, I kept a close eye on every new feature they shipped.

So what's changed in the past two years?

In this article, I want to share what's new in Amazon Inspector for 2025 and how these updates benefit us as DevSecOps Engineers.

What's New in Amazon Inspector 2025?

Let me walk you through the key updates since my last article.

Enhanced Container Scanning Engine (February 2025)

AWS upgraded the engine that powers container image scanning for Amazon ECR. This update provides better dependency detection, more comprehensive vulnerability findings, and automatic re-evaluation of existing resources.

In my 2023 article, I talked about ECR scanning capabilities. The 2025 engine upgrade makes those scans more accurate and thorough. The best part? This upgrade happened automatically. You don't need to do anything.

Code Security (GA - June 2025)

This is the biggest update in my opinion. In my 2023 article, I talked about how Inspector could scan Lambda functions and container images. Now, it can scan your source code directly — before you even build anything.

Why is this important?

From my experience, finding a vulnerability in code costs 10x less than finding it in production. The earlier you catch the issue, the cheaper it is to fix.

Code Security includes SAST for scanning your source code, SCA for scanning third-party dependencies, and IaC scanning for your Terraform and CloudFormation templates. It also has native GitHub and GitLab integration — findings appear directly in your Pull Requests.

Organization-wide Management (November 2025)

If you've ever tried to enable Amazon Inspector across multiple AWS accounts, you know the pain. In my previous article, I mentioned how Inspector integrates with AWS Organizations. But back then, you still had to configure each account.

Not anymore. AWS introduced Organization-wide Management using AWS Organizations policies. Now, one policy covers all accounts, new accounts get auto-enrollment, and you have a consistent baseline across your organization.

As a DevSecOps Engineer, this saves me hours of setup and ensures no account is left unprotected.

Security Hub Integration (re:Invent 2025 - December)

Amazon Inspector findings now integrate seamlessly with AWS Security Hub. Security Hub correlates signals from Inspector, GuardDuty, and Macie to provide near real-time risk analytics.

I'll cover Security Hub in detail in my next article — it deserves its own deep dive.

What Are the Benefits as a DevSecOps Engineer?

With these improvements, I think Inspector now covers the main areas of DevSecOps.

As DevSecOps engineers, security is our focus, and I always felt a gap when implementing on AWS: we had to look to third-party tools to cover SAST, SCA, and even IaC scanning and container scanning. We had to set up separate tools like Snyk, Checkov, or Trivy, and then figure out how to integrate them with our AWS environment.

But with these improvements, Inspector now covers all of these: SAST for source code, SCA for dependencies, IaC scanning for Terraform and CloudFormation, and container scanning for ECR images.

The only thing missing is DAST (Dynamic Application Security Testing) — we still need to look elsewhere for that. For DAST, I find Prowler an interesting tool, which you can read about in my article Practical Way for Security Assessment in AWS with Prowler.

So now we can have a complete DevSecOps chain that covers my entire application supply chain — from code to runtime.

What if you're already using AWS?

This is where Inspector really shines. If you're already on AWS, the integration is seamless. ECR automatically scans on image push. CodePipeline and CodeBuild have native integration. EventBridge can trigger automated workflows. AWS Organizations lets you manage multiple accounts with a single policy. And CloudTrail provides audit logging for compliance.

You don't need to set up separate tools and figure out how to connect them. It's already integrated with your AWS environment.
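As an added example of the EventBridge workflow mentioned above (this is my illustration, not code from the original post or from AWS), here is a rule pattern plus a small Lambda handler that triages Inspector findings. It assumes the `Inspector2 Finding` event shape from source `aws.inspector2` (fields such as `severity`, `status`, `fixAvailable`, `resources` and `packageVulnerabilityDetails`); the rule pattern, the triage policy and the sample event are constructed for illustration, and the CVE identifier is a placeholder.

```python
"""Triage Amazon Inspector findings delivered through EventBridge.

Added example, not code from the original post. It assumes the
"Inspector2 Finding" event shape (source "aws.inspector2") and that the
function runs as an AWS Lambda target of an EventBridge rule. The rule
pattern, the triage policy and the sample event are constructed.
"""
import json

# EventBridge rule pattern (constructed): only CRITICAL/HIGH findings that
# are still ACTIVE reach the Lambda target, so noise never invokes it.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["CRITICAL", "HIGH"],
        "status": ["ACTIVE"],
    },
}


def matches_pattern(event: dict, pattern: dict = EVENT_PATTERN) -> bool:
    """Local emulation of EventBridge exact-match semantics for the
    top-level and nested keys used in EVENT_PATTERN (lets the handler be
    exercised offline with the same filter the rule applies)."""
    for key, allowed in pattern.items():
        value = event.get(key)
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(value, allowed):
                return False
        elif value not in allowed:
            return False
    return True


def triage(finding: dict) -> dict:
    """Decide what to do with one finding's `detail` payload."""
    resource = (finding.get("resources") or [{}])[0]
    vuln = finding.get("packageVulnerabilityDetails", {})
    fix_available = finding.get("fixAvailable") == "YES"
    severity = finding.get("severity")
    # Policy (constructed): a CRITICAL finding with a fix blocks deployment,
    # any other fixable finding opens a ticket, unfixable ones are tracked.
    if severity == "CRITICAL" and fix_available:
        action = "block-deploy"
    elif fix_available:
        action = "open-ticket"
    else:
        action = "track"
    return {
        "action": action,
        "vulnerability": vuln.get("vulnerabilityId"),
        "resource_type": resource.get("type"),
        "resource_id": resource.get("id"),
        "inspector_score": finding.get("inspectorScore"),
        "fix_available": fix_available,
    }


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: re-check the event shape, then triage."""
    if not matches_pattern(event):
        return {"action": "ignore"}
    return triage(event["detail"])


# Constructed sample event in the Inspector2 Finding shape; the CVE id,
# account id and image digest are placeholders.
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "severity": "CRITICAL",
        "status": "ACTIVE",
        "type": "PACKAGE_VULNERABILITY",
        "title": "CVE-XXXX-XXXX - example package",
        "inspectorScore": 9.8,
        "fixAvailable": "YES",
        "resources": [{
            "type": "AWS_ECR_CONTAINER_IMAGE",
            "id": "arn:aws:ecr:us-east-1:111122223333:repository/example-app/sha256:PLACEHOLDER",
        }],
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-XXXX-XXXX"},
    },
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Keeping the severity filter in the rule pattern (rather than only in the handler) is the design choice worth copying: the Lambda is never invoked for LOW and MEDIUM findings, and the handler's own `matches_pattern` check is a cheap guard against a misconfigured rule sending it something else.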

And speaking of compliance — in my article about NIST Guidelines, I discussed how organizations need to follow security frameworks. This is the best part — Inspector also directly supports generating SBOMs in CycloneDX and SPDX formats, which we can combine with CloudTrail for audit trails.

With the CycloneDX and SPDX formats, you can also integrate with other tools that support them, like GitLab. So you're not locked into AWS — you have the flexibility to use SBOM data across your toolchain.
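To show what you can do with an exported SBOM outside AWS, here is an added example (mine, not from the original post or from AWS) that reads two CycloneDX JSON documents, reports package drift between an approved baseline and the current build, and flags components whose declared license is on a deny list. It assumes the CycloneDX JSON layout (a top-level `components` list whose entries carry `purl`, `name`, `version` and optional `licenses`); both SBOM documents and the deny list are constructed for illustration rather than exported from Inspector.

```python
"""Inventory and drift-check two CycloneDX SBOMs.

Added example, not code from the original post. It assumes the CycloneDX
JSON layout (top-level "components" list with "purl", "name", "version"
and optional "licenses"). Both documents below are constructed, not
exported from Inspector.
"""
import json

# Constructed: SBOM of the image as it was approved.
BASELINE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})

# Constructed: SBOM of the image built today (openssl bumped, leftpad added).
CURRENT_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/ubuntu/openssl@3.0.13",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "leftpad", "version": "0.1.0",
         "purl": "pkg:npm/leftpad@0.1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})


def load_components(sbom_json: str) -> dict:
    """Return {purl: component} for a CycloneDX JSON document; refuse
    anything that does not declare the CycloneDX bomFormat."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {}
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if purl:
            components[purl] = comp
    return components


def component_licenses(comp: dict) -> set:
    """Collect SPDX license ids (or free-form names) declared on a component."""
    ids = set()
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        ident = lic.get("id") or lic.get("name")
        if ident:
            ids.add(ident)
    return ids


def package_key(purl: str) -> str:
    """The purl without its version, e.g. pkg:npm/leftpad@0.1.0 -> pkg:npm/leftpad."""
    return purl.split("@", 1)[0]


def diff_sboms(baseline_json: str, current_json: str) -> dict:
    """Report added, removed and version-changed packages between two SBOMs."""
    base = {package_key(p): c for p, c in load_components(baseline_json).items()}
    cur = {package_key(p): c for p, c in load_components(current_json).items()}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(
        pkg for pkg in set(base) & set(cur)
        if base[pkg].get("version") != cur[pkg].get("version")
    )
    return {"added": added, "removed": removed, "changed": changed}


def license_violations(sbom_json: str, denied: set) -> list:
    """purls whose declared license intersects the (constructed) deny list."""
    return sorted(
        purl for purl, comp in load_components(sbom_json).items()
        if component_licenses(comp) & denied
    )


if __name__ == "__main__":
    print(json.dumps(diff_sboms(BASELINE_SBOM, CURRENT_SBOM), indent=2))
    print(license_violations(CURRENT_SBOM, {"GPL-3.0-only"}))
```

The drift report is the piece that pairs naturally with the CloudTrail audit trail the article mentions: keeping the approved SBOM alongside the deployment record lets you answer "what changed in this image since it was last reviewed" from the SBOM diff, independent of which scanner produced it.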

Conclusion

Since I wrote my 2023 article, a lot has improved in Amazon Inspector. The 2025 updates — especially Code Security and Organization-wide Management — have transformed Inspector from a vulnerability scanner into a comprehensive DevSecOps platform.

From my perspective as a DevSecOps Engineer, Inspector now covers most of what I need. And if you're already using AWS, the integration is seamless.

In my next article, I'll dive into AWS Security Hub and how it brings all your security findings together into a single view. Stay tuned!

I think that's it for this article. Leave a comment below so I know your thoughts! Thanks.
