ECR Image Tag Not Immutable

• Query id: d1846b12-20c5-4d45-8798-fc35b79268eb
• Query name: ECR Image Tag Not Immutable
• Platform: Terraform
• Severity: Medium
• Category: Insecure Configurations
• CWE: 710
• URL: Github

Description

ECR should have an image tag be immutable. This prevents image tags from being overwritten.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "aws_ecr_repository" "foo2" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_repository" "foo3" {
  name                 = "bar"

  image_scanning_configuration {
    scan_on_push = true
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "aws_ecr_repository" "foo" {
  name                 = "bar"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}