Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

github.com/swoldemi/amazon-ecr-image-immutability-check

Package Overview
Dependencies
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

github.com/swoldemi/amazon-ecr-image-immutability-check

Source
Go
Version
v0.0.0-20200316194450-008e169fa768
Version published
Created
Source

Amazon ECR Image Immutability Check

Enforce image tag immutability on all Elastic Container Registry repositories within an AWS account

The problem: As of March 2020, AWS Config does not support any custom or native integrations with ECR: https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html

The solution: Run a Serverless Application Repository app to automatically remediate and report on incompliant ECR repositories for you!

architecture

Usage

Prerequisites:

  • An AWS account in a region which supports ECR.
  • ECR repositories within your registry.

Deploying the Lambda

It is recommended that you deploy this Lambda function directly from the AWS Serverless Application Repository. It is also possible to deploy this function using:

This function has been made available in all 18 commercial AWS regions that support AWS SAR. It is also possible to deploy the Lambda function in the GovCloud and China regions, if you have access to those regions.

RegionClick and Deploy
US East (Ohio) (us-east-2)
US East (N. Virginia) (us-east-1)
US West (N. California) (us-west-1)
US West (Oregon) (us-west-2)
Asia Pacific (Hong Kong) (ap-east-1)
Asia Pacific (Mumbai) (ap-south-1)
Asia Pacific (Seoul) (ap-northeast-2)
Asia Pacific (Singapore) (ap-southeast-1)
Asia Pacific (Sydney) (ap-southeast-2)
Asia Pacific (Tokyo) (ap-northeast-1)
Canada (Central) (ca-central-1)
EU (Frankfurt) (eu-central-1)
EU (Ireland) (eu-west-1)
EU (London) (eu-west-2)
EU (Paris) (eu-west-3)
EU (Stockholm) (eu-north-1)
Middle East (Bahrain) (me-south-1)
South America (Sao Paulo) (sa-east-1)

Configuration

  • Interval (required) - How often should the function run? Requires a valid Schedule Expression: https://docs.aws.amazon.com/lambda/latest/dg/tutorial-scheduled-events-schedule-expressions.html. Default is once a day (rate(24 hours)).
  • SNSTopicARN (optional) - The ARN of the Simple Notification Service topic to send incompliant finding messages to. No default.
  • AutoRemediate (optional) - Should this function automatically enable image tag immutability (ENABLED or DISABLED)? ENABLED by default.

If you would like to retrive notifications of repositories that have image immutability disabled create and subscribe to an SNS topic then pass the ARN of the topic in the SNSTopicARN parameter.

Example message contents (Email subscription):

The amazon-ecr-image-immutability-check Lambda function you deployed found some incompliant ECR repositories:
1. Repository: product-a/service-one
2. Repository: product-a/service-two
3. Repository: custom-internal-nginx
If auto-remediation is enabled, then these repositories will have Image Tag Immutability enabled and are now compliant until changed.
AWS Region: us-east-2
ECR Registry ID: 123456789012
Auto-Remediation: ENABLED
--
If you wish to stop receiving notifications from this topic, please click or visit the link below to unsubscribe:
https://sns.us-east-2.amazonaws.com/unsubscribe.html?SubscriptionArn=arn:aws:sns:us-east-2:123456789012:your-topic-name:random-topic-id&Endpoint=example@example.com

Please do not reply directly to this email. If you have any questions or comments regarding this email, please contact us at https://aws.amazon.com/support

Test that it works

After your specified interval and interval unit (example: rate(5 minutes)), a CloudWatch event will trigger the Lambda function and scan your account for repositories that do not have image tag immutability enabled. If any are found, image tag immutability will be enabled.

Contributing

Have an idea for a feature to enhance this serverless application? Open an issue or pull request!

Development

This application has been developed, built, and testing against Go 1.13, Go 1.14, the latest version of the Serverless Application Model CLI, and the latest version of the AWS CLI. A Makefile has been provided for convenience.

make check
make test
make build
make sam-package
make sam-deploy
make sam-tail-logs
make destroy

To Do

  • Integrate AWS Config when support for ECR repositories arrives.

Note

It is also possible to prevent account users from changing the tag immutability setting by not granting them the ecr:PutImageTagMutability action.

License

MIT No Attribution (MIT-0)

FAQs

Package last updated on 16 Mar 2020

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

9 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads

Research

/

Security News

9 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads

Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control systems.

By Kush Pandya  -  Nov 06, 2025