ECR image tags shouldn't be mutable.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | ecr |
| Provider | AWS |
| Vulnerability Type | omission |
Description
The ECR repository is configured with mutable image tags, so an existing tag can be overwritten by a later push. This permits unauthorized or accidental replacement of the container image associated with a given tag.
Impact
If exploited, attackers or insiders could replace trusted container images with malicious versions under the same tag, enabling code injection, supply chain attacks, or unauthorized access, which can compromise application integrity and security.
Resolution
Enable tag immutability on ECR repositories so that existing image tags cannot be overwritten; only use immutable images in ECR.
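As an added example (not from the original page), the check below evaluates a repository list in the shape returned by ECR's describe-repositories call against this rule and remediates offenders through ECR's put_image_tag_mutability API; the sample repository list is constructed, and a missing setting is treated as a failure because the rule is about an omission.

```python
"""Flag ECR repositories whose image tags can be overwritten.

Added example, not part of the original rule page. The sample data below
is constructed in the shape of boto3 `describe_repositories()["repositories"]`;
a live run would feed that call's output into find_mutable_repositories().
"""
from typing import Any

# Constructed sample: one compliant repo, one mutable, one missing the key.
SAMPLE_REPOSITORIES = [
    {"repositoryName": "payments-api", "imageTagMutability": "MUTABLE"},
    {"repositoryName": "auth-service", "imageTagMutability": "IMMUTABLE"},
    {"repositoryName": "legacy-batch"},  # setting absent: not explicitly immutable
]


def find_mutable_repositories(repositories: list[dict[str, Any]]) -> list[str]:
    """Return the names of repositories that are not tag-immutable.

    Anything not explicitly IMMUTABLE fails the check, including a missing
    imageTagMutability key, so an omission is reported rather than ignored.
    """
    return [
        repo["repositoryName"]
        for repo in repositories
        if repo.get("imageTagMutability") != "IMMUTABLE"
    ]


def remediate(ecr_client: Any, repository_names: list[str]) -> dict[str, str]:
    """Switch each named repository to immutable tags.

    `ecr_client` is a boto3 ECR client or a stand-in exposing the same
    method; put_image_tag_mutability is the real ECR API for this setting
    and returns the mutability value it applied.
    """
    applied = {}
    for name in repository_names:
        resp = ecr_client.put_image_tag_mutability(
            repositoryName=name, imageTagMutability="IMMUTABLE"
        )
        applied[name] = resp["imageTagMutability"]
    return applied


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("Repositories with mutable tags:", find_mutable_repositories(SAMPLE_REPOSITORIES))
```

Pass `boto3.client("ecr")` to `remediate()` for a live fix; describe_repositories is paginated, so collect all pages before checking.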