Ensure ECR repositories use immutable tags and image scanning

Container images should be protected from tag overwrite and scanned for vulnerabilities.

Category: Controls
Medium
Applies to: AWS
Coverage: 1 query
Asset types: 1 covered

What this control should detect

ECR repositories that do not enforce image tag immutability and scan-on-push.

Remediation guidance

AWS Remediation

Service-wide fix (recommended): set registry-wide scanning defaults first, then fix any repositories that still allow mutable tags or have repository-level scan-on-push disabled.

When to use service-wide remediation

Use the service-wide path when many repositories are affected. Registry-wide enhanced scanning with Amazon Inspector is the cleaner long-term model, while repository-level changes close the immediate gap that this control detects.

Service-wide AWS CLI

Enable enhanced registry scanning for all repositories:

aws ecr put-registry-scanning-configuration \
  --scan-type ENHANCED \
  --rules '[{"scanFrequency":"CONTINUOUS_SCAN","repositoryFilters":[{"filter":"*","filterType":"WILDCARD"}]}]'

Console

  1. Open Amazon ECR.
  2. Open the affected repository.
  3. Edit repository settings.
  4. Set Tag immutability to Immutable.
  5. Enable Scan on push if the repository is still using repository-level basic scanning.

AWS CLI

Set immutable tags:

aws ecr put-image-tag-mutability \
  --repository-name <repository-name> \
  --image-tag-mutability IMMUTABLE

Enable repository scan-on-push:

aws ecr put-image-scanning-configuration \
  --repository-name <repository-name> \
  --image-scanning-configuration scanOnPush=true

Validate the repository settings:

aws ecr describe-repositories \
  --repository-names <repository-name> \
  --query 'repositories[].{name:repositoryName,immutability:imageTagMutability,scanOnPush:imageScanningConfiguration.scanOnPush}'

Operational notes

  • Immutable tags prevent a later push from silently replacing a trusted image tag such as prod or release.
  • Enhanced scanning is generally better than relying only on per-repository basic scanning because it supports continuous vulnerability updates through Amazon Inspector.
  • If your delivery pipeline relies on reusing the same tag, change the pipeline to publish unique version tags before enforcing immutability.

References

  • https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html
  • https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
  • https://docs.aws.amazon.com/cli/latest/reference/ecr/put-registry-scanning-configuration.html

Query logic

These are the stored checks tied to this control.

ECR repositories without immutability and scan-on-push

Connectors

AWS

Covered asset types

ECRRepository

Expected check: eq []

{
  ecrRepositories(where: {
    OR: [
      { imageScanningConfigurationScanOnPush: false },
      { imageTagMutability_NOT: "IMMUTABLE" }
    ]
  }) {
    ...AssetFragment
  }
}
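The check above and the per-repository CLI remediation earlier on this page, worked through as an added example (not Cyscale's or AWS's code): it applies the same OR condition to saved output of `aws ecr describe-repositories`, notes when a registry-wide enhanced scanning rule already covers a repository whose repository-level scan-on-push is off, and emits the page's fix commands. The sample JSON is constructed, and ECR's WILDCARD filter matching is approximated with fnmatch (an assumption).

```python
import fnmatch
import json

# Constructed sample, shaped like the output of `aws ecr describe-repositories`.
DESCRIBE_REPOSITORIES = json.loads("""{"repositories": [
 {"repositoryName": "api", "imageTagMutability": "IMMUTABLE", "imageScanningConfiguration": {"scanOnPush": false}},
 {"repositoryName": "web", "imageTagMutability": "MUTABLE", "imageScanningConfiguration": {"scanOnPush": true}},
 {"repositoryName": "batch", "imageTagMutability": "IMMUTABLE", "imageScanningConfiguration": {"scanOnPush": false}}]}""")

# Constructed sample, shaped like `aws ecr get-registry-scanning-configuration`.
REGISTRY_SCANNING = json.loads("""{"scanningConfiguration": {"scanType": "ENHANCED", "rules": [
 {"scanFrequency": "CONTINUOUS_SCAN", "repositoryFilters": [{"filter": "api*", "filterType": "WILDCARD"}]}]}}""")

def registry_scan_covers(name, registry):
    """True if an ENHANCED registry rule has a WILDCARD filter matching the repo
    (ECR's wildcard matching is approximated with fnmatch; an assumption)."""
    cfg = registry.get("scanningConfiguration", {})
    return cfg.get("scanType") == "ENHANCED" and any(
        fnmatch.fnmatchcase(name, f["filter"])
        for rule in cfg.get("rules", [])
        for f in rule.get("repositoryFilters", [])
        if f.get("filterType") == "WILDCARD")

def evaluate(repos, registry):
    """Apply the control's OR condition (scanOnPush false OR mutability not
    IMMUTABLE); return {repositoryName: [findings]} for failing repos only."""
    findings = {}
    for repo in repos["repositories"]:
        name, issues = repo["repositoryName"], []
        if repo.get("imageTagMutability") != "IMMUTABLE":
            issues.append("mutable-tags")
        if not repo.get("imageScanningConfiguration", {}).get("scanOnPush"):
            # The stored check flags this even when a registry-wide enhanced
            # scanning rule already covers the repo, so record both facts.
            covered = registry_scan_covers(name, registry)
            issues.append("scan-on-push-off" + ("-but-registry-enhanced" if covered else ""))
        if issues:
            findings[name] = issues
    return findings

def remediation_commands(findings):
    """Emit the page's per-repository AWS CLI fixes, one command per finding."""
    cmds = []
    for name, issues in sorted(findings.items()):
        if "mutable-tags" in issues:
            cmds.append(f"aws ecr put-image-tag-mutability --repository-name {name} --image-tag-mutability IMMUTABLE")
        if any(i.startswith("scan-on-push-off") for i in issues):
            cmds.append(f"aws ecr put-image-scanning-configuration --repository-name {name} --image-scanning-configuration scanOnPush=true")
    return cmds
```

Feed it real output by replacing the two constructed samples with `json.load()` of the files the two CLI commands write; review the emitted commands before running them, since the page notes pipelines that reuse a tag must move to unique version tags first.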
© 2026 Cyscale Limited