terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags
Author
unknown
The ECR repository allows tag mutability: a tag that has already been pushed can be repointed at a different image, so a deployment that pulls by tag could end up running a compromised image. ECR repositories should be set to IMMUTABLE to prevent code injection through image mutation. This is done by setting image_tag_mutability to IMMUTABLE (the aws provider defaults the attribute to MUTABLE when it is omitted).
Definition
rules:
  - id: aws-ecr-mutable-image-tags
    patterns:
      - pattern: |
          resource "aws_ecr_repository" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_ecr_repository" $ANYTHING {
            ...
            image_tag_mutability = "IMMUTABLE"
            ...
          }
    message: The ECR repository allows tag mutability. Image tags could be
      overwritten with compromised images. ECR images should be set to IMMUTABLE
      to prevent code injection through image mutation. This can be done by
      setting `image_tag_mutability` to IMMUTABLE.
    languages:
      - hcl
    severity: WARNING
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-345: Insufficient Verification of Data Authenticity"
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_tag_mutability
        - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
Examples
aws-ecr-mutable-image-tags.tf
# ruleid: aws-ecr-mutable-image-tags
resource "aws_ecr_repository" "fail_1" {
  name = "example"
}

# ruleid: aws-ecr-mutable-image-tags
resource "aws_ecr_repository" "fail_2" {
  name                 = "example"
  image_tag_mutability = "MUTABLE"
}

# ok: aws-ecr-mutable-image-tags
resource "aws_ecr_repository" "pass" {
  name                 = "example"
  image_tag_mutability = "IMMUTABLE"
}
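The script below is an added example, not part of the Semgrep rule or its test file. It reproduces the rule's decision in plain Python so the two edges of the pattern are visible: an absent attribute is a finding (the provider default is MUTABLE), and a value supplied indirectly, such as `var.tag_mutability`, is also a finding, because `pattern-not-inside` only recognises the literal string `"IMMUTABLE"`. The sample Terraform is constructed for this example (the `indirect` and `unrelated` resources, the `var.tag_mutability` variable and the regex-based block parser are assumptions, not the rule's own code); the parser assumes `terraform fmt` layout with the resource's closing brace in column 0.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the page's three test cases plus two extra resources
# (a variable-sourced value and an unrelated resource type).
SAMPLE_TF = '''
resource "aws_ecr_repository" "fail_1" {
  name = "example"
}

resource "aws_ecr_repository" "fail_2" {
  name                 = "example"
  image_tag_mutability = "MUTABLE"
}

resource "aws_ecr_repository" "pass" {
  name                 = "example"
  image_tag_mutability = "IMMUTABLE"
}

resource "aws_ecr_repository" "indirect" {
  name                 = "example"
  image_tag_mutability = var.tag_mutability   # not a literal, so the rule flags it
}

resource "aws_s3_bucket" "unrelated" {
  bucket = "example"
}
'''

# One aws_ecr_repository block: body runs up to the first "}" in column 0,
# which is where terraform fmt puts a top-level resource's closing brace.
BLOCK_RE = re.compile(
    r'resource\s+"aws_ecr_repository"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# The attribute's raw right-hand side, excluding any trailing "#" comment.
ATTR_RE = re.compile(
    r'^\s*image_tag_mutability\s*=\s*(?P<value>[^\n#]+)', re.MULTILINE
)


def find_mutable_ecr_repositories(hcl: str) -> List[Dict[str, Optional[str]]]:
    """Return every aws_ecr_repository block whose image_tag_mutability is not
    the literal "IMMUTABLE", mirroring the rule's pattern / pattern-not-inside
    pair. 'value' is the raw right-hand side, or None when the attribute is
    absent (the provider then applies its default, MUTABLE)."""
    findings: List[Dict[str, Optional[str]]] = []
    for block in BLOCK_RE.finditer(hcl):
        attr = ATTR_RE.search(block.group("body"))
        value = attr.group("value").strip() if attr else None
        if value != '"IMMUTABLE"':
            findings.append({"name": block.group("name"), "value": value})
    return findings


if __name__ == "__main__":
    for finding in find_mutable_ecr_repositories(SAMPLE_TF):
        shown = finding["value"] if finding["value"] is not None else "<absent: defaults to MUTABLE>"
        print(f'aws_ecr_repository.{finding["name"]}: image_tag_mutability = {shown}')
```

Two practical notes. First, the rule is a static check on Terraform source; repositories created by hand or by other tooling are not covered, so also audit the account itself, for example with `aws ecr describe-repositories --query 'repositories[?imageTagMutability==`MUTABLE`].repositoryName'` and fix findings with `aws ecr put-image-tag-mutability --repository-name <name> --image-tag-mutability IMMUTABLE`. Second, immutability only stops a tag from being repointed after it is pushed; it does not establish where the image came from, so deployments that pull by digest and verify signatures still need those controls in addition to this setting.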
Short Link: https://sg.run/ZEeL