Security Issue: Disable Mutable Tags in ECR - Githubissues

cds-snc / covid-alert-server

Exposure Notification: Diagnosis Server implementation / Notification d’exposition : Mise en œuvre du serveur de diagnostic

Apache License 2.0

298 stars 31 forks source link

Security Issue: Disable Mutable Tags in ECR #409

Closed CalvinRodo closed 3 years ago

CalvinRodo commented 3 years ago

Issue found in Snyk scan of TF Files

Path:

resource > aws_ecr_repository[repository] > image_tag_mutability

The issue is...

The AWS ECR registry does not enforce immutable tags

The impact of this is...

Image tags can be modified post deployment

You can resolve this by...

Set image_tag_mutability attribute to IMMUTABLE

AC

[ ] Disable check in Demo https://github.com/cds-snc/covid-alert-server-demo-terraform/issues/29
[ ] Disable check in Staging https://github.com/cds-snc/covid-alert-server-staging-terraform/issues/72
[ ] Fix in Prod https://github.com/cds-snc/covid-alert-server-production-terraform/issues/46

CalvinRodo commented 3 years ago

On hold as I determine if we need mutable tags for anything

CalvinRodo commented 3 years ago

Not going to get to this, will re-open if we do.