app-staging-synthesizer: ecr repo not immutable #26655
Comments
Is this a recommendation or a requirement? Also, could you share the docs where AWS recommends this?
Totally forgot the link: https://docs.aws.amazon.com/securityhub/latest/userguide/ecr-controls.html It is marked as
Thanks, we don't necessarily conform to Security Hub recommendations. I have relabeled this as a feature request. I don't know of any downsides, and you're right, this is enabled in our bootstrap template. But also, it's not enabled by default in our construct. Regardless, thanks for the PR. We can consider it and get back to you.
I put it as a bug because I saw that in the past, the CDK team merged a PR explicitly to fix a Security Hub finding. Would you be more open to a PR to make it configurable?
Closes #26655
I cannot run the integration tests and therefore cannot update the snapshot :(
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
AWS recommends ECR repos to have tag immutability configured.
The ECR repos created by this module do not do that.
Expected Behavior
The ECR repos created by this module should have tag immutability configured.
Current Behavior
The ECR repos created by this module do not have tag immutability configured.
Reproduction Steps
Deploy a stack with a docker image and have a look at the created repo.
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.90.0
Framework Version
No response
Node.js Version
18
OS
OSX
Language
TypeScript
Language Version
No response
Other information
No response
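One way to check for the condition reported in this issue, as an added example that is not part of the original issue or of the CDK code base: it scans a synthesized CloudFormation template for `AWS::ECR::Repository` resources whose `ImageTagMutability` is not `IMMUTABLE`, and goes slightly beyond the report by also flagging values that cannot be resolved statically. The function name, the sample template and all logical IDs in it are constructed for illustration.

```typescript
// Added example: flags ECR repositories in a synthesized CloudFormation
// template whose image tags can be overwritten.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources?: Record<string, Resource> };
type Finding = { logicalId: string; reason: string };

function findMutableEcrRepos(template: Template): Finding[] {
  const resources = template.Resources ?? {};
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (!res || res.Type !== "AWS::ECR::Repository") continue;
    const value = res.Properties?.ImageTagMutability;
    if (value === undefined) {
      // CloudFormation treats an omitted ImageTagMutability as MUTABLE.
      findings.push({ logicalId, reason: "ImageTagMutability not set (defaults to MUTABLE)" });
    } else if (typeof value !== "string") {
      // Intrinsic function (Ref, Fn::If, ...): not resolvable statically.
      findings.push({ logicalId, reason: "ImageTagMutability is not a literal; check the deployed value" });
    } else if (value !== "IMMUTABLE") {
      findings.push({ logicalId, reason: `ImageTagMutability is ${value}` });
    }
  }
  return findings;
}

// Constructed sample template; all logical IDs and names are made up.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    StagingRepoDefault: { Type: "AWS::ECR::Repository", Properties: { RepositoryName: "app/default" } },
    StagingRepoLocked: { Type: "AWS::ECR::Repository", Properties: { ImageTagMutability: "IMMUTABLE" } },
    StagingRepoMutable: { Type: "AWS::ECR::Repository", Properties: { ImageTagMutability: "MUTABLE" } },
    StagingRepoParam: { Type: "AWS::ECR::Repository", Properties: { ImageTagMutability: { Ref: "TagMutabilityParam" } } },
    StagingBucket: { Type: "AWS::S3::Bucket" },
  },
};

for (const f of findMutableEcrRepos(SAMPLE_TEMPLATE)) {
  console.log(`${f.logicalId}: ${f.reason}`);
}
```

Run against the template a stack synthesizes, a non-empty result can fail a CI step before the repository is ever created with mutable tags.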