aws_ecr_repository

Use the aws_ecr_repository InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository. This resource is available in InSpec AWS resource pack version 1.11.0 onwards.

Syntax

An aws_ecr_repository resource block declares the tests for a single AWS ECR repository by repository name.

describe aws_ecr_repository(repository_name: 'my-repo') do
  it { should exist }
end

The value of the repository_name can be provided as a string.

describe aws_ecr_repository('my-repo') do
  it { should exist }
end

Parameters

The repository name must be provided. The registry id is optional.

repository_name (required)

The name of the ECR repository must satisfy the following constraints: - Regex pattern (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*. - Minimum 2 and maximum of 256 characters long.

This can be passed either as a string or as a repository_name: 'value' key-value entry in a hash.

registry_id (optional)

The 12-digit ID of the AWS Elastic Container Registry. If not provided, the default registry is assumed.

Properties

Property Description
repository_name The name of the repository.
image_tag_mutability The tag mutability settings for the repository. Valid values are MUTABLE or IMMUTABLE.
registry_id The AWS account ID associated with the registry that contains the repository.
tags An hash with each key-value pair corresponding to a tag associated with the entity.

There are also additional properties available. For a comprehensive list, see the API reference documentation

Examples

Test that image tags are IMMUTABLE in an ECR repository
describe aws_ecr_repository('my-repo') do
  its('image_tag_mutability') { should eq 'IMMUTABLE' }
end
Test that images are scanned for vulnerabilities at a push to repository
describe aws_ecr_repository(repository_name: 'my-repo') do
  its('image_scanning_configuration.scan_on_push') { should eq true}
end
Test that an ECR repository has a certain tag
describe aws_ecr_repository('my-repo') do
  its('tags') { should include('environment' => 'dev') }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

describe aws_ecr_repository(repository_name: 'my-repo') do
    it { should exist }
end

AWS Permissions

Your Principal will need the ecr:DescribeRepositories action set to allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.