Evaluates whether each Container Registry repository is configured to be immutable. Repositories with immutability enabled are evaluated as Compliant.
Scenarios
When a repository is configured to be immutable, existing and new images cannot be overwritten except for images of the latest version. This prevents manual operations from overwriting image versions and ensures consistency between repository images and deployed container images.
Risk level
Default risk level: high.
You can adjust the risk level based on your business requirements.
Compliance evaluation logic
- If each Container Registry repository is configured to be immutable, the evaluation result is Compliant.
- If a Container Registry repository is not configured to be immutable, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
Rule details
| Item | Description |
| Rule name | cr-repository-immutablity-enable |
| Rule identifier | cr-repository-immutablity-enable |
| Tag | CR and Repository |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | Container Registry repositories |
| Input parameter | None |
Incompliance remediation
Configure a Container Registry repository to be immutable. For more information, see Configure a repository to be immutable.