All Products
Search
Document Center

Cloud Config:cr-repository-immutablity-enable

Last Updated:Jun 22, 2026

Evaluates whether each Container Registry repository is configured to be immutable. Repositories with immutability enabled are evaluated as Compliant.

Scenarios

When a repository is configured to be immutable, existing and new images cannot be overwritten except for images of the latest version. This prevents manual operations from overwriting image versions and ensures consistency between repository images and deployed container images.

Risk level

Default risk level: high.

You can adjust the risk level based on your business requirements.

Compliance evaluation logic

  • If each Container Registry repository is configured to be immutable, the evaluation result is Compliant.
  • If a Container Registry repository is not configured to be immutable, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.

Rule details

Item Description
Rule name cr-repository-immutablity-enable
Rule identifier cr-repository-immutablity-enable
Tag CR and Repository
Automatic remediation Not supported
Trigger type Configuration change
Supported resource type Container Registry repositories
Input parameter None

Incompliance remediation

Configure a Container Registry repository to be immutable. For more information, see Configure a repository to be immutable.