ECR images should be set to IMMUTABLE to prevent code injection through image mutation.
This can be done by setting
Image tags could be overwritten with compromised images
Only use immutable images in ECR
The following example will fail the aws-ecr-enforce-immutable-repository check.
The following example will pass the aws-ecr-enforce-immutable-repository check.