added policy to check immutable tags for ecr

avd_docs/aws/ecr/AVD-AWS-0192/docs.md

@@ -0,0 +1,13 @@
+
+Ensures ECR repository image tags cannot be overwritten
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://sysdig.com/blog/toctou-tag-mutability/
+
+

internal/rules/policies/cloud/policies/aws/ecr/enforce_immutable_repository.rego

@@ -0,0 +1,25 @@
+# METADATA
+# title: "ECR Repository Tag Immutability"
+# description: "Ensures ECR repository image tags cannot be overwritten"
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - https://sysdig.com/blog/toctou-tag-mutability/
+# custom:
+#   avd_id: AVD-AWS-0192
+#   provider: aws
+#   service: ecr
+#   severity: HIGH
+#   short_code: enforce-immutable-repository
+#   recommended_action: "Update ECR registry configurations to ensure image tag mutability is set to immutable."
+#   input:
+#     selector:
+#     - type: cloud
+package builtin.aws.ecr.aws0192
+
+deny[res] {
+	repo := input.aws.ecr.repositories[_]
+	not repo.imagetagsimmutable.value
+	res := result.new("Repository tags are mutable.", repo.imagetagsimmutable)
+}

internal/rules/policies/cloud/policies/aws/ecr/enforce_immutable_repository_test.rego

@@ -0,0 +1,11 @@
+package builtin.aws.ecr.aws0192
+
+test_detects_when_mutable {
+	r := deny with input as {"aws": {"ecr": {"repositories": [{"imagetagsimmutable": {"value": false}}]}}}
+	count(r) == 1
+}
+
+test_when_immutable {
+	r := deny with input as {"aws": {"ecr": {"repositories": [{"imagetagsimmutable": {"value": true}}]}}}
+	count(r) == 0
+}