Docker and Amazon ECR With QuickInfra: Container Image Lifecycle Made Simple
Where your container images are stored, how they're scanned, and how they're pulled into deployments matters more than most teams realise. Here's how QuickInfra handles the full container registry workflow.
QuickInfra Team
QuickInfra Cloud Solution
Container images are the deployment unit for most modern applications. Where they're stored, how they're tagged, how they're scanned for vulnerabilities, and how old images are cleaned up are operational concerns that matter at production scale. QuickInfra integrates with Amazon ECR to handle the full image lifecycle.
ECR Repository Provisioning
QuickInfra creates ECR repositories as part of your Infrastructure Project when you're deploying a containerised workload. Each repository is provisioned with image scanning enabled (both on push and on-demand), a lifecycle policy to expire old images, and encryption using a KMS key.
Repositories follow a consistent naming convention tied to your project: {org}/{project}/{service}. This makes cross-account image references predictable.
Image Scanning
ECR's native image scanning uses the Common Vulnerabilities and Exposures (CVE) database to check images for known vulnerabilities. QuickInfra surfaces scan results in the Security section — images with CRITICAL or HIGH vulnerabilities are flagged and can trigger a pipeline failure if configured.
Enhanced scanning with Amazon Inspector integration is supported for teams that need more thorough vulnerability assessment, including OS-level and application dependency scanning.
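A pipeline gate of the kind described above, as an added example that is not QuickInfra's own code: it takes the JSON that ECR's DescribeImageScanFindings call returns (for instance from `aws ecr describe-image-scan-findings`) and decides whether the build should fail. The function name `gate`, the repository names and the sample responses are constructed for illustration.

```python
import json

BLOCKING = ("CRITICAL", "HIGH")   # severities the page says are flagged
# Statuses where ECR has findings to report: COMPLETE (basic scan) and
# ACTIVE (enhanced, continuous scanning).
READY = {"COMPLETE", "ACTIVE"}

def gate(response, blocking=BLOCKING):
    """Return (passed, reason) for one DescribeImageScanFindings response."""
    status = response.get("imageScanStatus", {}).get("status")
    if status not in READY:
        # Fail closed: a pending or failed scan is not a clean scan.
        return False, f"scan not usable (status={status})"
    counts = response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    hits = [f"{sev}={counts[sev]}" for sev in blocking if counts.get(sev, 0) > 0]
    if hits:
        return False, "blocking findings: " + ", ".join(hits)
    return True, "no blocking findings"

# Constructed sample responses (repository names and counts are made up).
SAMPLES = json.loads("""
{
  "vulnerable": {
    "repositoryName": "example-org/example-project/api",
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"CRITICAL": 1, "HIGH": 4, "MEDIUM": 9}}
  },
  "clean": {
    "repositoryName": "example-org/example-project/api",
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"MEDIUM": 2, "LOW": 7}}
  },
  "pending": {
    "repositoryName": "example-org/example-project/api",
    "imageScanStatus": {"status": "IN_PROGRESS"}
  }
}
""")

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        passed, reason = gate(resp)
        print(f"{name:10s} {'PASS' if passed else 'FAIL'}  {reason}")
```

The gate treats a missing or unfinished scan as a failure, so an image cannot reach deployment simply because its scan has not run yet.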
Lifecycle Policies
Without lifecycle policies, ECR repositories accumulate images indefinitely. QuickInfra configures a lifecycle policy that retains the last 10 tagged images and deletes untagged images after 7 days. Specific tags (production, latest) can be excluded from expiry.
Cross-Account Image Pulling
In multi-account setups, images typically live in a central account (your CI/CD account) and are pulled by workload accounts (dev, staging, prod). QuickInfra generates the ECR repository policy that allows cross-account pull access from your connected accounts — no manual policy editing required.
Image Tagging Strategy
QuickInfra's CI/CD pipelines tag images with the git commit SHA and, if a version tag triggered the build, a semantic version tag. Using the git commit SHA as the image tag makes deployments fully traceable: you always know which exact code is running in any environment.