BatchCheckLayerAvailability

# Field template for the ECR BatchCheckLayerAvailability request.
# NOTE(review): STRING appears to be a type placeholder, not a Rego value; a
# real policy replaces it with a concrete value or comparison.
valid {
    # registryId is the AWS account ID that owns the registry.
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # `[_]` is existential: the line holds when ANY digest matches. Use `every`
    # or a negated helper rule to constrain all elements.
    input.Body.layerDigests[_] == STRING
    # ProviderMetadata: the same three fields appear for every action on this
    # page; presumably they describe the calling credentials and target region.
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

BatchDeleteImage

# Field template for the ECR BatchDeleteImage request (destructive action).
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # Each `_` is an independent wildcard: these two lines may be satisfied by
    # different imageIds elements. Bind a shared index (`some i`) to constrain
    # digest and tag of the same entry, and note that `[_]` matches ANY element,
    # so one allowed entry does not vouch for the rest of the batch.
    input.Body.imageIds[_].imageDigest == STRING
    input.Body.imageIds[_].imageTag == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

BatchGetImage

# Field template for the ECR BatchGetImage request (image pull path).
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # The two `_` wildcards are unrelated; digest and tag may come from
    # different imageIds entries unless a shared index variable is used.
    input.Body.imageIds[_].imageDigest == STRING
    input.Body.imageIds[_].imageTag == STRING
    input.Body.acceptedMediaTypes[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

BatchGetRepositoryScanningConfiguration

# Field template for the ECR BatchGetRepositoryScanningConfiguration request.
valid {
    # Existential match: true if any listed repository name equals the value.
    input.Body.repositoryNames[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CompleteLayerUpload

# Field template for the ECR CompleteLayerUpload request (image push path).
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # uploadId ties this call to a prior InitiateLayerUpload.
    input.Body.uploadId == STRING
    input.Body.layerDigests[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreatePullThroughCacheRule

# Upstream registry kinds accepted for a pull-through cache rule.
enum_UpstreamRegistry := [ "ecr-public", "quay", "k8s", "docker-hub", "github-container-registry", "azure-container-registry", "gitlab-container-registry" ]

# Field template for the ECR CreatePullThroughCacheRule request.
# A rule created here makes the registry fetch and cache images from an external
# source, so upstreamRegistry/upstreamRegistryUrl are the fields to pin when
# restricting which upstreams are allowed.
valid {
    input.Body.ecrRepositoryPrefix == STRING
    input.Body.upstreamRegistryUrl == STRING
    input.Body.registryId == STRING
    # As written this accepts every enum member; narrow it to an allow-list.
    input.Body.upstreamRegistry == enum_UpstreamRegistry[_]
    # ARN of the Secrets Manager secret holding the upstream credentials.
    input.Body.credentialArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateRepository

# Encryption-at-rest modes listed for a new repository.
enum_EncryptionType := [ "AES256", "KMS" ]
# Whether image tags may be overwritten after push.
# NOTE(review): this name is declared again under PutImageTagMutability; `:=`
# cannot be redeclared within one Rego module, so keep the sections separate.
enum_ImageTagMutability := [ "MUTABLE", "IMMUTABLE" ]

# Field template for the ECR CreateRepository request.
# In Rego a reference to an absent field is undefined and fails the whole body,
# so copying every line verbatim would reject requests that omit optional
# fields such as tags or kmsKey. Treat this as a list of available fields.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # Independent wildcards: Key and Value may match different tag entries.
    input.Body.tags[_].Key == STRING
    input.Body.tags[_].Value == STRING
    # Hardening controls worth pinning in a guardrail: "IMMUTABLE" tags,
    # scanOnPush true, and a specific encryptionType / kmsKey.
    input.Body.imageTagMutability == enum_ImageTagMutability[_]
    input.Body.imageScanningConfiguration.scanOnPush == BOOLEAN
    input.Body.encryptionConfiguration.encryptionType == enum_EncryptionType[_]
    input.Body.encryptionConfiguration.kmsKey == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteLifecyclePolicy

# Field template for the ECR DeleteLifecyclePolicy request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeletePullThroughCacheRule

# Field template for the ECR DeletePullThroughCacheRule request.
valid {
    # The rule is identified by its repository prefix within the registry.
    input.Body.ecrRepositoryPrefix == STRING
    input.Body.registryId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteRegistryPolicy

# Field template for the ECR DeleteRegistryPolicy request.
# No Body fields are listed, so a policy for this action can only key on the
# ProviderMetadata (account, access key, region).
valid {
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteRepository

# Field template for the ECR DeleteRepository request (destructive action).
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # force=true deletes a repository that still contains images. A guardrail
    # requiring `force == false` must also decide what to do when the field is
    # absent: the reference is then undefined and the line simply fails.
    input.Body.force == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteRepositoryPolicy

# Field template for the ECR DeleteRepositoryPolicy request.
# Removes the resource policy attached to the named repository.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeImageReplicationStatus

# Field template for the ECR DescribeImageReplicationStatus request.
valid {
    input.Body.repositoryName == STRING
    # imageId is a single object here (no `[_]`), unlike the batch actions.
    input.Body.imageId.imageDigest == STRING
    input.Body.imageId.imageTag == STRING
    input.Body.registryId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeImageScanFindings

# Field template for the ECR DescribeImageScanFindings request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    input.Body.imageId.imageDigest == STRING
    input.Body.imageId.imageTag == STRING
    # Pagination controls; INTEGER appears to be a type placeholder like STRING.
    input.Body.nextToken == STRING
    input.Body.maxResults == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeImages

# Tag-status filter values.
# NOTE(review): enum_TagStatus is declared again under GetLifecyclePolicyPreview
# and ListImages; `:=` cannot be redeclared within one Rego module.
enum_TagStatus := [ "TAGGED", "UNTAGGED", "ANY" ]

# Field template for the ECR DescribeImages request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # Independent wildcards: digest and tag may match different entries.
    input.Body.imageIds[_].imageDigest == STRING
    input.Body.imageIds[_].imageTag == STRING
    input.Body.nextToken == STRING
    input.Body.maxResults == INTEGER
    input.Body.filter.tagStatus == enum_TagStatus[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribePullThroughCacheRules

# Field template for the ECR DescribePullThroughCacheRules request.
valid {
    input.Body.registryId == STRING
    input.Body.ecrRepositoryPrefixes[_] == STRING
    input.Body.nextToken == STRING
    input.Body.maxResults == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeRegistry

# Field template for the ECR DescribeRegistry request.
# No Body fields are listed; only ProviderMetadata is available to match on.
valid {
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeRepositories

# Field template for the ECR DescribeRepositories request.
valid {
    input.Body.registryId == STRING
    # Existential match: holds if any requested name equals the value.
    input.Body.repositoryNames[_] == STRING
    input.Body.nextToken == STRING
    input.Body.maxResults == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetAuthorizationToken

# Field template for the ECR GetAuthorizationToken request.
# This action returns the credential a client uses to log in to the registry,
# so restricting who may call it (ProviderMetadata) is usually the main control.
valid {
    input.Body.registryIds[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetDownloadUrlForLayer

# Field template for the ECR GetDownloadUrlForLayer request (image pull path).
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # A single digest here, not an array.
    input.Body.layerDigest == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetLifecyclePolicy

# Field template for the ECR GetLifecyclePolicy request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetLifecyclePolicyPreview

# Tag-status filter values.
# NOTE(review): the same name is declared under DescribeImages and ListImages;
# combining those sections into one Rego module would be a redeclaration error.
enum_TagStatus := [ "TAGGED", "UNTAGGED", "ANY" ]

# Field template for the ECR GetLifecyclePolicyPreview request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # Independent wildcards: digest and tag may match different entries.
    input.Body.imageIds[_].imageDigest == STRING
    input.Body.imageIds[_].imageTag == STRING
    input.Body.nextToken == STRING
    input.Body.maxResults == INTEGER
    input.Body.filter.tagStatus == enum_TagStatus[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetRegistryPolicy

# Field template for the ECR GetRegistryPolicy request.
# No Body fields are listed; only ProviderMetadata is available to match on.
valid {
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetRegistryScanningConfiguration

# Field template for the ECR GetRegistryScanningConfiguration request.
# No Body fields are listed; only ProviderMetadata is available to match on.
valid {
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetRepositoryPolicy

# Field template for the ECR GetRepositoryPolicy request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

InitiateLayerUpload

# Field template for the ECR InitiateLayerUpload request (first step of a push).
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListImages

# Tag-status filter values.
# NOTE(review): also declared under DescribeImages and GetLifecyclePolicyPreview;
# keep one declaration if these sections are merged into a single module.
enum_TagStatus := [ "TAGGED", "UNTAGGED", "ANY" ]

# Field template for the ECR ListImages request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    input.Body.nextToken == STRING
    input.Body.maxResults == INTEGER
    input.Body.filter.tagStatus == enum_TagStatus[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListTagsForResource

# Field template for the ECR ListTagsForResource request.
valid {
    # The target is addressed by ARN rather than registryId/repositoryName.
    input.Body.resourceArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutImage

# Field template for the ECR PutImage request (final step of a push).
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # imageManifest is carried as an opaque string; this template does not
    # expose its contents for matching.
    input.Body.imageManifest == STRING
    input.Body.imageManifestMediaType == STRING
    # imageTag is the field to constrain when restricting which tags may be
    # written (for example protecting a release tag).
    input.Body.imageTag == STRING
    input.Body.imageDigest == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutImageScanningConfiguration

# Field template for the ECR PutImageScanningConfiguration request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # A guardrail that forbids turning scanning off compares this to `true`.
    input.Body.imageScanningConfiguration.scanOnPush == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutImageTagMutability

# Whether image tags may be overwritten after push.
# NOTE(review): also declared under CreateRepository; `:=` cannot be redeclared
# within one Rego module.
enum_ImageTagMutability := [ "MUTABLE", "IMMUTABLE" ]

# Field template for the ECR PutImageTagMutability request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # As written both values pass; compare against "IMMUTABLE" to block a
    # downgrade to overwritable tags.
    input.Body.imageTagMutability == enum_ImageTagMutability[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutLifecyclePolicy

# Field template for the ECR PutLifecyclePolicy request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # The lifecycle policy document is passed as one string; matching on its
    # rules would require parsing it inside the policy (e.g. json.unmarshal).
    input.Body.lifecyclePolicyText == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutRegistryPolicy

# Field template for the ECR PutRegistryPolicy request.
valid {
    # policyText is the registry permissions policy as a single string. The
    # template exposes no principals or actions from it; a guardrail against
    # over-broad grants has to parse the string itself (e.g. json.unmarshal).
    input.Body.policyText == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutRegistryScanningConfiguration

# When images matching a rule are scanned.
enum_ScanFrequency := [ "SCAN_ON_PUSH", "CONTINUOUS_SCAN", "MANUAL" ]
# Registry-wide scanning mode.
enum_ScanType := [ "BASIC", "ENHANCED" ]
# Only one repository filter type is listed.
enum_ScanningRepositoryFilterType := [ "WILDCARD" ]

# Field template for the ECR PutRegistryScanningConfiguration request.
valid {
    input.Body.scanType == enum_ScanType[_]
    # Every `_` below is independent, so the three rules[_] lines may each be
    # satisfied by a different rule, and a single matching rule is enough.
    # To stop a change that sets any rule to "MANUAL", iterate with `every` or
    # negate a helper that finds an offending rule.
    input.Body.rules[_].scanFrequency == enum_ScanFrequency[_]
    input.Body.rules[_].repositoryFilters[_].filter == STRING
    input.Body.rules[_].repositoryFilters[_].filterType == enum_ScanningRepositoryFilterType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutReplicationConfiguration

# Only one replication filter type is listed.
enum_RepositoryFilterType := [ "PREFIX_MATCH" ]

# Field template for the ECR PutReplicationConfiguration request.
# Replication copies images to the listed destinations; destinations[_].registryId
# is the destination account, so it is the field to allow-list when replication
# to accounts outside the organisation must be prevented.
valid {
    # `[_]` is existential and each occurrence is independent: region and
    # registryId may match different destinations, and one approved destination
    # does not cover the others. Check all destinations with `every` or a
    # negated helper rule.
    input.Body.replicationConfiguration.rules[_].destinations[_].region == STRING
    input.Body.replicationConfiguration.rules[_].destinations[_].registryId == STRING
    input.Body.replicationConfiguration.rules[_].repositoryFilters[_].filter == STRING
    input.Body.replicationConfiguration.rules[_].repositoryFilters[_].filterType == enum_RepositoryFilterType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

SetRepositoryPolicy

# Field template for the ECR SetRepositoryPolicy request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # policyText is the repository resource policy as one string. Detecting a
    # wildcard principal or a foreign account requires parsing it in the policy
    # (e.g. json.unmarshal); the template itself only sees a string.
    input.Body.policyText == STRING
    # force overrides the service's check against a policy that would lock the
    # caller out of setting a later policy.
    input.Body.force == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StartImageScan

# Field template for the ECR StartImageScan request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # Single imageId object; digest and tag refer to the same image here.
    input.Body.imageId.imageDigest == STRING
    input.Body.imageId.imageTag == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StartLifecyclePolicyPreview

# Field template for the ECR StartLifecyclePolicyPreview request.
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    # Policy document passed as one opaque string.
    input.Body.lifecyclePolicyText == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

TagResource

# Field template for the ECR TagResource request.
# Tags matter for access control when IAM conditions key on them.
valid {
    input.Body.resourceArn == STRING
    # Independent wildcards: Key and Value may come from different tag entries.
    # Use a shared index (`some i`) to match a specific key/value pair.
    input.Body.tags[_].Key == STRING
    input.Body.tags[_].Value == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UntagResource

# Field template for the ECR UntagResource request.
valid {
    input.Body.resourceArn == STRING
    # Existential match: holds if any key being removed equals the value, which
    # is the form needed to detect removal of a protected tag.
    input.Body.tagKeys[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdatePullThroughCacheRule

# Field template for the ECR UpdatePullThroughCacheRule request.
valid {
    input.Body.registryId == STRING
    input.Body.ecrRepositoryPrefix == STRING
    # ARN of the Secrets Manager secret used to authenticate to the upstream.
    input.Body.credentialArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UploadLayerPart

# Field template for the ECR UploadLayerPart request (image push path).
valid {
    input.Body.registryId == STRING
    input.Body.repositoryName == STRING
    input.Body.uploadId == STRING
    # Byte range of this part within the layer.
    # NOTE(review): LONG and BLOB appear to be type placeholders like STRING;
    # how the blob is represented in `input` is not shown here.
    input.Body.partFirstByte == LONG
    input.Body.partLastByte == LONG
    input.Body.layerPartBlob == BLOB
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ValidatePullThroughCacheRule

# Field template for the ECR ValidatePullThroughCacheRule request.
valid {
    input.Body.ecrRepositoryPrefix == STRING
    input.Body.registryId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}