Amazon ECR Pull Through Cache: Referrer Discovery and Sync

Written by Bits Lovers on

Image supply-chain security usually breaks in the dullest place possible: the registry stores the image, but the signature or SBOM lives somewhere else. Amazon ECR fixed that split in April 2026 by making pull through cache discover and sync OCI referrers (artifacts attached to an image digest through the OCI 1.1 referrers API) from upstream registries.

That sounds small until you try to verify provenance in a real pipeline. If the signature does not arrive with the image, the cached repository cannot be verified on its own, and the consumer has to reach back to the upstream registry for the missing artifact. Now ECR keeps the cached copy and its attached referrers together, so verification and attestation read from one repository again.

Before And After

| Workflow | Before | After | Why it matters |
|---|---|---|---|
| Image signatures | Had to be fetched separately | Synced with the cached image | Verification stays local to ECR |
| SBOMs | Often lived only upstream | Pulled through with the artifact | Compliance teams can inspect one repo |
| Attestations | Manual follow-up step | Discovered through referrer requests | Less client-side glue code |
| Lambda image pulls | Pull through cache support was limited | Still a gotcha to check | Not every consumer benefits the same way |

Cache Flow

```mermaid
flowchart LR
  Up[Upstream registry] --> Cache[Amazon ECR pull through cache]
  Cache --> Repo[Private ECR repository]
  Repo --> Workloads[CI jobs, ECS tasks, Kubernetes nodes]
  Up --> Ref[OCI referrers: signatures, SBOMs, attestations]
  Ref --> Cache
```

Practical Takeaway

If your pipeline already builds images in GitLab CI or GitHub Actions, this feature removes one more excuse to keep supply-chain metadata in a separate bucket or artifact store. Keep the metadata close to the image. Then your policy checks, scanners, and deploy jobs all work against the same repository state.

The sharp edge is that cache and consumer support are not identical across services. The docs still call out specific limitations, so test your runtime path before assuming a cache rule is enough for every workload: pull the image through the cache, query the referrers of the cached digest, and confirm that everything you expect to verify actually arrived.
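The check described above, written out as an added example (this is not code from Amazon ECR or from the article's author). It parses the OCI image index that the OCI Distribution 1.1 referrers endpoint (`GET /v2/<name>/referrers/<digest>`) returns, compares the upstream and cached answers, and gates on the artifact types a deploy job should insist on. The registry host, the `ecr-public/nginx/nginx` cache repository name, the artifact-type sets and both JSON responses are constructed for illustration; swap in the media types your own signing and SBOM tools emit.

```python
"""Compare OCI referrers upstream vs. in an ECR pull through cache repository.

Added example, not ECR's own code. The referrers endpoint is from the OCI
Distribution 1.1 spec; the sample responses below are constructed.
"""
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
INDEX_MEDIA_TYPE = "application/vnd.oci.image.index.v1+json"

# Assumption: artifact types your pipeline attaches. Notation and in-toto
# values are the published ones; cosign's referrers-mode type is assumed.
REQUIRED = {
    "signature": {"application/vnd.cncf.notary.signature",
                  "application/vnd.dev.cosign.artifact.sig.v1+json"},
    "sbom": {"application/spdx+json", "application/vnd.cyclonedx+json"},
    "attestation": {"application/vnd.in-toto+json"},
}


def referrers_url(registry, repository, digest):
    """Build the OCI 1.1 referrers URL for a subject digest.

    The digest is validated first so a malformed value cannot turn into an
    unexpected path on the registry."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    return f"https://{registry}/v2/{repository}/referrers/{digest}"


def fallback_tag(digest):
    """Tag a client looks up when a registry lacks the referrers API
    (OCI 1.1 fallback schema: '<alg>-<hex>')."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    return digest.replace(":", "-", 1)


def parse_referrers(body):
    """Map each referrer digest to its artifactType from an index response."""
    index = json.loads(body)
    if index.get("mediaType") != INDEX_MEDIA_TYPE:
        raise ValueError("referrers response must be an OCI image index")
    referrers = {}
    for manifest in index.get("manifests", []):
        digest = manifest["digest"]
        if not DIGEST_RE.match(digest):
            raise ValueError(f"bad referrer digest: {digest!r}")
        referrers[digest] = manifest.get("artifactType", "")
    return referrers


def missing_referrers(upstream, cached):
    """Referrer digests present upstream but absent from the cache copy."""
    return sorted(set(upstream) - set(cached))


def missing_categories(cached, required=REQUIRED):
    """Required artifact categories with no referrer of a matching type."""
    present = set(cached.values())
    return [name for name, types in required.items() if not present & types]


def _manifest(hex_byte, artifact_type, size):
    return {"mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + hex_byte * 32, "size": size,
            "artifactType": artifact_type}


# Constructed responses: upstream carries a signature, an SBOM and an
# attestation; the cached copy is missing the attestation.
UPSTREAM_INDEX = json.dumps({
    "schemaVersion": 2, "mediaType": INDEX_MEDIA_TYPE,
    "manifests": [_manifest("11", "application/vnd.cncf.notary.signature", 700),
                  _manifest("22", "application/spdx+json", 9000),
                  _manifest("33", "application/vnd.in-toto+json", 1200)]})
CACHED_INDEX = json.dumps({
    "schemaVersion": 2, "mediaType": INDEX_MEDIA_TYPE,
    "manifests": [_manifest("11", "application/vnd.cncf.notary.signature", 700),
                  _manifest("22", "application/spdx+json", 9000)]})


if __name__ == "__main__":
    subject = "sha256:" + "ab" * 32
    print(referrers_url("123456789012.dkr.ecr.us-east-1.amazonaws.com",
                        "ecr-public/nginx/nginx", subject))
    up, cache = parse_referrers(UPSTREAM_INDEX), parse_referrers(CACHED_INDEX)
    print("not yet synced:", missing_referrers(up, cache))
    print("gate failures:", missing_categories(cache))
```

In practice you would feed `parse_referrers` the body of an authenticated GET against the URL from `referrers_url`, once for the upstream registry and once for the private ECR repository, after pulling the image through the cache. An empty result from `missing_categories` on the cached side is the condition a deploy job should require; a non-empty `missing_referrers` list tells you the sync is incomplete for that digest rather than that the upstream never had the artifact.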

Bits Lovers

Professional writer and blogger. Focus on Cloud Computing.
