Add ECR repository to rules

Signed-off-by: Calvin Bui <3604363+calvinbui@users.noreply.github.com>

rules/falco_rules.yaml

@@ -1826,6 +1826,7 @@
     k8s.gcr.io/ip-masq-agent-amd64,
     k8s.gcr.io/kube-proxy,
     k8s.gcr.io/prometheus-to-sd,
+    public.ecr.aws/falcosecurity/falco,
     quay.io/calico/node,
     sysdig/sysdig,
     sematext_images
@@ -1854,7 +1855,7 @@
 - list: falco_sensitive_mount_images
   items: [
     docker.io/sysdig/sysdig, sysdig/sysdig,
-    docker.io/falcosecurity/falco, falcosecurity/falco,
+    docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
     gcr.io/google_containers/hyperkube,
     gcr.io/google_containers/kube-proxy, docker.io/calico/node,
     docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
@@ -2363,7 +2364,8 @@
      docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
      sysdig/sysdig, falcosecurity/falco,
      fluent/fluentd-kubernetes-daemonset, prom/prometheus,
-     ibm_cloud_containers)
+     ibm_cloud_containers,
+     public.ecr.aws/falcosecurity/falco)
      or (k8s.ns.name = "kube-system"))
 
 - macro: k8s_api_server
@@ -2802,7 +2804,7 @@
   condition: (evt.type in (sendto, sendmsg) and evt.dir=< and (fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and ((minerpool_http) or (minerpool_https) or (minerpool_other)))
 
 - macro: trusted_images_query_miner_domain_dns
-  condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco))
+  condition: (container.image.repository in (docker.io/falcosecurity/falco, falcosecurity/falco, public.ecr.aws/falcosecurity/falco))
   append: false
 
 # The rule is disabled by default.
@@ -3120,4 +3122,3 @@
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
-