A company is using AWS CodePipeline for its CI/CD process. The pipeline deploys an application to an Amazon ECS cluster. The security team requires that every container image must be scanned for vulnerabilities before it is deployed. If critical vulnerabilities are found, the pipeline must fail automatically. How can the Architect implement this requirement?

Amazon Elastic Container Registry (ECR) can be configured to automatically scan images for vulnerabilities when they are pushed. However, CodePipeline does not natively pause or fail based on these scan results. To enforce the security requirement, you must add an action to your CodePipeline (typically an AWS Lambda function) that calls the ECR API to retrieve the scan findings. If the Lambda function detects 'Critical' findings, it returns a failure signal to CodePipeline, halting the deployment.