⭐️ ecr auth for container images#1368

Merged: chris-rock merged 2 commits into main from chris-rock/ecr-auth, Feb 5, 2026

@chris-rock
Member

The image cache (pkg/imagecache/imagecache.go) resolves container image tags to their immutable SHA digests and caches the results.

What it does:

  1. Resolves image tags to digests - When given an image like ghcr.io/mondoohq/mondoo-operator:latest, it queries the registry to get the SHA256
    digest (e.g., ghcr.io/mondoohq/mondoo-operator@sha256:abc123...)
  2. Caches results for 24 hours - Once resolved, it stores the digest in memory to avoid repeated registry lookups
  3. Auto-refreshes stale entries - If a cached entry is older than 24 hours, it re-queries the registry on the next request

Why it matters:

  • Kubernetes deployments using tags like :latest can drift if the tag is updated
  • Using SHA digests ensures reproducible deployments
  • The operator uses this to pin exact image versions when creating CronJobs and other resources for scanning

Fix:

fixes #1362

Previously, queryImageWithSHA called remote.Get(ref) without authentication, so it couldn't resolve images from private ECR registries. Now it detects ECR URLs (containing .ecr.) and uses the ECR credential helper to authenticate via IAM.
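
A minimal sketch of the behaviour described in the PR description above, added here as an illustration and not taken from pkg/imagecache/imagecache.go: a 24-hour digest cache that asks its resolver for ECR authentication only when the reference starts with an ECR registry host. `Cache`, `Resolver`, `IsECR` and the hostname pattern are assumptions; the pattern is anchored on the host and is stricter than the `.ecr.` substring test the description mentions, and the resolver is a stub standing in for the real registry call.

```go
package main

import (
	"fmt"
	"regexp"
	"sync"
	"time"
)

// IsECR anchors on the registry host; assumed form <account>.dkr.ecr[-fips].<region>.amazonaws.com[.cn]/
var ecrRef = regexp.MustCompile(`^[0-9]{12}\.dkr\.ecr(-fips)?\.[a-z0-9-]+\.amazonaws\.com(\.cn)?/`)

func IsECR(image string) bool { return ecrRef.MatchString(image) }

// Resolver stands in for the registry query; useECRAuth selects IAM-based credentials.
type Resolver func(image string, useECRAuth bool) (digest string, err error)

// Cache maps image references to digests and re-resolves entries older than ttl.
type Cache struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry is testable
	resolve Resolver
	digest  map[string]string
	seen    map[string]time.Time
}

func NewCache(ttl time.Duration, now func() time.Time, r Resolver) *Cache {
	return &Cache{ttl: ttl, now: now, resolve: r, digest: map[string]string{}, seen: map[string]time.Time{}}
}

// Get returns a fresh cached digest or resolves it again; failed lookups are not cached.
func (c *Cache) Get(image string) (string, error) {
	c.mu.Lock() // held across the lookup: simple, but serializes resolutions
	defer c.mu.Unlock()
	if at, ok := c.seen[image]; ok && c.now().Sub(at) < c.ttl {
		return c.digest[image], nil
	}
	d, err := c.resolve(image, IsECR(image))
	if err == nil {
		c.digest[image], c.seen[image] = d, c.now()
	}
	return d, err
}

func main() {
	stub := func(string, bool) (string, error) { return "sha256:constructed", nil } // no network
	fmt.Println(NewCache(24*time.Hour, time.Now, stub).Get("123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0"))
}
```

Because failed lookups are not stored, a transient registry or credential error is retried on the next request instead of being pinned for 24 hours.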

@github-actions
Contributor

github-actions Bot commented Feb 5, 2026

Test Results

  5 files  ±0   41 suites  ±0   34m 50s ⏱️ - 2m 41s
282 tests ±0  282 ✅ ±0  0 💤 ±0  0 ❌ ±0 
301 runs  ±0  299 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit 79b996a. ± Comparison against base commit 451a3d4.

@chris-rock chris-rock merged commit 0d2138f into main Feb 5, 2026
23 checks passed
@chris-rock chris-rock deleted the chris-rock/ecr-auth branch February 5, 2026 09:49
@github-actions github-actions Bot locked and limited conversation to collaborators Feb 5, 2026

Development

Successfully merging this pull request may close these issues.

Authentication to ECR with docker ecr helper