Container Registry Security
Cloud Security
Definition
Security controls for container image registries including vulnerability scanning, image signing, access control enforcement, and provenance verification to prevent distribution of malicious or compromised container images.
Technical Details
Container registries (Docker Hub, Amazon ECR, GCR, Harbor) are critical supply chain control points. Security controls include: continuous vulnerability scanning of stored images, Notary-based or Sigstore/Cosign image signing for provenance, admission controllers (OPA Gatekeeper, Kyverno) that reject unsigned or vulnerable images at deployment time, and access control policies limiting who can push to production registries.
Practical Usage
Platform security teams should enforce signed-image-only admission policies in Kubernetes clusters, integrate registry scanning into CI pipelines to block critical-severity CVE images, and implement private registries with fine-grained push/pull ACLs. Public base images should be mirrored and scanned before use rather than pulled directly from Docker Hub.
Examples
- Cosign signs a container image with a Sigstore keyless signature tied to the CI/CD OIDC identity, verifiable at deployment.
- An OPA Gatekeeper policy rejects Kubernetes deployments referencing images with CVSS 9.0+ vulnerabilities.
- A cryptomining campaign compromises popular Docker Hub images by pushing modified versions with backdoors to public repositories.
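The admission decision described under Practical Usage and in the first two examples (approved private registry, signature from the CI identity, no CVSS 9.0+ finding), as an added Python example that is not part of the original page. The registry name, OIDC issuer and subject prefix are hypothetical, the `signatures` and `scans` inputs stand in for results already produced by Cosign verification and a registry scanner, and the digest-pinning requirement is an added assumption so that those results bind to exact image content.

```python
# Added example: admission-style policy check. Registry names, identities and
# scan data are constructed; signature data is assumed already verified.
ALLOWED_REGISTRIES = {"registry.internal.example"}       # hypothetical private mirror
TRUSTED_ISSUER = "https://oidc.ci.example"               # hypothetical CI OIDC issuer
TRUSTED_SUBJECT_PREFIX = "https://ci.example/org/"       # hypothetical CI identity
MAX_CVSS = 9.0                                           # reject 9.0 and above


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    ref, _, digest = ref.partition("@")
    digest = digest or None
    first, _, rest = ref.partition("/")
    # Docker's rule: the first component is a registry host only if it has a
    # '.' or ':' or is 'localhost'; otherwise the image comes from Docker Hub.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    last = path.rsplit("/", 1)[-1]
    if ":" in last:
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return registry, path, tag, digest


def admit(ref, signatures, scans):
    """Return (allowed, reasons). signatures/scans are keyed by image digest."""
    registry, _, _, digest = parse_image(ref)
    reasons = []
    if registry not in ALLOWED_REGISTRIES:
        reasons.append(f"registry {registry} is not an approved private registry")
    if digest is None:
        reasons.append("image is not pinned by digest")
        return False, reasons  # signature and scan data are per-digest
    sig = signatures.get(digest)
    if not (sig and sig["issuer"] == TRUSTED_ISSUER
            and sig["subject"].startswith(TRUSTED_SUBJECT_PREFIX)):
        reasons.append("no signature from the trusted CI identity")
    if digest not in scans:
        reasons.append("no scan result for this digest")
    elif max(scans[digest], default=0.0) >= MAX_CVSS:
        reasons.append(f"vulnerability with CVSS >= {MAX_CVSS} present")
    return not reasons, reasons
```

An image with no scan record is rejected rather than admitted, so a scanner outage fails closed.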