Image assurance policy
Apply an image assurance policy to evaluate container images for vulnerabilities, malware, exposed secrets, or other policy violations, and enforce that policy consistently and comprehensively across the build, ship, and run stages of development.
One approach to ensuring that images have passed assurance or compliance checks is to sign the container images, so that the image signature can be checked downstream when the images are deployed to Kubernetes clusters at runtime.
Sub-mitigations
ID | Name |
---|---|
MS-M9005.001 | Gate generated images in CI/CD pipeline |
MS-M9005.002 | Gate images pushed to registries |
MS-M9005.003 | Gate images deployed to Kubernetes cluster |
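As an added example (not part of the original page), the following Python sketch shows the deploy-time gate described above as admission-webhook logic: it rejects pods whose images are referenced by mutable tag rather than digest, and pods whose digest has no assurance attestation. The set of attested digests, the registry name and the request UID are constructed stand-ins; in a real deployment the lookup would be replaced by signature or attestation verification against the registry.

```python
"""Admission gate for 'Gate images deployed to Kubernetes cluster' (MS-M9005.003)."""
import re
from typing import Optional

# Constructed stand-in for a signature/attestation check: digests of images that
# passed the build-stage assurance policy. A production gate would verify a
# signature or attestation from the registry instead of consulting a static set.
ATTESTED_DIGESTS = {
    "sha256:" + "a" * 64,
}

# Accept only image@sha256:<64 hex>; tag-only references are mutable and rejected.
DIGEST_REF = re.compile(r"^(?P<repo>[^@\s]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def evaluate_image(ref: str) -> Optional[str]:
    """Return None if the image reference passes the gate, else a denial reason."""
    m = DIGEST_REF.match(ref)
    if not m:
        return f"{ref}: image must be pinned by digest, not by tag"
    if m.group("digest") not in ATTESTED_DIGESTS:
        return f"{ref}: no assurance attestation found for this digest"
    return None


def review_pod(review: dict) -> dict:
    """Build an AdmissionReview response for a Pod CREATE/UPDATE request."""
    request = review["request"]
    spec = request["object"]["spec"]
    # Init and ephemeral containers run in the pod too, so gate all of them.
    containers = (spec.get("initContainers", []) + spec.get("containers", [])
                  + spec.get("ephemeralContainers", []))
    reasons = [r for c in containers if (r := evaluate_image(c["image"]))]
    response = {"uid": request["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample request: an attested init container plus a tag-only container.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-1", "object": {"kind": "Pod", "spec": {
        "initContainers": [{"name": "init",
                            "image": "registry.example/app@sha256:" + "a" * 64}],
        "containers": [{"name": "web", "image": "registry.example/app:latest"}],
    }}},
}

if __name__ == "__main__":
    print(review_pod(SAMPLE_REVIEW))  # denied: the "web" container uses a tag
```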
Techniques Addressed by Mitigation
ID | Name | Use |
---|---|---|
MS-TA9002 | Compromised image in registry | Ensure that only images that passed the security compliance policies are pushed to registries and deployed to Kubernetes clusters. |
MS-TA9004 | Application vulnerability | Scan images for vulnerabilities |
MS-TA9009 | Application exploit (RCE) | Block vulnerable images |
MS-TA9034 | Cluster internal networking | Avoid deployment of vulnerable applications to the cluster |