Image assurance policy


ID: MS-M9005
MITRE mitigation: M1016, M1045

Apply an image assurance policy to evaluate container images against vulnerabilities, malware, exposed secrets or other policies, and enforce that policy consistently and comprehensively across the build, ship and run stages of the development lifecycle.

One approach to ensuring that images pass assurance or compliance checks is to sign the container images, so that the image signature can be checked downstream when deploying to Kubernetes clusters at runtime.
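As an added example (not part of this page or the threat matrix itself), the following Kyverno ClusterPolicy enforces the downstream check described above: at admission time, every Pod image from the organisation's registry must carry a valid cosign signature made with the organisation's key, and passing images are pinned to the verified digest. The registry prefix and the public key are placeholders.

```yaml
# Added example: Kyverno admission policy that rejects Pods whose images are
# not signed with the organisation's cosign key. The registry prefix and the
# public key are placeholders to be replaced with real values.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  validationFailureAction: Enforce   # block unsigned images instead of only auditing them
  background: false                  # evaluate at admission time, not against existing resources
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"   # placeholder: images from the trusted registry
          required: true                 # every matching image needs a valid signature
          mutateDigest: true             # replace the tag with the verified digest
          verifyDigest: true             # the pod then runs exactly what was checked
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <placeholder: PEM-encoded cosign public key>
                      -----END PUBLIC KEY-----
```

With this policy applied, a Pod referencing an image under the placeholder registry that was never signed with the key (or whose signature does not verify) is refused by the admission webhook, so an image that bypassed the build-stage checks cannot run.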

Techniques Addressed by Mitigation

ID        | Name                           | Use
MS-TA9002 | Compromised image in registry  | Ensure that only images that passed the security compliance policies are pushed to registries and deployed to Kubernetes clusters.
MS-TA9004 | Application vulnerability      | Scan images for vulnerabilities.
MS-TA9009 | Application exploit (RCE)      | Block vulnerable images.
MS-TA9034 | Cluster internal networking    | Avoid deployment of vulnerable applications to the cluster.