Gate images pushed to registries
Place gates in the container registry that prevent the push of, or quarantine, images that do not meet the content trust requirement. Some container registries support gates that block the push itself; others can only quarantine an image after it has already been pushed to the registry. Enforcing the gate at the registry level helps prevent bypass of the gates in the CI/CD pipeline: an image must satisfy the policy to become pullable from the registry regardless of which pipeline or client pushed it.
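The following is an added example, not code from the original page or from any particular registry product. It models both gate modes described above in Go: a registry that either rejects a non-compliant push outright or accepts it and quarantines it so it cannot be pulled. The content trust check is an Ed25519 signature over the SHA-256 manifest digest by a trusted key, standing in for whatever signing scheme the real registry uses (Notary or cosign, for instance); the critical-CVE count stands in for the registry scanner's result. The types `Image`, `Policy`, `Registry` and the sample manifest are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Decision is the registry gate's verdict on a pushed image.
type Decision int

const (
	Allow      Decision = iota // stored and servable
	Reject                     // push refused, nothing stored (pre-push gate)
	Quarantine                 // stored but never served (post-push gate)
)

func (d Decision) String() string { return [...]string{"allow", "reject", "quarantine"}[d] }

// Image is what the registry sees for a pushed tag (constructed model). Signature is the
// trusted key's Ed25519 signature over the SHA-256 manifest digest; CriticalCVEs is the
// registry scanner's count, -1 meaning the scan has not run.
type Image struct {
	Ref          string
	Manifest     []byte
	Signature    []byte
	CriticalCVEs int
}

// Policy is the content trust requirement the gate enforces.
type Policy struct {
	TrustedKey     ed25519.PublicKey
	MaxCritical    int
	QuarantineMode bool // false: block the push; true: accept the push, then quarantine
}

func manifestDigest(manifest []byte) []byte {
	sum := sha256.Sum256(manifest)
	return sum[:]
}

// SignManifest is the build pipeline's side: sign the manifest digest with the trusted key.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifestDigest(manifest))
}

// Evaluate returns the verdict for an image and the reason for a failure.
func (p Policy) Evaluate(img Image) (Decision, string) {
	// ed25519.Verify returns false (no panic) for a missing or malformed signature.
	if !ed25519.Verify(p.TrustedKey, manifestDigest(img.Manifest), img.Signature) {
		return p.fail("manifest not signed by the trusted key")
	}
	if img.CriticalCVEs < 0 {
		return p.fail("no vulnerability scan result")
	}
	if img.CriticalCVEs > p.MaxCritical {
		return p.fail(fmt.Sprintf("%d critical CVEs exceeds limit of %d", img.CriticalCVEs, p.MaxCritical))
	}
	return Allow, "meets content trust policy"
}

func (p Policy) fail(reason string) (Decision, string) {
	if p.QuarantineMode {
		return Quarantine, reason
	}
	return Reject, reason
}

// Registry applies the gate on every push and refuses to serve quarantined images.
type Registry struct {
	policy      Policy
	stored      map[string]Image
	quarantined map[string]string // ref -> reason
}

func NewRegistry(p Policy) *Registry {
	return &Registry{policy: p, stored: map[string]Image{}, quarantined: map[string]string{}}
}

// Push gates the image whoever pushed it, so a pipeline whose own checks were
// skipped still cannot land a non-compliant image as a pullable tag.
func (r *Registry) Push(img Image) (Decision, string) {
	d, reason := r.policy.Evaluate(img)
	switch d {
	case Allow:
		r.stored[img.Ref] = img
	case Quarantine:
		r.stored[img.Ref] = img
		r.quarantined[img.Ref] = reason
	}
	return d, reason
}

// Pull serves an image only if it was stored and is not quarantined.
func (r *Registry) Pull(ref string) (Image, error) {
	img, ok := r.stored[ref]
	if !ok {
		return Image{}, fmt.Errorf("%s: not found", ref)
	}
	if reason, q := r.quarantined[ref]; q {
		return Image{}, fmt.Errorf("%s: quarantined: %s", ref, reason)
	}
	return img, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	manifest := []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json"}`) // constructed
	images := []Image{
		{Ref: "app:1.0", Manifest: manifest, Signature: SignManifest(priv, manifest), CriticalCVEs: 0},
		{Ref: "app:1.1", Manifest: manifest, CriticalCVEs: 0},                                            // never signed
		{Ref: "app:1.2", Manifest: manifest, Signature: SignManifest(priv, manifest), CriticalCVEs: 2}, // signed but vulnerable
	}
	for _, mode := range []bool{false, true} {
		reg := NewRegistry(Policy{TrustedKey: pub, MaxCritical: 0, QuarantineMode: mode})
		fmt.Printf("quarantine mode: %v\n", mode)
		for _, img := range images {
			d, reason := reg.Push(img)
			_, pullErr := reg.Pull(img.Ref)
			fmt.Printf("  push %-8s -> %-10s (%s); pullable: %v\n", img.Ref, d, reason, pullErr == nil)
		}
	}
}
```

In block mode the unsigned and vulnerable images are never stored; in quarantine mode they are stored but `Pull` refuses them, which is the property that matters for a Kubernetes node trying to run the image. A signature copied from one manifest onto a modified one fails verification because the digest differs, so tampering between build and push is caught as well.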
Techniques Addressed by Mitigation
| ID | Name | Use |
|---|---|---|
| MS-TA9002 | Compromised image in registry | Ensure that only images that passed the security compliance policies are pushed to registries and deployed to Kubernetes clusters. |
| MS-TA9004 | Application vulnerability | Scan images for vulnerabilities. |
| MS-TA9009 | Application exploit (RCE) | Block vulnerable images. |