Skip to content

Gate images pushed to registries


ID: MS-M9005.002
Sub-mitigation of: MS-M9005 MITRE mitigation: M1016, M1045

Placing gates in the container registry to prevent pushing or quarantine images that does not meet the content trust requirement. Some container registries can support gates that will prevent pushing images, while others might quarantine images after they were already push to the registry. Ensuring that gates exists at the registry level can help preventing bypass of gates at the CI/CD pipelines level.

Techniques Addressed by Mitigation

ID Name Use
MS-TA9002 Compromised image in registry Ensure that only images that passed the security compliance policies are pushed to registries and deployed to Kubernetes clusters.
MS-TA9004 Application vulnerability Scan images for vulnerabilities
MS-TA9009 Application exploit (RCE) Block vulnerable images