Securing Container Registry Images

When to Use

  • When establishing security controls for container image registries (ECR, ACR, GCR, Docker Hub)
  • When building CI/CD pipelines that enforce vulnerability scanning before image promotion
  • When implementing image signing and verification to prevent supply chain attacks
  • When auditing existing registries for vulnerable, unscanned, or unsigned images
  • When compliance requires software bill of materials (SBOM) for deployed container images

Do not use for runtime container security (use Falco or Sysdig), for Kubernetes admission control (use OPA Gatekeeper or Kyverno after establishing registry controls), or for host-level vulnerability scanning (use Amazon Inspector or Qualys).

Prerequisites

  • Trivy installed (brew install trivy or apt install trivy)
  • Grype installed (curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh)
  • Cosign installed for image signing (go install github.com/sigstore/cosign/v2/cmd/cosign@latest)
  • Syft installed for SBOM generation (curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh)
  • Container registry access (ECR, ACR, GCR, or private registry)

First seen: Mar 15, 2026