# Use trusted container images

Security · Container Registry · Rule · 2020_12 · Important

Use container images signed by a trusted image publisher.

## Description

Azure Container Registry (ACR) content trust enables pushing and pulling of signed images. Signed images provide additional assurance that they have been built from a trusted source.

To enable content trust, the container registry must be using a Premium SKU.

Content trust is currently not supported in a registry that is encrypted with a customer-managed key. When using customer-managed keys, content trust cannot be enabled.

## Recommendation

Consider enabling content trust on registries and clients, and signing container images.
## Examples

### Configure with Azure template

To deploy registries that pass this rule:

- Set `properties.trustPolicy.status` to `enabled`.
- Set `properties.trustPolicy.type` to `Notary`.

For example:
```json
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-08-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "policies": {
      "trustPolicy": {
        "status": "enabled",
        "type": "Notary"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      }
    }
  }
}
```
### Configure with Bicep

To deploy registries that pass this rule:

- Set `properties.trustPolicy.status` to `enabled`.
- Set `properties.trustPolicy.type` to `Notary`.

For example:
```bicep
resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
    }
  }
}
```
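The Azure template and Bicep examples above both compile to the same ARM resource shape, so a pre-deployment check can evaluate them uniformly. The following is an added example, not PSRule's own rule implementation, that walks the `resources` of an ARM template and reports, per registry, the conditions this page describes: the Premium SKU prerequisite, `trustPolicy.status` / `trustPolicy.type` under `properties.policies` (the path used by the JSON example above), and the customer-managed-key conflict. The `properties.encryption.status` path used for the CMK check and the sample template resources are assumptions constructed for the example.

```python
import json

# Constructed sample ARM template (not from the page): one compliant registry,
# one on a non-Premium SKU, one with a customer-managed key and trust disabled,
# plus an unrelated resource type that the check must ignore.
SAMPLE_TEMPLATE = json.loads(r'''
{
  "resources": [
    {
      "type": "Microsoft.ContainerRegistry/registries",
      "name": "acr-compliant",
      "sku": {"name": "Premium"},
      "properties": {
        "adminUserEnabled": false,
        "policies": {"trustPolicy": {"status": "enabled", "type": "Notary"}}
      }
    },
    {
      "type": "Microsoft.ContainerRegistry/registries",
      "name": "acr-basic",
      "sku": {"name": "Basic"},
      "properties": {"policies": {"trustPolicy": {"status": "enabled", "type": "Notary"}}}
    },
    {
      "type": "Microsoft.ContainerRegistry/registries",
      "name": "acr-cmk",
      "sku": {"name": "Premium"},
      "properties": {
        "encryption": {"status": "enabled"},
        "policies": {"trustPolicy": {"status": "disabled", "type": "Notary"}}
      }
    },
    {"type": "Microsoft.Storage/storageAccounts", "name": "ignored"}
  ]
}
''')


def _get(obj, path, default=None):
    """Walk a dotted path through nested dicts; return default if any step is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def check_content_trust(resource):
    """Return a list of findings for one registry resource; an empty list means it passes."""
    findings = []

    # Prerequisite: content trust is only available on the Premium SKU.
    sku = str(_get(resource, "sku.name", "")).lower()
    if sku != "premium":
        findings.append(f"sku.name is '{sku or 'unset'}'; content trust requires Premium")

    # The rule itself: trust policy enabled and of type Notary.
    status = str(_get(resource, "properties.policies.trustPolicy.status", "")).lower()
    if status != "enabled":
        findings.append("properties.policies.trustPolicy.status is not 'enabled'")
    if _get(resource, "properties.policies.trustPolicy.type") != "Notary":
        findings.append("properties.policies.trustPolicy.type is not 'Notary'")

    # Caveat from the description: a CMK-encrypted registry cannot enable content trust.
    # 'properties.encryption.status' is the assumed property path for CMK encryption.
    if str(_get(resource, "properties.encryption.status", "")).lower() == "enabled":
        findings.append("properties.encryption.status is 'enabled'; content trust cannot "
                        "be enabled on a registry encrypted with a customer-managed key")
    return findings


def evaluate_template(template):
    """Evaluate every container registry in an ARM template; returns {name: findings}."""
    results = {}
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != "microsoft.containerregistry/registries":
            continue
        results[res["name"]] = check_content_trust(res)
    return results


if __name__ == "__main__":
    for name, findings in evaluate_template(SAMPLE_TEMPLATE).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("  - " + finding)
```

Run the script against an exported template to get one line per registry; a registry passes only when no finding is emitted, and the CMK finding is reported separately so that the remediation (remove the customer-managed key or accept that content trust stays off) is visible rather than hidden behind a generic failure.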
### Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

For example:

To use the latest version:

## Links

- SE:02 Secured development lifecycle
- Content trust in Azure Container Registry
- Content trust in Docker
- Overview of customer-managed keys
- Azure deployment reference