Skip to content

Use trusted container images#

Security · Container Registry · Azure.ACR.ContentTrust

Use container images signed by a trusted image publisher.

Description#

Azure Container Registry (ACR) content trust enables pushing and pulling of signed images. Signed images provides additional assurance that they have been built on a trusted source.

Recommendation#

Consider enabling content trust on registries, clients, and sign container images.

Examples#

Configure with Azure template#

To deploy Container Registries that pass this rule:

  • Set properties.trustPolicy.status to enabled.
  • Set properties.trustPolicy.type to Notary.

For example:

{
    "type": "Microsoft.ContainerRegistry/registries",
    "apiVersion": "2021-06-01-preview",
    "name": "[parameters('registryName')]",
    "location": "[parameters('location')]",
    "sku": {
        "name": "Premium"
    },
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "adminUserEnabled": false,
        "policies": {
            "quarantinePolicy": {
                "status": "enabled"
            },
            "trustPolicy": {
                "status": "enabled",
                "type": "Notary"
            },
            "retentionPolicy": {
                "status": "enabled",
                "days": 30
            }
        }
    }
}

Configure with Bicep#

To deploy Container Registries that pass this rule:

  • Set properties.trustPolicy.status to enabled.
  • Set properties.trustPolicy.type to Notary.

For example:

resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = {
  name: registryName
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        status: 'enabled'
        days: 30
      }
    }
  }
}

Last update: 2022-01-19