
Use container image quarantine pattern

Security · Container Registry · Rule · Preview · 2020_12 · Important

Enable container image quarantine, scan, and mark images as verified.

Description

Image quarantine is a configurable option for Azure Container Registry (ACR). When enabled, images pushed to the container registry are not available by default. Each image must be verified and marked as Passed before it is available to pull.

To verify container images, integrate with an external security tool that supports this feature.
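The hand-off described above, the point where an external scanner marks an image as Passed so it leaves quarantine, as an added example in Python. This is not code from PSRule for Azure or from Azure. It assumes (the page does not state this) that the ACR data-plane endpoint `PATCH https://<registry>.azurecr.io/acr/v1/<repository>/_manifests/<digest>` accepts a JSON body carrying `quarantineState` and `quarantineDetails`, and that the caller holds a bearer token authorised to change quarantine state. Registry, repository, digest and report URL values are constructed.

```python
"""Mark a quarantined ACR image as verified after an external scan.

Added example, not PSRule for Azure's or Azure's own code. Assumed (not on the
page): the ACR data-plane endpoint
  PATCH https://<registry>.azurecr.io/acr/v1/<repository>/_manifests/<digest>
takes a JSON body with "quarantineState" and "quarantineDetails", and the
caller supplies a bearer token allowed to change quarantine state. Nothing is
sent over the network unless send_release() is called explicitly.
"""
import json
import re
import urllib.request

# Release by content digest, never by tag: the verification must bind to the
# exact bytes that were scanned, and a tag can later be re-pointed at an
# image that was never scanned.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# ACR registry names are 5-50 alphanumeric characters.
REGISTRY_RE = re.compile(r"^[A-Za-z0-9]{5,50}$")


def build_release_request(registry, repository, digest, report_url):
    """Return the PATCH request (method, url, body) that marks <digest> as Passed."""
    if not REGISTRY_RE.match(registry):
        raise ValueError(f"unexpected registry name: {registry!r}")
    if not DIGEST_RE.match(digest):
        raise ValueError("release by digest (sha256:<64 hex>), not by tag")
    # Free-form evidence the registry stores alongside the image (assumed shape):
    # where the scan report lives, so an auditor can trace why it was released.
    details = {"state": "scan passed", "link": report_url}
    return {
        "method": "PATCH",
        "url": (f"https://{registry.lower()}.azurecr.io/acr/v1/"
                f"{repository}/_manifests/{digest}"),
        "body": {
            "quarantineState": "Passed",               # state named on the page
            "quarantineDetails": json.dumps(details),  # assumed: JSON in a string
        },
    }


def send_release(request_spec, bearer_token, timeout=10):
    """Send a request built by build_release_request(); return the HTTP status."""
    req = urllib.request.Request(
        request_spec["url"],
        data=json.dumps(request_spec["body"]).encode("utf-8"),
        method=request_spec["method"],
        headers={
            "Authorization": f"Bearer {bearer_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed values for illustration only; no request is sent here.
    spec = build_release_request(
        "contosoregistry", "app/web", "sha256:" + "ab" * 32,
        "https://scanner.example/reports/1234",
    )
    print(spec["method"], spec["url"])
    print(json.dumps(spec["body"], indent=2))
```

The release call is the privileged step in this pattern: whichever identity the scanner uses to send it is the identity that decides what becomes pullable, so it should be a dedicated principal with no other registry rights, and its requests should be logged alongside the scan report they reference.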

Recommendation

Consider configuring a security tool to implement the image quarantine pattern. Enable image quarantine on the container registry to ensure each image is verified before use.

Examples

Configure with Azure template

To deploy Container Registries that pass this rule:

  • Set properties.policies.quarantinePolicy.status to enabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-01-01-preview",
  "name": "[parameters('registryName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      },
      "trustPolicy": {
        "status": "enabled",
        "type": "Notary"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      },
      "softDeletePolicy": {
        "retentionDays": 90,
        "status": "enabled"
      }
    }
  }
}

Configure with Bicep

To deploy Container Registries that pass this rule:

  • Set properties.policies.quarantinePolicy.status to enabled.

For example:

Azure Bicep snippet
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
  name: registryName
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
      softDeletePolicy: {
        retentionDays: 90
        status: 'enabled'
      }
    }
  }
}
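The check the two snippets above are meant to satisfy, applied to an ARM template in Python, as an added example. This is not PSRule for Azure's own rule implementation; it walks every `Microsoft.ContainerRegistry/registries` resource, reads `properties.policies.quarantinePolicy.status`, and reports pass or fail, including the cases a template linter has to handle: a missing `policies` block, an explicit `disabled`, and different letter case in the value. The sample template is constructed, with its first registry modelled on the page's snippet.

```python
"""Audit ARM template registries for the quarantine policy this rule requires.

Added example, not PSRule for Azure's code. Sample input below is constructed.
"""
import json

REGISTRY_TYPE = "microsoft.containerregistry/registries"


def quarantine_status(resource):
    """Return properties.policies.quarantinePolicy.status, or None if any level is absent."""
    props = resource.get("properties") or {}
    policies = props.get("policies") or {}
    policy = policies.get("quarantinePolicy") or {}
    return policy.get("status")


def audit_registries(template):
    """One finding per registry resource: name, observed status, pass/fail.

    Resources of other types are ignored. The status comparison is
    case-insensitive so "Enabled" is not reported as a failure; an absent
    value is a failure because quarantine is off unless explicitly enabled.
    """
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != REGISTRY_TYPE:
            continue
        status = quarantine_status(res)
        findings.append({
            "name": res.get("name"),
            "status": status,
            "pass": isinstance(status, str) and status.lower() == "enabled",
        })
    return findings


def failing_registries(template):
    """Names of registry resources that do not enable quarantine."""
    return [f["name"] for f in audit_registries(template) if not f["pass"]]


# Constructed template: one registry as on the page, one with quarantine
# disabled, one with no policies block at all, plus an unrelated resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.ContainerRegistry/registries",
      "apiVersion": "2023-01-01-preview",
      "name": "[parameters('registryName')]",
      "sku": { "name": "Premium" },
      "properties": {
        "adminUserEnabled": false,
        "policies": { "quarantinePolicy": { "status": "Enabled" } }
      }
    },
    {
      "type": "Microsoft.ContainerRegistry/registries",
      "apiVersion": "2023-01-01-preview",
      "name": "acr-disabled",
      "sku": { "name": "Premium" },
      "properties": {
        "policies": { "quarantinePolicy": { "status": "disabled" } }
      }
    },
    {
      "type": "Microsoft.ContainerRegistry/registries",
      "apiVersion": "2023-01-01-preview",
      "name": "acr-nopolicy",
      "sku": { "name": "Basic" },
      "properties": { "adminUserEnabled": false }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "unrelatedstorage",
      "properties": {}
    }
  ]
}
""")


if __name__ == "__main__":
    for finding in audit_registries(SAMPLE_TEMPLATE):
        verdict = "PASS" if finding["pass"] else "FAIL"
        print(f"{verdict} {finding['name']}: quarantinePolicy.status={finding['status']!r}")
```

Run it against a real template with `audit_registries(json.load(open("template.json")))`; only the third case above (no `policies` block) is the one most often missed by hand review, because the resource looks complete and deploys without error.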

Notes

Image quarantine for Azure Container Registry is currently in preview.
