Container registry image/tag protection - possible point of failure

Container registry image/tag protection

Gitlab provides a way for having protected branches and protected environment variables, so unauthorized users can not just create a pull request, trigger a job and compromise the deployment environment variables (trivial example, but you get the point)

Is there a similar thing for container registry?
What if I only want CI jobs that are on master branch to be able to push images to the root image?
I have not tested yet, but is this protected?

because if it is not, it seems like a very nice point of failure from the security point of view.
One could just create a PR that modified the CI definition file, build an image with malicious code and push it to the registry.
I hope I’m incorrect about this, but at the moment I’m rather concerned.

I’d appreciate any input on this.

Hi @aljaxus
no, such feature is not implemented, yet. And your concerns are valid. You can follow Identify container images as protected to prevent accidental deletion/updates (#18984) · Issues · / GitLab · GitLab for details.

1 Like