Container registry image/tag protection - possible point of failure


GitLab provides a way to have protected branches and protected environment variables, so unauthorized users cannot just create a pull request, trigger a job and compromise the deployment environment variables (trivial example, but you get the point).

Is there a similar thing for the container registry?
What if I only want CI jobs that are on master branch to be able to push images to the root image?
I have not tested yet, but is this protected?

Because if it is not, it seems like a very nice point of failure from a security point of view.
One could just create a PR that modifies the CI definition file, builds an image with malicious code and pushes it to the registry.
I hope I’m incorrect about this, but at the moment I’m rather concerned.

I’d appreciate any input on this.

Hi @aljaxus,
no, such a feature is not implemented yet, and your concerns are valid. You can follow Identify container images as protected to prevent accidental deletion/updates (#18984) · Issues · GitLab.org / GitLab · GitLab for details.