Are container images scanned, signed, and pulled from a controlled registry?
Description
What this control does
This control ensures that container images used in production and non-production environments are scanned for vulnerabilities before deployment, cryptographically signed by trusted parties to verify authenticity and integrity, and retrieved exclusively from organization-approved registries. Image scanning detects known vulnerabilities (CVEs), malware, misconfigurations, and embedded secrets before runtime. Signing prevents tampering and impersonation attacks by validating image provenance. Registry control enforces policy-based gatekeeping, preventing the use of untrusted or public images that bypass security vetting.
Control objective
What auditing this proves
Demonstrate that the organization enforces mandatory vulnerability scanning, cryptographic signing, and controlled registry sourcing for all container images deployed to orchestration platforms.
Associated risks
Risks this control addresses
- Deployment of container images containing known CVEs or unpatched vulnerabilities exploitable at runtime
- Execution of malicious or backdoored images substituted by attackers compromising public or uncontrolled registries
- Introduction of embedded secrets, API keys, or credentials hardcoded in image layers leading to lateral movement
- Bypass of security controls through developer use of unapproved public registries (e.g., Docker Hub) without vetting
- Supply chain compromise via unsigned images whose provenance and integrity cannot be verified
- Configuration drift and compliance violations due to untracked or unaudited image sources
- Runtime exploitation of container escape vulnerabilities present in base images or application dependencies
Testing procedure
How an auditor verifies this control
- Obtain the organization's container image management policy and approved registry whitelist documentation.
- Review the configuration of the container orchestration platform (e.g., Kubernetes admission controllers, Docker Content Trust settings) to confirm enforcement of image signature verification.
- Inspect the CI/CD pipeline configuration to identify all stages where image scanning is mandated (e.g., pre-build, pre-push, pre-deployment).
- Select a representative sample of five to ten container images currently deployed in production environments.
- For each sampled image, retrieve scan results from the vulnerability scanning tool (e.g., Trivy, Aqua, Twistlock) showing CVE identification, severity ratings, and scan timestamps.
- Verify cryptographic signatures for each sampled image using registry tooling or CLI commands (e.g., cosign verify, docker trust inspect) and confirm signing keys are controlled by authorized personnel.
- Query orchestration platform logs or admission controller audit logs to confirm rejected pull attempts from unapproved registries within the past 90 days.
- Attempt to deploy an unsigned or unscanned test image from a non-approved registry to validate enforcement mechanisms block the operation.
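One way to support the sampling and registry checks above is an added example, not part of the original control text: it reads pod JSON of the shape produced by `kubectl get pods --all-namespaces -o json` and lists containers whose image does not come from an approved registry. The registry names, the pod data, and the function names are constructed for illustration; the tag-only check goes beyond the listed steps and is included because scan results and signatures are tied to a specific image digest.

```python
import json

# Assumption: in practice this set is copied from the approved-registry policy document.
APPROVED_REGISTRIES = {"registry.example.internal", "registry.example.internal:5000"}

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "api"},
     "spec": {"containers": [
         {"name": "api", "image": "registry.example.internal/team/api@sha256:" + "a" * 64}]}},
    {"metadata": {"namespace": "prod", "name": "web"},
     "spec": {"initContainers": [{"name": "init", "image": "busybox"}],
              "containers": [
                  {"name": "web", "image": "registry.example.internal:5000/team/web:1.4"}]}},
    {"metadata": {"namespace": "dev", "name": "tool"},
     "spec": {"containers": [{"name": "tool", "image": "ghcr.io/someorg/tool:latest"}]}},
]})


def registry_of(image_ref: str) -> str:
    """Return the registry host of an image reference.

    Docker's rule: the first path component names a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise the image is pulled
    from Docker Hub (docker.io), even though the reference never says so.
    """
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def audit_pods(pod_list_json: str, approved=APPROVED_REGISTRIES):
    """Return (namespace, pod, container, image, reason) for each finding."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        # Init containers pull images too and are easy to overlook in a sample.
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            image, reg = c["image"], registry_of(c["image"])
            if reg not in approved:
                reason = f"unapproved registry {reg}"
            elif "@sha256:" not in image:
                reason = "tag only, not pinned by digest"
            else:
                continue
            findings.append((meta["namespace"], meta["name"], c["name"], image, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_pods(SAMPLE_POD_LIST):
        print(finding)
```

Images that pass this check are the ones to carry forward into the scan-result and signature verification steps.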