Container Registry anonymous pull access is enabled

March 21, 2025 ยท View on GitHub

SYNOPSIS

Anonymous pull access allows unidentified downloading of images and metadata from a container registry.

DESCRIPTION

By default, Azure Container Registry (ACR) requires you to be authorized before you push or pull content from the registry. When anonymous pull access is enabled:

  • Any client with network access can pull content from the entire registry without authorization.
  • Repository-scoped tokens can not be used to limit pull access, tokens will be able to pull all content.

RECOMMENDATION

Consider disabling anonymous pull access in scenarios that require user authentication.

EXAMPLES

Configure with Azure template

To deploy registries that pass this rule:

  • Set the properties.anonymousPullEnabled property to false.

For example:

{
  "type": "Microsoft.ContainerRegistry/registries",
  "apiVersion": "2023-11-01-preview",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Premium"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "adminUserEnabled": false,
    "anonymousPullEnabled": false,
    "policies": {
      "quarantinePolicy": {
        "status": "enabled"
      },
      "trustPolicy": {
        "status": "enabled",
        "type": "Notary"
      },
      "retentionPolicy": {
        "days": 30,
        "status": "enabled"
      },
      "softDeletePolicy": {
        "retentionDays": 90,
        "status": "enabled"
      }
    }
  }
}

Configure with Bicep

To deploy registries that pass this rule:

  • Set the properties.anonymousPullEnabled property to false.

For example:

resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' = {
  name: name
  location: location
  sku: {
    name: 'Premium'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    adminUserEnabled: false
    anonymousPullEnabled: false
    policies: {
      quarantinePolicy: {
        status: 'enabled'
      }
      trustPolicy: {
        status: 'enabled'
        type: 'Notary'
      }
      retentionPolicy: {
        days: 30
        status: 'enabled'
      }
      softDeletePolicy: {
        retentionDays: 90
        status: 'enabled'
      }
    }
  }
}

Configure with Azure CLI

To configure registries that pass this rule:

az acr update  -n '<name>' -g '<resource_group>' --anonymous-pull-enabled false

Configure with Azure Policy

To address this issue at runtime use the following policies:

NOTES

Anonymous pull access is only available in the Standard and Premium service tiers.

This rule may generate false positives in specific scenarios where to intend to distribute OCI content to Internet users. For example: You are a software vendor and intend to distribute container images of your software to customers.