Use container image quarantine pattern
March 21, 2025 ยท View on GitHub
SYNOPSIS
Enable container image quarantine, scan, and mark images as verified.
DESCRIPTION
Image quarantine is a configurable option for Azure Container Registry (ACR).
When enabled, images pushed to the container registry are not available by default.
Each image must be verified and marked as Passed before it is available to pull.
To verify container images, integrate with an external security tool that supports this feature.
RECOMMENDATION
Consider configuring a security tool to implement the image quarantine pattern. Enable image quarantine on the container registry to ensure each image is verified before use.
EXAMPLES
Configure with Azure template
To deploy Container Registries that pass this rule:
- Set
properties.quarantinePolicy.statustoenabled.
For example:
{
"type": "Microsoft.ContainerRegistry/registries",
"apiVersion": "2023-01-01-preview",
"name": "[parameters('registryName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Premium"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"adminUserEnabled": false,
"policies": {
"quarantinePolicy": {
"status": "enabled"
},
"trustPolicy": {
"status": "enabled",
"type": "Notary"
},
"retentionPolicy": {
"days": 30,
"status": "enabled"
},
"softDeletePolicy": {
"retentionDays": 90,
"status": "enabled"
}
}
}
}
Configure with Bicep
To deploy Container Registries that pass this rule:
- Set
properties.quarantinePolicy.statustoenabled.
For example:
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
name: registryName
location: location
sku: {
name: 'Premium'
}
identity: {
type: 'SystemAssigned'
}
properties: {
adminUserEnabled: false
policies: {
quarantinePolicy: {
status: 'enabled'
}
trustPolicy: {
status: 'enabled'
type: 'Notary'
}
retentionPolicy: {
days: 30
status: 'enabled'
}
softDeletePolicy: {
retentionDays: 90
status: 'enabled'
}
}
}
}
NOTES
Image quarantine for Azure Container Registry is currently in preview.