Safeguard
Container Security

Why Container Registries Are an Underexamined Supply Chai...

Registries decide what code actually runs in production, yet most security programs treat them as passive storage. Here's why that's a costly blind spot.

Karan Patel
Cloud Security Engineer
6 min read

Every time a Kubernetes cluster schedules a pod, a CI runner builds a stage, or a developer types docker pull, a container registry makes the final decision about what code actually reaches production. That makes registries one of the highest-leverage points in the entire software supply chain — and one of the least scrutinized. In April 2019, Docker Hub disclosed a breach affecting roughly 190,000 accounts, exposing tokens tied to GitHub and Bitbucket autobuild repositories. In October 2021, the industry disclosed CVE-2021-41190, a flaw in how registries and container runtimes parsed OCI image manifests that let attackers make a registry's access checks and a runtime's actual pull resolve to different content. Meanwhile, most security programs pour their budget into scanning source repos and CI pipelines while treating the registry as a passive storage bucket. It isn't passive. It is the last mile before untrusted bytes execute, and it deserves the same scrutiny as everything upstream of it.

Why Do Registries Matter More Than the Code They Store?

Because a registry is the single distribution point that every downstream consumer trusts implicitly, so compromising it compromises everything built from it, not just one project. A source code repository compromise is bounded — it affects the people who pull that specific repo. A registry compromise is multiplicative. If forty internal microservices all build FROM company/python-base:3.11, and that one layer is swapped for a poisoned version, all forty services inherit the change on their next rebuild — with no pull request, no code review, and often no commit at all. This is structurally identical to the risk that npm and PyPI created for application dependencies, except container images carry an entire operating system's worth of trust surface: base OS packages, language runtimes, system libraries, and whatever the base image's own maintainers pulled in. A single upstream base image can sit transitively beneath thousands of production workloads, which is exactly why registries function as chokepoints rather than mere file stores.

What Happened in the Docker Hub Cryptomining Incidents?

In 2018, security researchers found that a Docker Hub publisher account had distributed 17 images that were collectively pulled more than 5 million times and had mined an estimated $90,000 in Monero before being taken down. The images looked ordinary — generic names, plausible descriptions — and Docker Hub at the time did not require any content review before publication. Pull count and account activity were the only signals most users had to go on, and both are trivial for an attacker to inflate or fake. The images reportedly sat live for close to a year, quietly accumulating pulls, before anyone examined what was actually inside the layers. That gap between publication and detection is the recurring pattern in registry-based attacks: the compromise doesn't need to be sophisticated if nobody is looking at the artifact itself.

How Did CVE-2021-41190 Undermine Registry Trust Models?

CVE-2021-41190 mattered because it broke the assumption that a registry's access decision and a runtime's pull decision would always agree on what content a tag actually pointed to. The underlying issue was an ambiguity in the OCI Image Manifest and Manifest List specification: a "fat manifest" could be constructed so that different clients — the registry enforcing authorization, versus containerd, CRI-O, Podman, or Docker Engine actually retrieving the image — parsed it differently and resolved to different underlying content. In practice, that meant an attacker could get a registry to authorize a request for one artifact while the runtime silently fetched another. It was fixed by tightening how implementations validate manifest media types, but the disclosure in October 2021 was a clear signal: registry security isn't just about who can push and pull, it's about whether every component in the pull path agrees on what "the image" actually is.

Why Are Exposed Registries Still Common Today?

Because private registries are frequently deployed without authentication, and the internet is scanned aggressively enough that misconfigurations get found and abused within hours, not weeks. Since roughly 2020, the cryptojacking worm known as Team TNT has specifically targeted exposed Docker daemon APIs and open registries, deploying miners and harvesting cloud credentials from any instance it can reach — research from Aqua Security and Trend Micro has tracked its campaigns evolving for years, not fading after initial coverage. Shodan-style internet scans have repeatedly turned up thousands of Docker daemons and private registries reachable with no authentication at all, often stood up quickly for a demo or an internal tool and never locked down. Unlike a public cloud storage bucket, which most engineering teams now know to check, an exposed registry doesn't look dangerous in a dashboard — it looks like infrastructure doing its job, right up until someone pulls from it.

What Makes a Registry Compromise Harder to Detect Than a Source Compromise?

Mutable tags. A tag like :latest or :prod can be silently repointed to an entirely new digest with zero corresponding commit, pull request, or code review — the audit trail that exists for source code simply doesn't exist by default for what's actually running. Imagine payments-api:prod gets repointed to a new SHA256 digest at 2 a.m. with no commits merged that day; git history shows nothing changed, CI shows no new build, yet the next deployment pulls different bytes than the ones that were last reviewed. Image caching compounds this: a node that already has a layer cached may keep serving stale (or, worse, selectively different) content depending on when it last pulled, so the same tag can mean different things across a fleet at the same moment in time. Source control gives you a diff. A mutable registry tag, on its own, gives you nothing to diff against.

How Safeguard Helps

Safeguard treats the registry as first-class supply chain surface rather than a trusted black box sitting downstream of the pipeline. That means continuously scanning every image pushed to Docker Hub, ECR, GCR, ACR, GHCR, or self-hosted registries like Harbor and Artifactory for known CVEs and malicious content, and re-scanning existing images as new vulnerabilities are disclosed rather than only at push time. It means digest-pinning and drift detection that ties every deployed image back to the exact source commit and build job that produced it, so a tag getting silently repointed is flagged as an anomaly instead of going unnoticed. Safeguard verifies Sigstore/cosign signatures and SLSA-aligned provenance attestations before treating an image as deployable, generates and tracks SBOMs so "what's actually in this layer" is a query instead of a forensic exercise, and alerts on registry misconfigurations — anonymous pull or push access, missing authentication, unexpected public exposure — before an attacker finds them first. Across a fleet of registries and tenants, that adds up to a single inventory of what can reach production, how it got there, and whether it's still what it claims to be — closing the exact gap that turns a quiet registry into the supply chain's weakest link.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.