Container Supply Chain

Supply Chain

Container supply chain attacks target the build and distribution process. Compromised base images, malicious registry entries, and CI/CD attacks are common vectors.

Attack Vectors

Image Attacks

  • • Typosquatting (nginx vs ng1nx)
  • • Compromised base images
  • • Malicious public images
  • • Image tag mutability

Registry Attacks

  • • Unauthenticated push
  • • Registry compromise
  • • Man-in-the-middle
  • • Missing content trust

Registry Enumeration

registry-enum.sh
bash 
# List repositories in registry
curl -s https://registry.target.com/v2/_catalog

# List tags for an image
curl -s https://registry.target.com/v2/myapp/tags/list

# Get image manifest
curl -s https://registry.target.com/v2/myapp/manifests/latest

# Check for anonymous push (dangerous!)
docker tag myimage registry.target.com/myimage
docker push registry.target.com/myimage

# Pull and analyze images
docker pull registry.target.com/myapp:latest
dive registry.target.com/myapp:latest

Digest Pinning

Always use image digests (sha256) instead of tags in production. Tags can be overwritten, but digests are immutable.

Related Topics

Image Scanning

Runtime Security