Many developers rely on Docker Hub to consume public content such as container images, Helm charts, and other artifacts, often without authenticating. However, when you have dependencies on public content you can introduce security and reliability risks into your environment. In this blog, we will describe the best practices for mitigating risks when using public content from Docker Hub and other public registries.
Import public content locally whenever possible
Importing public content to an internal registry is the first step in a set of best practices for your software supply chain . Doing so raises the availability and reliability of your public content pipeline. If you pull public content without using credentials from any public registry, including Docker Hub, you may be limited in how often you can pull. Importing public content also helps protect you from production outages by providing local backup copies. Importing public content enables you to create a local registry of public content to validate, sign, and deploy your own trusted images more securely and reliably. For more details, see Consuming Public Content by The Open Container Initiative.
Configure Artifact Cache to consume public content
The best practice for consuming public content is to combine registry authentication and the Azure Container Registry (ACR) Artifact Cache feature. You can use Artifact Cache to cache your container artifacts into your Azure Container Registry -- even in private networks. Using Artifact Cache not only protects you from registry rate limits, but dramatically increases pull reliability when combined with Geo-replicated ACR to pull artifacts from whichever region is closest to your Azure resource. In addition, you can also use all the security features ACR has to offer, including private networks, firewall configuration, Service Principals, and more. For complete information on using public content with ACR Artifact Cache, check out the Artifact Cache technical documentation.
Authenticate Pulls with Public Registries like Docker Hub
We recommend authenticating to public registries like . Docker Hub offers free and paid subscriptions to enable developers to authenticate when building with public library content. Authenticated users also have access to pull content directly from private repositories. For more information, please visit Docker Subscriptions. Artifact Cache supports authenticating with public registries.
Learn more about Container Security
Implementing the recommended best practices can help improve the security posture of your container workloads. You can learn more about how to secure your container workloads during their various stages of development here on Microsoft Learn.