Being able to call on any Docker container during a pipeline is incredibly powerful, but it introduces certain security issues. In the old days you might work with a single server for build tooling, and you’d carefully construct, vet, and deploy it. With the rise of Docker, however, you can work with any number of images that you may or may not be familiar with.
What if someone introduced a rootkit into your pipeline? How much damage could they do? How quickly would you catch it? To be security conscious you’ll need a strategy for how images are introduced to your processes, vetted, and stored. This is where using multiple registries becomes invaluable.
Every Registry a Purpose
Production Docker Registry
Only images that have been fully vetted should be allowed here. Not only are they secure, they are also thoroughly tested and validated to be in proper working order. The ops team will care most about this registry.
Secure Testing Area Registry
All the images used to test and prep images for production should be kept in this registry. They should be tested for security and versioned so the pipeline is reliable. The process of onboarding new images should be automated so you don’t fall into the trap of using old software.
Build, Test, and Debug Registry
Finally, we need a registry for images that are still in progress. These images are less trusted and may be broken. This registry is critical because without it, fixing and debugging images is very difficult.
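One way to enforce this flow in a pipeline step, as an added example that is not part of the original post: images may only move one tier up, only when pinned by digest, and only into production when a passing vetting record exists. The registry hostnames and the `vetted` digest set are assumptions.

```python
import re
from typing import List, Set

# Registry hostnames are constructed for this example, ordered from least to most trusted.
TIERS = ["build.example.com", "testing.example.com", "prod.example.com"]

REF_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[\w./-]+)"
    r"(?::(?P<tag>[\w.-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


class PromotionDenied(ValueError):
    """Raised when an image may not move to the next registry."""


def promotion_plan(ref: str, vetted: Set[str]) -> List[str]:
    """Return the docker commands that copy `ref` one tier up, or raise PromotionDenied.

    `vetted` holds the digests whose tests and security scans passed (assumed to be
    produced by the testing stage); only those may enter the production registry.
    """
    m = REF_RE.match(ref)
    if not m:
        raise PromotionDenied(f"unparseable image reference: {ref}")
    registry, repo, tag, digest = m.group("registry", "repo", "tag", "digest")
    if digest is None:
        # Tags are mutable: a tag vetted yesterday can point at different bytes today.
        raise PromotionDenied("promotion requires a digest-pinned reference")
    if registry not in TIERS:
        raise PromotionDenied(f"{registry} is not one of our registries")
    idx = TIERS.index(registry)
    if idx == len(TIERS) - 1:
        raise PromotionDenied("image is already in the production registry")
    target = TIERS[idx + 1]
    if target == TIERS[-1] and digest not in vetted:
        raise PromotionDenied(f"{digest} has no passing vetting record")
    src = f"{registry}/{repo}@{digest}"          # pull by digest, never by tag
    dst = f"{target}/{repo}:{tag or 'latest'}"   # keep the human-readable tag upstream
    return [
        f"docker pull {src}",
        f"docker tag {src} {dst}",
        f"docker push {dst}",
    ]
```

After the push, compare the digest reported by the target registry against the source digest so the promoted image is provably the bytes that were vetted.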
Free private Docker registry
Codefresh includes a free private Docker registry; it’s designed to complement your Production and Secure Testing registries. Of course, you can also integrate all your own registries into Codefresh very easily.