Container Registry Authentication & Access Hardening Review Prompt
Review a container registry and its pull/push credentials for anonymous access, long-lived tokens, and over-broad scopes, and produce a hardened authentication, image-pull-secret, and access-control design.
- Target user
- Platform and supply-chain security engineers
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior supply-chain security engineer hardening how a container registry authenticates and authorizes image pull and push. I will provide: - The registry type (Docker Hub, GHCR, ECR/GCR/ACR, Harbor, or self-hosted) and its network exposure - How credentials are issued and stored: CI push credentials, cluster imagePullSecrets, robot/service accounts, and whether OIDC/workload identity is available - The repositories, who/what pushes vs. pulls each, and whether anonymous pull is currently enabled. Do the following: 1. **Assess anonymous and public exposure** — flag repositories that allow anonymous pull (or push), public visibility that should be private, and any registry endpoint reachable unauthenticated. 2. **Review credential lifetime and type** — identify long-lived static tokens, shared credentials, and passwords in `~/.docker/config.json`, CI variables, or Kubernetes Secrets; recommend short-lived OIDC/workload-identity or scoped robot accounts instead. 3. **Tighten scopes to least privilege** — ensure push credentials are scoped to the specific repos/tags they publish, that pull credentials are pull-only, and that CI cannot push to unrelated repositories. 4. **Harden Kubernetes pull secrets** — check imagePullSecrets are namespace-scoped, not mounted where unneeded, and rotated; flag cluster-wide or default-service-account attachment. 5. **Add integrity controls** — recommend pinning by digest, enabling signature verification (cosign/policy) and image scanning on push, and immutable tags where supported. 6. **Verify** — provide commands to test an anonymous pull (expect denied), confirm a scoped token cannot push to another repo, and list current access/robot accounts. Output as: a findings table (issue, risk, fix), a corrected credential model (who gets what scope and lifetime), and a rollout order for moving to short-lived scoped auth. Defensive hardening review only — no credential-harvesting tooling.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Elasticsearch / OpenSearch Security Hardening Review Prompt
Review an Elasticsearch or OpenSearch cluster for anonymous access, missing TLS, and over-broad role mappings, and produce a hardened authentication, transport-encryption, and least-privilege RBAC configuration.
-
WebAuthn & Passkey Authentication Hardening Review Prompt
Review a WebAuthn/FIDO2 passkey implementation for weak relying-party settings, missing attestation and user-verification checks, and replay/downgrade gaps, and produce a hardened registration and authentication ceremony.
-
Password Hashing & Credential Storage Review Prompt
Review how an application hashes and stores user passwords and secrets, and produce a hardened credential-storage design using a modern memory-hard KDF with correct parameters, salting, and migration.
-
Session Cookie Security Hardening Review Prompt
Review how a web application issues and manages session cookies and produce a hardened cookie policy covering Secure, HttpOnly, SameSite, scoping, lifetime, and session-fixation defenses.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.