The requirements to hash, version control, keep updated, and scan container images are all security and quality gates that should be enforced before deployment. Integrating these checks into a Continuous Integration/Continuous Deployment (CI/CD) pipeline automates this enforcement. During the CI phase, the pipeline can build the image, assign a version tag, generate a cryptographic hash (digest), and run a vulnerability scanner against it. The pipeline can be configured to fail the build if vulnerabilities are found or other quality checks are not met, preventing insecure images from ever reaching the container registry or production environment. This approach aligns with modern DevSecOps principles of "shifting security left."

A. Service meshes and Access Control Lists (ACLs) are runtime controls that manage network traffic between running containers, not security controls for the static container images themselves.

C. Auditing is a detective control that identifies non-compliance after an image has been built or deployed, rather than a preventative control that ensures requirements are met beforehand.

D. Pulling images directly from a public vendor repository and deploying them without internal validation and scanning is a highly insecure practice that bypasses essential security checks.

1. National Institute of Standards and Technology. (2017). SP 800-190

Application Container Security Guide. Section 3.2.2

"Vulnerability Scanning

" states

"Organizations should integrate vulnerability scanning tools into their CI/CD pipelines to ensure that images that have known vulnerabilities are not pushed to the registry." Section 3.2.1

"Image Signing

" discusses using cryptographic methods to ensure image integrity

a process also managed within the pipeline. (https://doi.org/10.6028/NIST.SP.800-190)

2. Pape

F. (2021). Lecture 10: DevSecOps. CS 161: Computer Security

University of California

Berkeley. Course materials emphasize integrating security tools like static analysis and vulnerability scanners directly into the CI/CD pipeline to automate security checks early in the development lifecycle.

3. Red Hat. (n.d.). Securing the build pipeline. Red Hat OpenShift Documentation. This official vendor documentation details the best practice of incorporating security checks

such as static code analysis and vulnerability scanning of dependencies and container images

within the CI/CD pipeline to secure the software supply chain.