They should test the registry endpoint itself with anonymous Docker and OCI pull requests, then verify that manifests and layers are denied for private repositories. UI permissions are not enough. The real signal is whether unauthenticated retrieval fails at the API layer, because that is where the exploit occurs.
Why This Matters for Security Teams
Registry access controls are only meaningful if they block the API layer that serves manifests and layers, not just the console that presents repository settings. A permissions screen can look correct while anonymous pull traffic still succeeds, which is why teams need to validate the actual registry endpoint. That distinction matters because registry abuse often turns a small misconfiguration into broad image exposure, supply chain tampering, or secret leakage.
NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, and that visibility gap is a recurring reason access failures go unnoticed until data is already exposed. The same pattern appears in container registries: teams assume controls are effective because the UI suggests they are, but the attacker interacts with the registry service directly. The practical question is whether unauthenticated requests fail consistently across the exact API routes that clients use. For broader NHI control context, see the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10.
In practice, many security teams discover registry exposure only after an image is pulled anonymously or a scanner proves the deny rule was never enforced at the endpoint.
How It Works in Practice
The operational test is straightforward: attempt anonymous Docker and OCI pull requests against the registry endpoint, then verify that private manifests and layers are denied with the expected authentication challenge or authorization failure. The relevant control is not whether a repository appears private in the UI, but whether the registry API actually rejects retrieval. That means testing the same paths and verbs used by real clients, including manifest lookups, blob pulls, and token exchange flows.
Security teams should treat this as a live control validation exercise, not a documentation review. A good test set usually includes:
- Anonymous pull of a known private image by tag and digest.
- Direct manifest request against the repository API.
- Layer download attempt after manifest discovery.
- Verification that success is impossible without a valid identity or token.
Where registries use delegated auth, the policy decision may happen in an identity service rather than the registry itself. In those cases, current guidance suggests validating both the token issuer and the registry enforcement path. For control design context, the Ultimate Guide to NHIs — Key Challenges and Risks is a useful reference, and the OWASP guidance is consistent with testing the effective access path rather than the control surface. This is also aligned with PCI DSS v4.0 expectations around verifying access control effectiveness, not just policy existence.
These controls tend to break down in distributed registry setups with cached tokens, mirrored repositories, or multiple ingress paths because one path can enforce auth while another still permits retrieval.
Common Variations and Edge Cases
Tighter registry control often increases operational overhead, requiring organisations to balance stronger protection against build pipeline friction and debugging complexity. That tradeoff becomes more visible in hybrid environments where internal workers, CI jobs, and third-party automation all need access.
Best practice is evolving, but there is no universal standard for every registry implementation yet. Some environments rely on short-lived bearer tokens, some on IP restrictions, and some on upstream identity brokers. The important point is that the test must match the architecture: if the registry uses a token service, validate token issuance and expiry; if it uses mTLS or workload identity, verify the client identity is actually required before any blob is served.
Edge cases include public base images with private overlays, read-only mirrors, and “private” repositories exposed through a secondary domain or cached CDN. Security teams should also retest after policy changes, because registry behavior can drift when back-end storage, reverse proxies, or auth gateways are updated. For identity and exposure patterns, the 52 NHI Breaches Analysis helps illustrate how small control gaps become operational incidents. The control breaks down most often when an alternate hostname or mirror bypasses the enforced authentication middleware.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Tests whether registry access is truly enforced for non-human identities. |
| NIST CSF 2.0 | PR.AC-1 | Access control effectiveness depends on verified authentication and authorization. |
| CSA MAESTRO | IAM-02 | Registry access for automated workloads requires workload identity validation. |
Test that registry requests fail without valid identity and that least privilege is enforced at runtime.
Related resources from NHI Mgmt Group
- How do security teams know whether privacy controls are actually working?
- How do security teams know whether AI access is actually working safely?
- How do security teams know whether chatbot controls are actually working?
- How do security teams know whether password reset controls are actually working?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
