Governance Anti Patterns Containers - Azure/az-prototype GitHub Wiki

Containers

Container Apps, ACR, and container runtime configuration detection

Domain: containers


Checks (4)

Check Description
ANTI-CONT-001 Secret in environment variable — use Key Vault references with managed identity instead.
ANTI-CONT-002 Container registry admin user enabled — disable admin and use managed identity with AcrPull role.
ANTI-CONT-003 Container App needs UserAssigned identity (or SystemAssigned,UserAssigned) for ACR image pull — SystemAssigned alone fails on first deploy.
ANTI-CONT-004 Container image uses :latest tag — use a specific version tag or SHA digest for reproducible deployments.

ANTI-CONT-001

Secret in environment variable — use Key Vault references with managed identity instead.

Rationale: Plain environment variables expose secrets in Container App revision metadata and ARM deployment history.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.App/containerApps
  • Microsoft.Web/sites
Triggers On:
  • 'environment_variable'
  • 'env_var'
Correct Patterns:
  • 'secretRef'
  • '# Use Key Vault references with managed identity'

ANTI-CONT-002

Container registry admin user enabled — disable admin and use managed identity with AcrPull role.

Rationale: Admin credentials are shared secrets that cannot be scoped per-service; managed identity with AcrPull provides per-identity audit.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.ContainerRegistry/registries
Triggers On:
  • 'admin_user_enabled = true'
  • 'adminUserEnabled = true'
Correct Patterns:
  • 'admin_user_enabled = false'
  • 'adminUserEnabled = false'
  • '# Use managed identity with AcrPull role assignment'

ANTI-CONT-003

Container App needs UserAssigned identity (or SystemAssigned,UserAssigned) for ACR image pull — SystemAssigned alone fails on first deploy.

Rationale: SystemAssigned identity alone causes image pull failures on first provision because the identity doesn't exist when ACR pull is attempted.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.App/containerApps
Triggers On:
  • 'microsoft.app/containerapps'
Correct Patterns:
  • 'type = "SystemAssigned, UserAssigned"'
  • 'identity.userAssignedIdentities'

ANTI-CONT-004

Container image uses :latest tag — use a specific version tag or SHA digest for reproducible deployments.

Rationale: The :latest tag is mutable and non-deterministic — different nodes may pull different images, causing inconsistent behavior.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.App/containerApps
  • Microsoft.ContainerRegistry/registries
Triggers On:
  • ':latest'
  • 'image:latest'
Correct Patterns:
  • 'image = "myregistry.azurecr.io/myapp:v1.2.3"'
  • 'image = "myregistry.azurecr.io/myapp@sha256:abc123"'
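The following Terraform layout applies the correct patterns of all four checks (ANTI-CONT-001 to ANTI-CONT-004) in one place; it is an added example, not code from this wiki or from the az-prototype agents. It assumes azurerm_resource_group.rg, azurerm_container_app_environment.env, azurerm_user_assigned_identity.app and azurerm_key_vault_secret.db_password are declared elsewhere, and the resource names and image digest are placeholders.

```hcl
# ANTI-CONT-002: no shared admin credential; pulls are authorised per identity.
resource "azurerm_container_registry" "acr" {
  name                = "myregistry"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Premium"
  admin_user_enabled  = false
}

# AcrPull granted to a user-assigned identity that exists before the app does.
resource "azurerm_role_assignment" "acr_pull" {
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

resource "azurerm_container_app" "app" {
  name                         = "myapp"
  container_app_environment_id = azurerm_container_app_environment.env.id
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Single"
  depends_on                   = [azurerm_role_assignment.acr_pull] # role propagation
  identity { # ANTI-CONT-003: UserAssigned is present for the first-deploy pull
    type         = "SystemAssigned, UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.app.id]
  }
  registry {
    server   = azurerm_container_registry.acr.login_server
    identity = azurerm_user_assigned_identity.app.id
  }
  # ANTI-CONT-001: the value never appears in the template; it is resolved from Key Vault at runtime.
  secret {
    name                = "db-password"
    identity            = azurerm_user_assigned_identity.app.id
    key_vault_secret_id = azurerm_key_vault_secret.db_password.versionless_id
  }
  template {
    container {
      name   = "myapp"
      # ANTI-CONT-004: pin by digest (placeholder shown) instead of :latest.
      image  = "${azurerm_container_registry.acr.login_server}/myapp@sha256:<digest>"
      cpu    = 0.25
      memory = "0.5Gi"
      env {
        name        = "DB_PASSWORD"
        secret_name = "db-password" # a reference, not the plaintext value
      }
    }
  }
}
```

The depends_on on the role assignment matters in practice: without it the first revision can be created before AcrPull has propagated and the pull fails exactly as ANTI-CONT-003 describes.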
