T13-AT-013 · HIGH
Container Registry Poisoning
T13 · AI Supply Chain & Artifact Trust
Risk score: 235
Rating: High
Procedures: 10
Severity
Mechanism
Containerization is the standard deployment model for ML: training jobs, inference servers, and data processing pipelines all run in containers. Container images from Docker Hub, NVIDIA NGC, or private registries contain the entire execution environment — OS, frameworks, libraries, drivers, and model code. Poisoning a container image is equivalent to poisoning every process that runs in it.
Detection
- Container image signing and verification (Notary/Cosign)
- Runtime container behavior monitoring: detect unexpected processes, network connections, file modifications
- Image provenance tracking: verify image source and build pipeline
- Layer integrity verification: hash each layer against known-good baselines
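The layer integrity check in the last bullet, as an added example that is not part of the original page: it recomputes each pulled layer's content digest, compares it with what the image manifest claims, and then compares the ordered layer list against a known-good baseline. The layer blobs and the manifest are constructed stand-ins for a real registry pull.

```python
import hashlib


def sha256_digest(data: bytes) -> str:
    """OCI-style content digest of a blob."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def make_manifest(layers):
    """Minimal OCI image manifest built from layer blobs (constructed, not a real pull)."""
    return {"schemaVersion": 2,
            "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                        "digest": sha256_digest(b), "size": len(b)} for b in layers]}


def verify_layers(manifest, blobs, baseline):
    """Return findings for an image; an empty list means it matches the known-good baseline.

    manifest: OCI manifest dict; blobs: claimed digest -> layer bytes as pulled;
    baseline: ordered list of known-good layer digests for this image tag."""
    findings, actual = [], []
    for i, layer in enumerate(manifest.get("layers", [])):
        claimed, blob = layer["digest"], blobs.get(layer["digest"])
        if blob is None:
            findings.append(f"layer {i}: blob {claimed} missing from pull")
            actual.append(claimed)
            continue
        computed = sha256_digest(blob)  # trust content, not the registry's claim
        if computed != claimed:
            findings.append(f"layer {i}: content digest {computed} != manifest digest {claimed}")
        if layer.get("size") is not None and layer["size"] != len(blob):
            findings.append(f"layer {i}: size {len(blob)} != manifest size {layer['size']}")
        actual.append(computed)
    if actual != baseline:  # same digests in the same order, or the image is not the one approved
        findings += [f"unexpected layer {d} not in known-good baseline" for d in actual if d not in baseline]
        findings += [f"baseline layer {d} absent from image" for d in baseline if d not in actual]
        if sorted(actual) == sorted(baseline):
            findings.append("layer order differs from baseline")
    return findings


# Constructed sample layers standing in for real tarballs of an inference image.
BASE_OS = b"layer0: minimal base OS"
FRAMEWORK = b"layer1: ML framework and drivers"
MODEL_CODE = b"layer2: inference server and model code"
KNOWN_GOOD = [sha256_digest(b) for b in (BASE_OS, FRAMEWORK, MODEL_CODE)]


def check_image(layer_blobs):
    """Findings for an image whose manifest and blobs are consistent with layer_blobs."""
    return verify_layers(make_manifest(layer_blobs),
                         {sha256_digest(b): b for b in layer_blobs}, KNOWN_GOOD)
```

A clean pull returns no findings; an image with an extra appended layer is flagged as not in the baseline, and a layer whose bytes no longer match the manifest digest is reported even before the baseline comparison runs.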
Mitigation
- Image signing with Sigstore/Cosign · HIGH
- Private base images built from minimal OS · HIGH
- Runtime container security (Falco, Sysdig) · MEDIUM
- Kubernetes admission controllers (OPA Gatekeeper) · HIGH
Chaining
Container registry poisoning chains from T13-AT-004 (Dependency Confusion via stolen registry credentials) and enables T13-AT-003 (Pipeline Injection through poisoned training containers). Scanner poisoning (T13-AP-013D) chains to T13-AT-012 (Artifact Signature Attacks) by removing verification.