EPISODE · May 27, 2026 · 9 MIN
Why Your Kubernetes Image Registry Needs a Vulnerability Scan Gate
from DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations · host Fexingo
In this episode of DevOps Daily with Fexingo, Lucas and Luna dive into a critical but often overlooked failure point in container workflows: the moment an image hits your private registry. They unpack why scanners alone aren't enough, how a single unvetted pull can cascade into a cluster-wide CVE, and the concrete architecture change — a pre-pull vulnerability scan gate — that can catch supply-chain attacks before they deploy. Drawing on real-world examples from the recent PyTorch dependency confusion incident and a misconfigured JFrog Artifactory at a fintech unicorn, they explain how to wire Amazon ECR, Harbor, or GitLab container registry into your admission controller, and why blocking a build in CI doesn't protect you from a cached base image. If you've ever assumed your container registry was just a storage bucket, this episode will change how you think about your software supply chain.