The B2B Podcast Index
DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations

Why Your Kubernetes Image Registry Needs a Vulnerability Scan Gate

DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations · 2026-05-27 · 10 min

Episode notes

In this episode of DevOps Daily with Fexingo, Lucas and Luna dive into a critical but often overlooked failure point in container workflows: the moment an image hits your private registry. They unpack why scanners alone aren't enough, how a single unvetted pull can cascade into a cluster-wide CVE, and the concrete architecture change — a pre-pull vulnerability scan gate — that can catch supply-chain attacks before they deploy. Drawing on real-world examples from the recent PyTorch dependency confusion incident and a misconfigured JFrog Artifactory at a fintech unicorn, they explain how to wire Amazon ECR, Harbor, or GitLab container registry into your admission controller, and why blocking a build in CI doesn't protect you from a cached base image. If you've ever assumed your container registry was just a storage bucket, this episode will change how you think about your software supply chain.
