
Governance Anti Patterns Containers

Joshua Davis edited this page Apr 5, 2026 · 6 revisions

Containers

Container Apps, ACR, and container runtime configuration detection

Domain: containers


Checks (4)

  • ANTI-CONT-001: Secret in environment variable — use Key Vault references with managed identity instead.
  • ANTI-CONT-002: Container registry admin user enabled — disable admin and use managed identity with AcrPull role.
  • ANTI-CONT-003: Container App needs UserAssigned identity (or SystemAssigned,UserAssigned) for ACR image pull — SystemAssigned alone fails on first deploy.
  • ANTI-CONT-004: Container image uses :latest tag — use a specific version tag or SHA digest for reproducible deployments.

ANTI-CONT-001

Secret in environment variable — use Key Vault references with managed identity instead.

Rationale: Plain environment variables expose secrets in Container App revision metadata and ARM deployment history.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.App/containerApps
  • Microsoft.Web/sites

Triggers On:
  • 'environment_variable'
  • 'env_var'

Correct Patterns:
  • 'secretRef'
  • '# Use Key Vault references with managed identity'

ANTI-CONT-002

Container registry admin user enabled — disable admin and use managed identity with AcrPull role.

Rationale: Admin credentials are shared secrets that cannot be scoped per-service; managed identity with AcrPull provides per-identity audit.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.ContainerRegistry/registries

Triggers On:
  • 'admin_user_enabled = true'
  • 'adminUserEnabled = true'

Correct Patterns:
  • 'admin_user_enabled = false'
  • 'adminUserEnabled = false'
  • '# Use managed identity with AcrPull role assignment'

ANTI-CONT-003

Container App needs UserAssigned identity (or SystemAssigned,UserAssigned) for ACR image pull — SystemAssigned alone fails on first deploy.

Rationale: A SystemAssigned identity alone causes image pull failures on first provision: the identity is created together with the Container App, so it does not yet exist when the ACR pull is attempted.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.App/containerApps

Triggers On:
  • 'microsoft.app/containerapps'

Correct Patterns:
  • 'type = "SystemAssigned, UserAssigned"'
  • 'identity.userAssignedIdentities'

ANTI-CONT-004

Container image uses :latest tag — use a specific version tag or SHA digest for reproducible deployments.

Rationale: The :latest tag is mutable and non-deterministic — different nodes may pull different images, causing inconsistent behavior.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.App/containerApps
  • Microsoft.ContainerRegistry/registries

Triggers On:
  • ':latest'
  • 'image:latest'

Correct Patterns:
  • 'image = "myregistry.azurecr.io/myapp:v1.2.3"'
  • 'image = "myregistry.azurecr.io/myapp@sha256:abc123"'
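The four checks above as a line-level scanner over a constructed Terraform sample; this is an added illustration, not the project's own agent code. The regexes follow the Triggers On lists (Terraform and Bicep spellings), and the ANTI-CONT-001 heuristic (secret-looking env name followed by a literal value instead of secret_name/secretRef) is an assumption of this example.

```python
import re

# Constructed Terraform sample (not from the project) that trips all four checks.
SAMPLE_TF = """\
resource "azurerm_container_registry" "acr" {
  admin_user_enabled = true
}
resource "azurerm_container_app" "app" {
  identity { type = "SystemAssigned" }
  template {
    container {
      image = "myregistry.azurecr.io/myapp:latest"
      env {
        name  = "DB_PASSWORD"
        value = "hunter2"
      }
    }
  }
}
"""

# Line-level triggers modelled on the wiki's Triggers On lists (Terraform and Bicep spellings).
ADMIN_ENABLED = re.compile(r"\b(admin_user_enabled|adminUserEnabled)\s*[=:]\s*true\b")
SYSTEM_ONLY = re.compile(r"""type\s*[=:]\s*["']SystemAssigned["']""")  # no UserAssigned alongside
LATEST_TAG = re.compile(r"""image\s*[=:]\s*["'][^"']*:latest["']""")
# ANTI-CONT-001 heuristic (assumption): secret-looking env name whose next line is a literal value.
SECRET_NAME = re.compile(r"""name\s*[=:]\s*["'][^"']*(PASSWORD|SECRET|KEY|TOKEN)""", re.I)
PLAIN_VALUE = re.compile(r"""^\s*value\s*[=:]\s*["']""")  # secret_name / secretRef would not match


def scan(text: str) -> list[tuple[str, int]]:
    """Return (check id, 1-based line number) for each anti-pattern found in an IaC file."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines, start=1):
        if ADMIN_ENABLED.search(line):
            findings.append(("ANTI-CONT-002", i))
        if SYSTEM_ONLY.search(line):
            findings.append(("ANTI-CONT-003", i))
        if LATEST_TAG.search(line):
            findings.append(("ANTI-CONT-004", i))
        if SECRET_NAME.search(line) and i < len(lines) and PLAIN_VALUE.match(lines[i]):
            findings.append(("ANTI-CONT-001", i + 1))  # report the line holding the literal
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for check, lineno in scan(SAMPLE_TF):
        print(f"{check} at line {lineno}: {SAMPLE_TF.splitlines()[lineno - 1].strip()}")
```

Applying the Correct Patterns (admin user disabled, "SystemAssigned, UserAssigned" identity, digest-pinned image, secret_name instead of value) makes scan() return an empty list.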
