Azure Container Registry (ACR) Doesn't Have a Retention Policy Set
Description
Azure Container Registry retention policies automatically delete untagged manifests after a configurable number of days. An untagged manifest is what is left behind when a tag is re-pushed: the previous image stays in the registry and remains pullable by digest, so a registry without a retention policy accumulates stale layers that consume storage and keep old, possibly vulnerable, builds available. Retention policies are only available on the Premium service tier, and any workload that pins a manifest by digest will fail to pull it once the policy has purged it, so set the retention period with deployment pinning in mind.
This policy checks that a retention policy is enabled on each Azure Container Registry, so that untagged manifests are deleted automatically.
Code Example
```terraform
resource "azurerm_container_registry" "example" {
  ...
  # Note: retention policies require sku = "Premium"

  # If using azurerm version below 4.0
+ retention_policy {
+   enabled = true
+   days    = 7
+ }

  # If using azurerm version 4.0 and above
+ retention_policy_in_days = 7
}
```
Remediation
Terraform
- Resource: azurerm_container_registry
- Arguments: retention_policy (azurerm below 4.0) or retention_policy_in_days (azurerm 4.0 and above)
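As an added check (example code written for this page, not Checkov's implementation of CKV_AZURE_167 and not part of the azurerm provider), the following Python script applies the rule's logic to the JSON produced by `terraform show -json`. It handles both the pre-4.0 `retention_policy` block and the 4.0+ `retention_policy_in_days` attribute, walks child modules, and also flags registries below the Premium tier, where the setting cannot take effect. The embedded sample plan is constructed; treating a 0-day period as "not set" and a 7-day default for an omitted legacy `days` are assumptions made for this example.

```python
"""Flag azurerm_container_registry resources that have no untagged-manifest
retention policy, reading the JSON produced by `terraform show -json plan.out`.
Added illustration of the rule's logic; not Checkov's own implementation."""
import json
import sys


def retention_days(values):
    """Return the configured retention period in days, or None if no policy is set.

    Handles both provider generations:
      - azurerm < 4.0: a `retention_policy` block, which plan JSON serialises as a
        one-element list of {"enabled": bool, "days": int}
      - azurerm >= 4.0: the scalar attribute `retention_policy_in_days`
    Assumption for this example: a period of 0 days is treated as "no policy" so
    that it is surfaced for review rather than silently accepted.
    """
    scalar = values.get("retention_policy_in_days")
    if scalar is not None:
        return int(scalar) or None
    for block in values.get("retention_policy") or []:
        if block.get("enabled") is True:
            # The legacy block's `days` defaults to 7 when omitted (assumption based
            # on the provider schema; plan JSON normally materialises the default).
            return int(block.get("days", 7)) or None
    return None


def check_registry(resource):
    """Evaluate one azurerm_container_registry resource from plan JSON."""
    values = resource.get("values") or {}
    finding = {"address": resource["address"]}
    days = retention_days(values)
    if days is None:
        finding.update(status="FAIL", reason="no untagged-manifest retention policy")
    elif str(values.get("sku", "")).lower() != "premium":
        # Retention policies exist only on the Premium tier; Azure rejects the
        # setting on Basic/Standard, so do not count this resource as compliant.
        finding.update(status="FAIL",
                       reason=f"retention policy requires the Premium SKU, got {values.get('sku')!r}")
    else:
        finding.update(status="PASS", reason=f"untagged manifests purged after {days} day(s)")
    return finding


def iter_resources(module):
    """Yield resources from a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate(plan):
    """Return one finding per container registry in the planned values."""
    root = plan["planned_values"]["root_module"]
    return [check_registry(r) for r in iter_resources(root)
            if r.get("type") == "azurerm_container_registry"]


def _registry(name, **values):
    # Helper for building constructed sample resources; later keys override sku.
    return {"address": f"azurerm_container_registry.{name}",
            "type": "azurerm_container_registry",
            "values": {"name": f"acr{name}", "sku": "Premium", **values}}


# Constructed sample plan (not output from a real environment) covering the
# cases the rule must distinguish.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            _registry("unset"),
            _registry("legacy_off", retention_policy=[{"enabled": False, "days": 7}]),
            _registry("legacy_on", retention_policy=[{"enabled": True, "days": 7}]),
            _registry("v4", retention_policy_in_days=30),
            _registry("v4_zero", retention_policy_in_days=0),
            {"address": "azurerm_storage_account.logs", "type": "azurerm_storage_account",
             "values": {"name": "stlogs"}},
        ],
        "child_modules": [{"resources": [
            {**_registry("basic", sku="Basic", retention_policy_in_days=7),
             "address": "module.app.azurerm_container_registry.basic"},
        ]}],
    }},
}


if __name__ == "__main__":
    # Usage: python acr_retention_check.py [plan.json]; falls back to the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for f in evaluate(plan):
        print(f"{f['status']:4} {f['address']}: {f['reason']}")
```

Run it against `terraform show -json plan.out > plan.json` to get one PASS/FAIL line per registry; the Premium-tier check is deliberately a FAIL rather than a warning, because a retention setting on a Basic or Standard registry never takes effect.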
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0674 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AZURE_167 |