Golden images

One final security consideration for images and registries is the source of the base images that are used for application images. Companies running Docker in production typically restrict the base images that developers can use to a set that has been approved by infrastructure or security stakeholders. This set of golden images may just be captured in documentation, but it is easier to enforce with a private registry.

Golden images in a Windows environment may be limited to two options: a version of Windows Server Core and a version of Nano Server. Instead of allowing users to use the public Microsoft images, the Ops team may build custom images from Microsoft's base images. The custom images may add security or performance tweaks or set some defaults that apply to all applications, such as packaging the company's Certificate Authority certs.

Using DTR, you can create an organization for all your base images, where the Ops team has read-write access to the repositories, while all other users have read access. Checking that images are using a valid base just means checking that the Dockerfile is using an image from the base-images organization, which is an easy test to automate in your CI/CD process.

Golden images add a management overhead to your organization, but it's one that becomes worthwhile as you move more and more applications to Docker. Owning your own image with ASP.NET that's been deployed and configured with your company's defaults makes it easy for the security team to audit that base image. You also own your release cadence and the domain for your registry, so you don't need to use arcane image names in your Dockerfiles.
