services / Azure / Container registry repository image content
The data-plane image/artifact content of repositories in an Azure Container Registry: the actual container image layers, manifests, and OCI artifacts that downstream Kubernetes clusters and workloads pull and run.
Image layers routinely embed proprietary application source and binaries, configuration, and baked-in secrets; control over this content is a supply-chain position over everything that consumes the registry.
Microsoft.ContainerRegistry/registries/repositories/content/read
Pulling images is a data-plane read that exports the full container artifacts. Because these artifacts commonly bundle application code, binaries, configuration, and embedded secrets, this read amounts to data and code exfiltration.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security