Prevent tags from being overwritten

By default, users with access to push to a repository, can push the same tag multiple times to the same repository. As an example, a user pushes an image to library/wordpress:latest, and later another user can push the image with exactly the same name but different functionality. This might make it difficult to trace back the image to the build that generated it.

To prevent this from happening, you can configure a repository to be immutable. Once you push a tag, DTR doesn’t allow anyone else to push another tag with the same name.

Make tags immutable

To make tags immutable, in the DTR web UI, navigate to the repository settings page, and change Immutability to On.

From now on, users will get an error message when trying to push a tag that already exists:

docker push dtr.example.org/library/wordpress:latest
unknown: tag=latest cannot be overwritten because dtr.example.org/library/wordpress is an immutable repository

Where to go next

• Sign images