Feature
Resolution: Unresolved
Minor
Davide F Bragalone: Hi folks, I work in the InfoSec team. A user came to us with some concerns related to brew.registry.redhat.io access. Not sure if this is the right channel; is there someone here with whom I can clarify some concerns?
hseljene: What are the concerns?
Davide F Bragalone: The reporter is concerned about the possibility of listing brew's images once logged in to registry.io (given that anyone could get a Developer Subscription and access):
a list of all visible images can be retrieved using:
curl -X GET https://<registryuser>:<registrypass>@brew.registry.redhat.io/v2/_catalog
When running the above curl command, it will not retrieve any Ansible Automation Platform image (but dozens of other images), which leads me to believe that there are hidden images.
He is worried that such images might contain secrets, so he opted to report it.
My thoughts would be:
I assume that if a user has a developer account, they can access those images.
Red Hat images (and not only Red Hat's) should not contain secrets anyway (they are already being scanned for vuln_mgmt purposes, I assume).
But I preferred to check with you.