We would like to log changes to the "write-enabled" property of an image in ACR. Currently this doesn't seem to be covered in Alerts or audit logs as per this documentation: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-diagnostics-audit-logs

We would like to allow our users to push and pull images, but not to remove the "write-enabled false" flag on existing images. Currently there doesn't seem to be a permission specifically for that.

It would be great if there was a frontend for ACR, similar to Dockerhub where users could easily see the supported tags and some description for the image they are downloading

Currently, we can monitor pull/push counts by Azure Monitor.
https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftcontainerregistryregistries

Otherwise, we need to check the status of network traffic for investigating slow operation.
(Azurespeed is viable for checking current status, but not suitable for trend/history)

it would be nice to be able to apply a wildcard to a repository scope-map, eg dev/*

Your best practices suggest leveraging multiple namespaces which is a good idea. But different namespaces may require different purge limits.

When using the acr purge command, adding '--untagged' does not tell the purge to delete images that match the filtered tag. It only tells the purge command to delete images that no longer are tagged.
I'm trying to purge images by tag, but some images have multiple tags. Adding the --untagged command doesn't help me at all. Instead only the matching tags are removed from the images.

As described here in this OCI Blog, Consuming Public Content (https://opencontainers.org/posts/blog/2020-10-30-consuming-public-content/), a gated import workflow enables a host of reliability, stability and security scenarios by importing and maintaining public content in your private registry.

Once imported, you can use:
- Customer Managed Keys: https://aka.ms/acr/cmk
- Private Link (VNet): https://aka.ms/acr/privatelink
- Geo-replication: https://aka.ms/acr/geo-replication
- Audit logs: https://aka.ms/acr/audit-logs
- Dedicated data endpoints: http://aka.ms/acr/dedicated-data-endpoints
- ...

We have provided the raw capabilities through the az cli: https://aka.ms/acr/tasks/gated-import

Voting here is for tooling the gated-import workflow through an az-cli, vs-code or Azure portal.

Comments are very helpful here

Create az acr CLI or Azure Portal for active purge images using Semantic Version. One time I need to maintain the last Major version ou medium and the last 3 version of after version. The another versions can I purge.

For now, only Linux images are scanned for vulnerabilities when pushed in ACR. The Windows images are not scanned. It would be a great improvement to have such capability.

pipe embed

At present scopemap configurations are at a repository level. It would be very helpful to allow configuration at namespace/repository level with the support of wildcards.

For example
/org/dept1/repo1
/org/dept1/repo2
/org/dept2/repo1
/org/dept2/subdep1/repo1

So if I want to create a token for pulling all images in /org/dept2/ and its sub paths , allowing configuration like /org/dept2/* in scopemap would make it extremely easy rather than going and adding each repo manually in the scope map.

During the creating wizard for ACR the deployment will fail if the encryption key specified exists in a keyvault which has the network firewall enabled.
To complete the deployment you must initially use a key from a keyvault with no firewall enabled. Enable a system identity then grant this access to the keyvault with the firewall enabled. Then change the key from the temporary key vault to the keyvault with network firewall as a workaround.

We are providing an ACR to our customers with anonymous AcrPull rights but currently the customer cannot get a tag listing.

When running
Invoke-Webrequest -Uri 'https://<myregistry>.azurecr.io/v2/_catalog'
without any auth, the result is always:
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required, visit https://aka.ms/acr/authorization for more information.","detail":[{"Type":"registry","Name":"catalog","Action":"*"}]}]}

It would be great if there were an option for anonymous metadata access to support public listing.

Since ACR is billed by size of images pushed, I'd like a way to programmatically check the capacity I'm using at any time

Give us some cmdlet like

Get-AzContainerRegistryImages resulting in array of acrimage details (created, last updated, ... and MOST IMPORTANT SIZE TAKEN IN ACR)

so that I can do my computation and filtering with where-object / select-object

az cli has some commands
az acr repository list and show
but not giving size and then I don't like it beacuse it's not programmable like powershell

Thanks