- Unauthorized push access allowing image replacement
- Missing vulnerability scan enforcement (images with critical CVEs deployed)
- Tag mutability allowing image substitution after scanning
- Registry credentials stored insecurely in pipeline configurations
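
As an added example (not from the original page), the Python code below shows one way to address the scan-enforcement and tag-mutability items together: a deploy-time gate that accepts only digest-pinned references and requires a passing scan record for that exact digest. The `admit` and `evaluate` functions, the scan-record layout and the `registry.example.com` references are assumptions constructed for illustration.

```python
import re

# Image reference pinned by content digest: repo[:tag]@sha256:<64 hex chars>
DIGEST_REF = re.compile(r"^(?P<repo>[^@\s]+)@(?P<digest>sha256:[0-9a-f]{64})$")

# Constructed scan records, keyed by the digest that was actually scanned.
SCANS = {
    "sha256:" + "a" * 64: {"critical": 0, "high": 2},
    "sha256:" + "b" * 64: {"critical": 3, "high": 5},
}


def admit(image_ref, scans, max_critical=0):
    """Return (allowed, reason) for one image reference at deploy time."""
    m = DIGEST_REF.match(image_ref)
    if m is None:
        # A bare tag can be re-pointed after the scan, so the scan result
        # cannot be tied to the bytes that will actually run.
        return False, "not pinned by digest (mutable tag)"
    report = scans.get(m.group("digest"))
    if report is None:
        return False, "no scan record for this digest"
    if report["critical"] > max_critical:
        return False, f"{report['critical']} critical findings"
    return True, "scanned digest within policy"


def evaluate(image_refs, scans):
    """Apply the gate to every image in a deployment; any failure blocks it."""
    results = {ref: admit(ref, scans) for ref in image_refs}
    return all(ok for ok, _ in results.values()), results


if __name__ == "__main__":
    refs = [  # constructed sample references
        "registry.example.com/app/api@sha256:" + "a" * 64,
        "registry.example.com/app/api:1.4.2",
        "registry.example.com/app/worker@sha256:" + "b" * 64,
        "registry.example.com/app/cron@sha256:" + "c" * 64,
    ]
    ok, results = evaluate(refs, SCANS)
    for ref, (allowed, reason) in results.items():
        print("ALLOW" if allowed else "DENY ", ref[:48], "-", reason)
    print("deploy permitted:", ok)
```

Keying the scan record on the digest rather than the tag is what makes the check survive a tag being re-pointed after scanning.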