Skip to content

Quay API Token

Service Name: Quay Container Registry

Service Description: Quay is a container registry service that securely stores, builds, and distributes container images. It provides features for container image security scanning, vulnerability analysis, and fine-grained access controls.

Service Address: https://quay.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level through Quay's security settings.

Secret Access Scope: Grants programmatic access to Quay container registry, allowing users to push, pull, and manage container images and repositories based on the permissions associated with the token.

Secret Revokement URL: https://quay.io/user/[username]?tab=settings

Secret Example: dckr_pat_abcdefghijklmnopqrstuvwxyz0123456789ABCD

Suspicious Activity Investigation Instructions:

  • Review Quay audit logs for unusual repository access or image operations
  • Check for unauthorized image pushes or pulls
  • Monitor for unexpected repository creation or deletion
  • Examine access patterns for unusual geographic locations or times
  • Verify if there are any unexpected permission changes to repositories

Mitigation Instructions:

  • Log in to your Quay account and navigate to User Settings
  • Go to the "Robot Accounts" or "OAuth Applications" section depending on token type

  • Locate the compromised token and click "Delete" or "Revoke"

  • Create a new token with appropriate permissions if needed
  • Review and update repository permissions to ensure proper access controls
  • Consider implementing repository vulnerability scanning to detect security

issues

  • Enable two-factor authentication for your Quay account if not already enabled