Azure containers are built from images stored in either a public or a private registry. Pulling images from a public registry may seem easier, but it does not guarantee security. As mentioned above, a container image is made up of multiple layers of software, and each layer can have vulnerabilities.
Images on a public registry are more likely to have malicious software attached to them than those on a private registry. Images on private registries are more likely to be properly scanned and pose less risk. Private registries are managed and feature role-based access controls, providing more governance and security. Examples of private container image registries include Azure Container Registry, Docker Trusted Registry, and the open-source Harbor project from the Cloud Native Computing Foundation.
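
One way to enforce the private-registry preference described above is to audit the image references in your deployment definitions against an allowlist. The following is an added example, not code from any of the registries named here; the registry host names and the sample image list are constructed assumptions.

```python
# Added example: audit image references against an allowlist of private registries.
# Registry names and SAMPLE_IMAGES are constructed for illustration.

DEFAULT_REGISTRY = "docker.io"  # where Docker resolves bare names such as "nginx"

APPROVED_REGISTRIES = {
    "contoso.azurecr.io",       # hypothetical Azure Container Registry instance
    "harbor.internal.example",  # hypothetical Harbor instance
}

SAMPLE_IMAGES = [
    "contoso.azurecr.io/payments/api:1.4.2",
    "harbor.internal.example/base/python@sha256:" + "0" * 64,  # placeholder digest
    "nginx:1.25",                                          # implicit Docker Hub
    "exampleuser/redis",                                   # implicit Docker Hub
    "contoso.azurecr.io.example.net/payments/api:1.4.2",   # lookalike host
    "localhost:5000/dev/app:latest",                       # unmanaged local registry
]


def registry_of(image: str) -> str:
    """Return the registry host an image reference resolves to.

    Docker treats the first path component as a registry host only when it
    contains '.' or ':' or is 'localhost'; anything else is a Docker Hub
    repository, so "nginx" and "exampleuser/redis" are public images.
    """
    name = image.split("@", 1)[0]           # drop an optional digest
    first, slash, _ = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return DEFAULT_REGISTRY


def audit(images):
    """Return (image, registry) pairs whose registry is not on the allowlist."""
    findings = []
    for image in images:
        registry = registry_of(image)
        # Exact host match: a substring or prefix test would accept the
        # lookalike host in SAMPLE_IMAGES.
        if registry not in APPROVED_REGISTRIES:
            findings.append((image, registry))
    return findings


if __name__ == "__main__":
    for image, registry in audit(SAMPLE_IMAGES):
        print(f"REJECT {image} (resolves to {registry})")
```

Run against the constructed list, the audit rejects the two bare Docker Hub names, the lookalike host, and the local registry, and accepts the two allowlisted private registries.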