How to Pull the Synaccess CMP Docker Container (ACR)

This page shows how to authenticate to our private registry and pull the Synaccess image. Deployment (Compose + .env) is covered in the next page.

What you’ll receive

Registry (login server): synaccess.azurecr.io
Repository: syn-cloud
Tag(s): a version like 0.2.6 (we may also provide latest)
Token username: <TOKEN_USER>
Token password: sent separately via one-time secret link or phone call

No Azure or Docker Hub account is required.

Prerequisites

Docker Engine / CLI 28.1.1 (or compatible)
Outbound HTTPS access to synaccess.azurecr.io

Check your version:

docker --version

Steps

1) Log in to the private registry

docker login synaccess.azurecr.io \
  -u <TOKEN_USER> \
  -p '<TOKEN_PASSWORD>'

Expected output: Login Succeeded.

2) Pull the image

Pull a specific tag:

docker pull synaccess.azurecr.io/syn-cloud:0.2.6

(Optionally) pull the moving tag:

docker pull synaccess.azurecr.io/syn-cloud:latest

3) Verify it’s present locally

docker images | grep syn-cloud
# or:
docker inspect --format='{{index .RepoDigests 0}}' synaccess.azurecr.io/syn-cloud:0.2.6

Troubleshooting

401 Unauthorized Re-run the login command and verify the token username/password.

DNS or network error

nslookup synaccess.azurecr.io
curl -I https://synaccess.azurecr.io/v2/ || true

If either fails from your network, contact us.

Manifest unknown / tag not found Confirm you’re using the exact tag we provided.

Authentication & Least Privilege

Images are hosted on a private Azure Container Registry: synaccess.azurecr.io.
Access is granted via a scoped, pull-only token (read-only to the syn-cloud repository). No Azure account is required.
Tokens can be rotated or revoked at any time; contact [email protected] to rotate.

Security & Compliance Notes

Credential Handling (customer side)

Prefer stdin for passwords (avoids shell history):

echo '<TOKEN_PASSWORD>' | docker login synaccess.azurecr.io -u <TOKEN_USER> --password-stdin

Docker stores credentials in the OS credential helper (or ~/.docker/config.json). Ensure the file is readable only by the current user (chmod 600) and do not check it into source control.
To remove cached creds:
```
docker logout synaccess.azurecr.io
```
Do not embed the token in Compose files, scripts, or CI logs. Keep it in a secure secret store.

Supply-Chain Integrity (tags, digests, signatures)

We publish version tags (e.g., 0.2.6) and may also publish latest.
You can verify the digest after pull:
```
docker inspect --format='{{index .RepoDigests 0}}' synaccess.azurecr.io/syn-cloud:0.2.6
```
Compare this to the digest listed in our release notes/email.
For deterministic deployments, pin by digest instead of tag:
```
image: synaccess.azurecr.io/syn-cloud@sha256:<digest>
```
If your policy requires image signing (Notation/cosign), tell us—[email protected]—and we can coordinate delivering signed artifacts.

Vulnerability Scanning & SBOM

You may scan the pulled image with your standard toolchain (e.g., Trivy, Grype, Docker Scout):
```
trivy image --severity CRITICAL,HIGH synaccess.azurecr.io/syn-cloud:0.2.6
```
An SBOM can be generated locally with your approved tool (e.g., Syft) or requested from us.

Logging & Audit

Keep host logs for docker login/docker pull events per your retention policy.
On request, we can provide token issuance/rotation details for your audit trail.

Update Notifications

To be notified when a new image is available, email [email protected] and ask to be added to the Synaccess CMP update newsletter.

Example “Secure Pull” Block (drop-in)

# 1) Verify connectivity/DNS (optional)
nslookup synaccess.azurecr.io || true
curl -I https://synaccess.azurecr.io/v2/ || true

# 2) Login using stdin (no password in history)
echo '<TOKEN_PASSWORD>' | docker login synaccess.azurecr.io -u <TOKEN_USER> --password-stdin

# 3) Pull explicit version (recommended)
docker pull synaccess.azurecr.io/syn-cloud:0.2.6

# 4) Verify digest
docker inspect --format='{{index .RepoDigests 0}}' synaccess.azurecr.io/syn-cloud:0.2.6

# 5) (Optional) Logout when done on shared/bastion hosts
docker logout synaccess.azurecr.io