Docker.image() restrict acceptable image references

Is there a way to limit access to certain images, deemed unacceptable/insecure, with the docker.image() DSL, preferably through a list of regexes passed in CasC? I’m looking for a way to limit our users’ access to certain images, the references of which (tag/hash) have been checked by security specialists and deemed unacceptable for use in build processes for one reason or another. I have a set/list of regexes for such images, but I haven’t yet found any way in the docker plugins’ documentation to set them as a kind of blocklist for the aforementioned docker.image() method.
If there’s no such configuration option, how can I overwrite this method from the docker global variable reference to introduce such filtering?

Jenkins setup:

Jenkins: 2.462.3
OS: Linux - 5.14.0-427.16.1.el9_4.x86_64
Java: 17.0.12 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
Office-365-Connector:4.22.0
analysis-model-api:12.9.0
ansicolor:1.0.5
ant:511.v0a_a_1a_334f41b_
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.4-118.v199115451c4d
artifactory:4.0.8
asm-api:9.7.1-95.v9f552033802a_
audit-trail:361.v82cde86c784e
authentication-tokens:1.119.v50285141b_7e1
badge:2.2
basic-branch-build-strategies:81.v05e333931c7d
bitbucket-filter-project-trait:1.0
bitbucket-oauth:0.13
bitbucket-scm-filter-aged-refs:47.v5450b_74d684c
bitbucket-scm-filter-jira-validator:0.1.0
bitbucket-scm-trait-commit-skip:0.4.0
blueocean:1.27.16
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.27.16
blueocean-commons:1.27.16
blueocean-config:1.27.16
blueocean-core-js:1.27.16
blueocean-dashboard:1.27.16
blueocean-display-url:2.4.3
blueocean-events:1.27.16
blueocean-git-pipeline:1.27.16
blueocean-github-pipeline:1.27.16
blueocean-i18n:1.27.16
blueocean-jira:1.27.16
blueocean-jwt:1.27.16
blueocean-personalization:1.27.16
blueocean-pipeline-api-impl:1.27.16
blueocean-pipeline-editor:1.27.16
blueocean-pipeline-scm-api:1.27.16
blueocean-rest:1.27.16
blueocean-rest-impl:1.27.16
blueocean-web:1.27.16
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1178.v969d9eb_c728e
build-timestamp:1.0.3
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-bitbucket-branch-source:888.v8e6d479a_1730
cloudbees-disk-usage-simple:205.v47f4ee8803d1
cloudbees-folder:6.955.v81e2a_35c08d3
command-launcher:115.vd8b_301cc15d0
commons-compress-api:1.26.1-2
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
config-file-provider:978.v8e85886ffdc4
configuration-as-code:1850.va_a_8c31d3158b_
conventional-commits:0.11.2
credentials:1384.vf0a_2ed06f9c6
credentials-binding:681.vf91669a_32e45
data-tables-api:2.1.8-1
dependency-track:5.1.0
display-url-api:2.204.vf6fddd8a_8b_e9
docker-commons:443.v921729d5611d
docker-workflow:580.vc0c340686b_54
dtkit-api:3.0.2
durable-task:577.v2a_8a_4b_7c0247
echarts-api:5.5.1-1
eddsa-api:0.3.0-4.v84c6f0f4969e
extended-read-permission:53.v6499940139e5
favorite:2.221.v19ca_666b_62f5
flatpickr-api:4.6.13-5.v534d8025a_a_59
font-awesome-api:6.6.0-2
forensics-api:2.6.0
git:5.5.2
git-changelog:3.39
git-client:5.0.0
github:1.40.0
github-api:1.321-468.v6a_9f5f2d5a_7e
github-branch-source:1797.v86fdb_4d57d43
google-compute-engine:4.575.v6969b_7c435eb_
google-login:109.v022b_cf87b_e5b_
google-metadata-plugin:0.5
google-oauth-plugin:1.330.vf5e86021cb_ec
google-source-plugin:0.4
gradle:2.13.1
groovy-postbuild:264.vf6e02a_77d5b_c
gson-api:2.11.0-41.v019fcf6125dc
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148
htmlpublisher:1.36
influxdb:3.7
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javadoc:280.v050b_5c849f69
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:80.v8a_dee33ed6f0
jenkins-design-language:1.27.16
jersey2-api:2.44-151.v6df377fff741
jfrog:1.5.5
jira:3.13
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
job-dsl:1.89
joda-time-api:2.13.0-85.vb_64d1c2921f1
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1304.vc85a_b_ca_96613
kafkalogs:0.1.8
kerberos-sso:1.11
lockable-resources:1315.v4ea_8e5159ec8
mailer:488.v0c9639c1a_eb_3
matrix-auth:3.2.2
matrix-project:839.vff91cd7e3a_b_2
maven-plugin:3.23
mercurial:1260.vdfb_723cdcc81
metrics:4.2.21-451.vd51df8df52ec
mina-sshd-api-common:2.14.0-133.vcc091215a_358
mina-sshd-api-core:2.14.0-133.vcc091215a_358
multibranch-action-triggers:1.8.10
oauth-credentials:0.653.v14cf2088e950
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
parameter-separator:166.vd0120849b_386
people-view:1.2
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:740.va_2701257fe8d
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-definition:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-extensions:2.2214.vb_b_34b_2ea_9b_83
pipeline-multibranch-defaults:2.1
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2214.vb_b_34b_2ea_9b_83
pipeline-stage-view:2.34
pipeline-utility-steps:2.18.0
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:5.1.0
prism-api:1.29.0-17
prometheus:787.v52e8f47488fc
pubsub-light:1.18
robot:4.0.0
role-strategy:743.v142ea_b_d5f1d3
run-condition:1.7
schedule-build:577.v0613c45b_9eef
scm-api:696.v778d637b_a_762
script-security:1362.v67dc1f0e1b_b_3
simple-theme-plugin:196.v96d9592f4efa_
snakeyaml-api:2.3-123.v13484c65210a_
sonar:2.17.2
sse-gateway:1.27
ssh-agent:376.v8933585c69d3
ssh-credentials:343.v884f71d78167
ssh-slaves:2.973.v0fa_8c0dea_f9f
sshd:3.330.vc866a_8389b_58
stash-pullrequest-builder:1.17
structs:338.v848422169819
support-core:1511.v3f5cc9b_a_ff55
tap:2.4.3
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
variant:60.v7290fc0eb_b_cd
warnings-ng:11.9.0
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3969.vdc9d3a_efcc6a_
workflow-durable-task-step:1371.vb_7cec8f3b_95e
workflow-job:1436.vfa_244484591f
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:926.v9f4f9b_b_98c19
xunit:3.1.5

Welcome back, @mkarwin_atos. :wave:

Wouldn’t a custom Groovy script that overrides the docker.image() method to include a check against a list of regex patterns work?
I think this script could be loaded into Jenkins using the init.groovy.d directory. :thinking:
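
One way to implement the regex check discussed in this thread, written as a step in a Pipeline shared library that wraps docker.image() rather than as an override of it. This is an added example, not code from either poster or from the docker-workflow plugin. The step name `checkedImage`, the resource file `image-blocklist.txt` and the simplified reference normalisation are assumptions, and the library is assumed to be configured as a trusted global library.

```groovy
// vars/checkedImage.groovy -- hypothetical step in a trusted global Pipeline library.
// resources/image-blocklist.txt (assumed): one regex per line, '#' starts a comment.

// Expand a short reference the way the Docker CLI does, so one pattern covers
// every spelling of the same image (ubuntu == docker.io/library/ubuntu:latest).
// Simplified: docker.io/ubuntu and legacy registry aliases are not folded.
@NonCPS
String normalize(String ref) {
    String name = ref.trim()
    int at = name.indexOf('@')
    String digest = at >= 0 ? name.substring(at) : ''
    if (at >= 0) {
        name = name.substring(0, at)
    }
    int slash = name.indexOf('/')
    String first = slash < 0 ? '' : name.substring(0, slash)
    // The first path component is a registry only if it looks like a host.
    boolean hasRegistry = first.contains('.') || first.contains(':') || first == 'localhost'
    if (!hasRegistry) {
        name = 'docker.io/' + (slash < 0 ? 'library/' : '') + name
    }
    // A tag is a ':' after the last '/'; default it unless a digest pins the image.
    boolean hasTag = name.lastIndexOf(':') > name.lastIndexOf('/')
    if (!hasTag && digest.isEmpty()) {
        name += ':latest'
    }
    return name + digest
}

// Return the first blocklist pattern that fully matches the reference, or null.
@NonCPS
String firstMatch(String canonical, String blocklistText) {
    for (String line : blocklistText.readLines()) {
        String pattern = line.trim()
        if (pattern && !pattern.startsWith('#') && canonical ==~ pattern) {
            return pattern
        }
    }
    return null
}

// Usage in a Jenkinsfile: checkedImage('maven:3.9').inside { sh 'mvn -v' }
def call(String ref) {
    String canonical = normalize(ref)
    String hit = firstMatch(canonical, libraryResource('image-blocklist.txt'))
    if (hit != null) {
        error "Image '${ref}' (${canonical}) matches blocklist pattern '${hit}'"
    }
    return docker.image(ref)
}
```

The wrapper only covers pipelines that call it; it does not change docker.image() itself. Patterns in the blocklist must be written against the normalised form, for example `docker\.io/library/ubuntu:14\..*`.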