Portal rejects valid image digest references (@sha256:) with client-side validation error

[booooza]

This issue is a: (mark with an x)

• bug report -> please search issues before submitting
• documentation issue or request
• regression (a behavior that used to work and stopped in a new release)

Issue description

The Azure Portal UI rejects valid image digest references (@sha256:...) in the Container Apps image field with a client-side validation error, while the same reference deploys successfully via the Azure CLI.

Steps to reproduce

1. Open an existing Container App in the Azure Portal
2. Navigate to the container image settings
3. Enter a digest-based image reference, e.g. myorg/myimage@sha256:<digest>
4. Observe validation error:

Image name must be lowercase and include a tag separated by ':' (e.g. myregistry/myimage:latest). Only letters, digits, '.', '-', '_', and '/' are allowed.

Expected behavior
The Portal should accept digest references in the format registry/repository@sha256:<digest>.

Actual behavior
Client-side validation rejects @ characters in the digest. The same image deploys successfully via CLI (az version 2.85.0):

az containerapp update \
  --name <app> \
  --container-name <container> \
  --resource-group <rg> \
  --image ghcr.io/myorg/myimage@sha256:<digest>

Screenshots
N/A

[FlorentATo]

I was just about to report the same thing :)

Client-side validation rejects @ characters in the digest. The same image deploys successfully via CLI (az version 2.85.0):

Same is true with Terraform; I've been deploying Container Apps and Container App Jobs for months, only today I discovered that issue while messing with the portal.

At first, the portal indicates an general error with the container (which is confusing and misleading, in my opinion):

then, if you focus on the input field "Image and tag", then focus outside, the actual error message appears:

Please note that neither https://learn.microsoft.com/en-us/cli/azure/containerapp?view=azure-cli-latest or https://learn.microsoft.com/en-us/cli/azure/containerapp/job?view=azure-cli-latest mention the support for SHA256 digest in the image URL, despite working completely fine.

I also want to stress that including the digest value is not mentioned anywhere in the Containers Secure Supply Chain Framework documentation, which is truly surprising to me.

However, using the digest to tightly validate the container image is mentioned in the tutorial "Sign container images by using Notation, Azure Key Vault, and a self-signed certificate":

Build and push a new image by using Azure Container Registry tasks. Always use the digest value to identify the image for signing, because tags are mutable and can be overwritten.

[simonjj]

Confirmed — the Portal's client-side validation regex for the image field doesn't account for digest references (@sha256:). This works fine via CLI and Terraform, so the issue is purely in the Portal UI validation.

Routing to the Portal team. In the meantime, CLI and IaC (Bicep/Terraform) work correctly with digest references.