In this article, I will walk you through how to enable and scan your container images in Azure Container Registry (ACR) with Azure Security Center, and then simulate a scan for a vulnerable container image.
Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two mains value proposition:
- Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
- Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises or different clouds such as Amazon AWS or Google GCP, in additional to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts.
Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. It’s based on the open-source Docker Registry 2.0.
To learn more about Azure Container Registry, please check the official documentation here.
Vulnerability Assessment is one of many features that is included in Azure Security Center that falls under the Cloud Workload Protection Platform (CWPP) which is something you must consider for scanning your private container images in Azure Container Registry.
In November 2019, the Azure Security Center team announced the ability to scan container images in Azure Container Registry, and then share the vulnerability recommendation on Azure Security Center. The vulnerability assessment solution is powered by Qualys with no additional configuration.
To follow this article, you need to have the following:
- Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
- Azure Security Center Standard tier enabled. Please note that the standard tier is required to leverage scan container images for Container Registries. The price is calculated by the number of images you have in the registry which is ($0.29/image/month).
- Azure Container Registry – If you don’t have one, you can follow the steps below to create one.
Create the Azure Container Registry
If you don’t have an Azure Container Registry (ACR) deployed in Azure, you can follow the steps below to create a new one.
#! Create a dedicated Resource Group for Azure Container Registry az account set --subscription "SUBSCRIPTION-ID" az group create --name rg-acr-asc-demo --location northeurope #! Create Azure Container Registry with Basic SKU #! The Basic SKU is a cost-optimized entry point for development purposes that provides a balance of storage and throughput. #! For production deployment, you want to look at the 'Standard' and 'Premium' SKUs az acr create --resource-group rg-acr-asc-demo --name acrascdemo --sku Basic
Once the Container Registry is deployed, you can get the details and then login with the following set of commands:
#! Get the details of an Azure Container Registry. az acr show --name acrascdemo -o table #! Login to Azure Container Registry az acr login --name acrascdemo
Enable Security Center for ACR
To enable scan for container images in Azure Security Center, this should be done at the subscription level:
- Open Azure Portal and sign in with a user who has Security Admin privileges.
- On the left navigation pane, click Security Center.
- From Security Center’s sidebar, open the Pricing & settings page.
- Select the desired subscription for which you want to enable scan for container images in Azure Container Registry.
- Toggle the option for Container registries to ‘Enabled‘ as shown in the screenshot below and then click Save.
Now vulnerability scan for container images will be enabled on all Azure Container Registries connected to the selected subscription. As noted in the Pricing tier page, the first 30 days are free. This is a great opportunity to evaluate and try the vulnerability assessment for your private container images.
Simulate a scan for a vulnerable image
In this section, I will simulate a scanning for a vulnerable container image to an Azure Container Registry (ACR) and present its high severity recommendation in Azure Security Center.
Now open PowerShell and run the following set of commands to push a vulnerable image from docker hub:
#! Login to Azure Container Registry
az acr login --name acrascdemo
#! Download vulnerable image from docker hub
docker pull vulnerables/web-dvwa
#! Check the image on your local repository
docker images "vulnerables/web-dvwa"
#! Tag the image that we pulled from the docker hub with your ACR Login URL (i.e. containerregistryname.azurecr.io). In this example, my Azure container registry name is (acrascdemo).
docker tag vulnerables/web-dvwa:latest acrascdemo.azurecr.io/vulnerables/web-dvwa:v2
#! Check the image again on your local repository and identify the new tag. In this example (v2).
docker images "*/vulnerables/web-dvwa:v2"
#! Finally, push the image to the container registry
docker push acrascdemo.azurecr.io/vulnerables/web-dvwa:v2
Once the image is pushed, you can check your ACR repository and validate that you have a new repository with a new image as shown in the figure below:
Get Insights about container images vulnerabilities
When the scan completes (typically after approximately 10 minutes, but it can take up to 30 minutes), Azure Security Center will update the security resource health, recommendations, and secure score. Security Center will find a new recommendation for the container registry under “Compute & apps” → “Containers” tab → Filter on “Resource type: Container registry” as shown in the screenshot below. In my example, I waited nearly 30 minutes for the recommendations list to show up.
The great thing about this integration, it will show you the ‘Category‘ and if there is a ‘Patch Available‘ to remediate this vulnerability as well.
Then if you click on any of the findings, you will see the ‘General information‘ with deep links to the related CVE number, ‘Remediation‘ details to take, ‘Additional information‘ from the vendor, in this case, Debian Linux, and the ‘Affected resources‘, which shows the Repository and the Container Registry. In this example, I have another vulnerable production image different than the one simulated above.
That’s it there you have it!
How image scanning works
The image scanning works by parsing through the packages or other dependencies defined in the container image file, then checking to see whether there are any known vulnerabilities in those packages or dependencies (powered by a Qualys vulnerability assessment Database). Qualys’s scanner is the leading tool for identifying vulnerabilities. The image is pulled from the registry. It’s then run in an isolated sandbox with the Qualys scanner that extracts a list of known vulnerabilities.
The following diagram is a great illustration of how Azure Security Center vulnerability scanning works, which then provide actionable recommendations for known vulnerabilities.
Image Credits: [Microsoft documentation]
Security Center filters and classifies findings from the scanner. When an image is healthy, Security Center marks it as such. Security Center generates security recommendations only for images that have issues to be resolved. By only notifying you when there are problems, that reduce the potential for unwanted informational alerts.
The scan itself can be automatically triggered when pushing new container images to Azure Container Registry. Found vulnerabilities will surface as Security Center recommendations and included in the Azure Secure Score together with information on how to patch them to reduce the attack surface they allowed.
Please note that at the time of this writing, Security Center will scan the image(s) on a push to the container registry only. It does not do regular rescans of the image. I hope this additional security capability will be added in the future.
In this article, I showed you how to enable and scan your container images in Azure Container Registry by leveraging Azure Security Center vulnerability assessment capability (powered by Qualys), and then we looked at the security recommendations list provided by Security Center, so you can take corrective action to improve the security posture of your containerized environment and protect it from attacks.
As noted previously, the Azure Security Center scans images once they are pushed to ACR whether you are pushing the image using CI/CD in Azure DevOps or using the docker command-line. This is a great starting point. However, images with vulnerabilities or pending security recommendations can still be pulled and deployed, which is still a risk. The Container Registry team is actively working on the Quarantine feature for ACR, which puts all new Docker Images into Quarantine. Image quarantine is currently a preview feature of ACR. You can enable the quarantine mode of a registry so that only those images which have successfully passed security scan are visible to normal users. For more details, see the ACR GitHub repository on how to enable automatic image quarantine for a container registry.
Additional resources I highly encourage you to check:
- Workflow automation in Azure Security Center to automate your security operations.
- Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
- Learn more about how to integrate Azure Security Center with Azure Sentinel cloud-native (SIEM).
- Learn more about Azure Container Registry integration with Azure Security Center.
- Check how to protect Azure Kubernetes Service (AKS) with Azure Security Center.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.