Scan Container Images in Azure Container Registry with Azure Security Center


In this article, I will walk you through how to enable and scan your container images in Azure Container Registry (ACR) with Azure Security Center, and then simulate a scan for a vulnerable container image.

Introduction

Azure Security Center gives you visibility into and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

  1. Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
  2. Cloud Workload Protection Platform (CWPP) – Protect against threats to servers whether they run in Azure, on-premises, or in other clouds such as AWS or Google Cloud, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM), and storage accounts.

Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. It’s based on the open-source Docker Registry 2.0.

To learn more about Azure Container Registry, please check the official documentation here.

Vulnerability Assessment is one of the advanced protections included in Azure Security Center. It belongs to the Cloud Workload Protection Platform (CWPP) side, i.e. Azure Defender, and it is the capability you need for scanning private container images in Azure Container Registry.

In November 2019, the Azure Security Center team announced the ability to scan container images in Azure Container Registry and surface the resulting vulnerability recommendations in Azure Security Center. The vulnerability assessment is powered by Qualys and requires no additional configuration.

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
  2. Azure Security Center with Azure Defender (the Standard tier) enabled. The Standard tier is required to scan container images in Container Registries. Pricing is based on the number of images in the registry ($0.29/image/month at the time of writing).
  3. Azure Container Registry – If you don’t have one, you can follow the steps below to create one.

Create the Azure Container Registry

If you don’t have an Azure Container Registry (ACR) deployed in Azure, you can follow the steps below to create a new one.

In this example, I will use the Azure CLI and the Azure Cloud Shell to deploy a new ACR. Launch the Cloud Shell and then run the following set of commands:

#! Create a dedicated Resource Group for Azure Container Registry
az account set --subscription "SUBSCRIPTION-ID"
az group create --name rg-acr-asc-demo --location northeurope

#! Create Azure Container Registry with Basic SKU
#! The Basic SKU is a cost-optimized entry point for development purposes that provides a balance of storage and throughput.
#! For production deployment, you want to look at the 'Standard' and 'Premium' SKUs
az acr create --resource-group rg-acr-asc-demo --name acrascdemo --sku Basic

Once the Container Registry is deployed, you can get the details and then login with the following set of commands:

#! Get the details of an Azure Container Registry.
az acr show --name acrascdemo -o table

#! Login to Azure Container Registry
az acr login --name acrascdemo

[Screenshot 1]

Enable Security Center for ACR

Container image scanning in Azure Security Center is enabled at the subscription level:

  1. Open Azure Portal and sign in with a user who has Security Admin privileges.
  2. On the left navigation pane, click Security Center.
  3. From Security Center’s sidebar, open the Pricing & settings page.
  4. Select the desired subscription for which you want to enable scan for container images in Azure Container Registry.
  5. Toggle the option for Container registries to ‘Enabled‘ as shown in the screenshot below and then click Save.

[Screenshot 2]

Vulnerability scanning is now enabled for every Azure Container Registry in the selected subscription. As noted on the Pricing tier page, the first 30 days are free, which gives you a good window to evaluate the vulnerability assessment against your own private container images.

Simulate a scan for a vulnerable image

In this section, I will trigger a scan by pushing a deliberately vulnerable container image to the Azure Container Registry (ACR) and then look at the resulting high-severity recommendation in Azure Security Center.

This assumes you already have the Azure CLI and Docker Desktop installed on your machine; if not, you can download and install them from here.

Now open PowerShell and run the following commands to pull a known-vulnerable image from Docker Hub and push it to the registry. DVWA is intentionally vulnerable: push it only to a test registry and never deploy it anywhere reachable.

#! Login to Azure Container Registry

az acr login --name acrascdemo

#! Download vulnerable image from docker hub

docker pull vulnerables/web-dvwa

#! Check the image on your local repository

docker images "vulnerables/web-dvwa"

[Screenshot 3]

#! Tag the image pulled from Docker Hub with your ACR login server (i.e. containerregistryname.azurecr.io). In this example, the registry name is acrascdemo.

docker tag vulnerables/web-dvwa:latest acrascdemo.azurecr.io/vulnerables/web-dvwa:v2

#! Check the image again on your local repository and identify the new tag. In this example (v2).

docker images "*/vulnerables/web-dvwa:v2"

[Screenshot 4]

#! Finally, push the image to the container registry

docker push acrascdemo.azurecr.io/vulnerables/web-dvwa:v2

[Screenshot 5]

Once the image is pushed, check the registry and confirm that a new repository containing the image appears, as shown in the figure below:

[Screenshot 6]

Get Insights about container images vulnerabilities

When the scan completes (typically after about 10 minutes, but it can take up to 30), Azure Security Center updates the resource health, recommendations, and secure score. The new recommendation for the container registry appears under “Compute & apps” → “Containers” tab, filtered on “Resource type: Container registry”, as shown in the screenshot below. In my example, I waited nearly 30 minutes for the recommendation to show up.

[Screenshot 7]

A useful detail of this integration is that each finding shows its ‘Category‘ and whether a ‘Patch Available‘ exists to remediate it.

[Screenshot 8]

Clicking any finding shows the ‘General information‘ with links to the related CVE, the ‘Remediation‘ steps to take, ‘Additional information‘ from the vendor (Debian Linux in this case), and the ‘Affected resources‘, i.e. the repository and the container registry. In this example, I have another vulnerable production image, different from the one simulated above.

[Screenshot 9]

That’s it!

How image scanning works

Image scanning works by parsing the packages and other dependencies found in the container image’s layers and checking them against a database of known vulnerabilities (the Qualys vulnerability knowledge base). Qualys’s scanner is a widely used tool for identifying vulnerabilities. The image is pulled from the registry and run in an isolated sandbox with the Qualys scanner, which extracts the list of known vulnerabilities.

The following diagram from the Microsoft documentation illustrates how Azure Security Center vulnerability scanning works and how it turns findings into actionable recommendations for known vulnerabilities.

[Diagram: how Azure Security Center vulnerability scanning of container images works]

Image Credits: [Microsoft documentation]

Security Center filters and classifies the findings from the scanner. When an image is healthy, Security Center marks it as such; it generates security recommendations only for images that have issues to resolve. Notifying you only when there are problems reduces the noise of informational alerts.

The scan is triggered automatically when a new container image is pushed to Azure Container Registry. Vulnerabilities found surface as Security Center recommendations and count toward the Azure Secure Score, together with information on how to patch them and so reduce the attack surface they expose.

Please note that at the time of this writing, Security Center scans an image only when it is pushed to the container registry. It does not periodically rescan images already stored there, so a vulnerability published after the push will not surface until the image is pushed again. I hope this additional capability will be added in the future.
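To make the first step of the scanning process above concrete, here is a toy package-based scanner. It is an added example, not the Qualys scanner or any Security Center code: it reads the package inventory a Debian-based image carries in /var/lib/dpkg/status, compares each installed version against a feed of “fixed in” versions using dpkg’s version ordering, and skips packages that were removed but still leave a stanza behind. The status excerpt and the vulnerability feed are constructed for the example, and the finding ids (EXAMPLE-000x) are placeholders, not real CVEs.

```python
"""Toy package-based image scanner (added example, not Qualys or Security Center code)."""
import re
from dataclasses import dataclass

# Constructed excerpt of a dpkg status database (real format, made-up data).
DPKG_STATUS = """\
Package: libssl1.1
Status: install ok installed
Version: 1.1.0k-1~deb9u1

Package: apache2
Status: install ok installed
Version: 2.4.25-3+deb9u8

Package: curl
Status: deinstall ok config-files
Version: 7.52.1-5+deb9u9

Package: bash
Status: install ok installed
Version: 4.4-5
"""

# Constructed feed: package, first fixed version, severity, placeholder id (not real CVEs).
VULN_FEED = [
    {"package": "libssl1.1", "fixed": "1.1.0l-1~deb9u1", "severity": "High", "id": "EXAMPLE-0001"},
    {"package": "apache2", "fixed": "2.4.25-3+deb9u8", "severity": "High", "id": "EXAMPLE-0002"},
    {"package": "curl", "fixed": "7.52.1-5+deb9u10", "severity": "Medium", "id": "EXAMPLE-0003"},
    {"package": "bash", "fixed": "4.4-5", "severity": "Medium", "id": "EXAMPLE-0004"},
]


def _char_order(c):
    # dpkg ordering for non-digit characters: '~' sorts before everything, even the
    # end of the string (order 0); letters sort before other symbols.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        ca = _char_order(a[i]) if i < len(a) else 0
        cb = _char_order(b[i]) if i < len(b) else 0
        if ca != cb:
            return ca - cb
    return 0


def _cmp_fragment(a, b):
    # dpkg's verrevcmp: alternate non-digit runs (lexical) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a), re.match(r"\D*", b)
        r = _cmp_nondigit(na.group(), nb.group())
        if r:
            return r
        a, b = a[na.end():], b[nb.end():]
        da, db = re.match(r"\d*", a), re.match(r"\d*", b)
        r = int(da.group() or 0) - int(db.group() or 0)
        if r:
            return r
        a, b = a[da.end():], b[db.end():]
    return 0


def compare_versions(v1, v2):
    """Negative, zero or positive like `dpkg --compare-versions` ([epoch:]upstream[-revision])."""
    def split(v):
        epoch = 0
        if ":" in v:
            e, v = v.split(":", 1)
            epoch = int(e)
        upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
        return epoch, upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_dpkg_status(text):
    """Map package name -> version for packages that are actually installed."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        # Removed packages keep a stanza ("deinstall ok config-files"); skip them so
        # the scanner does not report code that is no longer on the image.
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


@dataclass
class Finding:
    package: str
    installed: str
    fixed: str
    severity: str
    id: str


def scan(installed, feed):
    """Report every feed entry whose package is installed below the fixed version."""
    return [
        Finding(v["package"], installed[v["package"]], v["fixed"], v["severity"], v["id"])
        for v in feed
        if v["package"] in installed and compare_versions(installed[v["package"]], v["fixed"]) < 0
    ]


if __name__ == "__main__":
    for f in scan(parse_dpkg_status(DPKG_STATUS), VULN_FEED):
        print(f"{f.severity:6} {f.id} {f.package} {f.installed} < {f.fixed}")
```

Only libssl1.1 is reported: apache2 and bash are already at their fixed versions, and curl is excluded because its stanza shows it was removed. The version comparison matters more than it looks; a naive string compare would rank `1.0~rc1` above `1.0` and miss packages still on a release candidate.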

Summary

In this article, I showed you how to enable scanning of container images in Azure Container Registry with the Azure Security Center vulnerability assessment capability (powered by Qualys), and we looked at the resulting list of security recommendations, which lets you take corrective action to improve the security posture of your containerized environment and protect it from attacks.

As noted previously, Azure Security Center scans images when they are pushed to ACR, whether the push comes from a CI/CD pipeline in Azure DevOps or from the docker command line. This is a great starting point. However, images with vulnerabilities or pending security recommendations can still be pulled and deployed, which remains a risk. The Container Registry team is working on a quarantine feature for ACR that places every newly pushed image into quarantine; image quarantine is currently a preview feature of ACR. With quarantine mode enabled on a registry, only images that have passed the security scan are visible to normal users. For details on enabling automatic image quarantine for a registry, see the ACR GitHub repository.
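Until quarantine is available, the practical way to stop a vulnerable image from being deployed is to have the pipeline read the scan findings described in the “Get Insights” section above and fail the release on them. The following gate is an added example, not code from the article or from Microsoft. Each finding of the ACR vulnerability assessment is exposed as a sub-assessment under the registry resource, readable through Azure Resource Graph (`az graph query`, which needs the resource-graph CLI extension) or the Microsoft.Security/subAssessments REST API. `SAMPLE_ROWS` is constructed to mirror the columns projected by the query below; the digests and finding ids are placeholders. The assessment key is the one used in Microsoft’s sample Resource Graph queries for this assessment; confirm it against your tenant before relying on it. The fail-closed rule also assumes the query returns a row for every finding on a scanned image, including ones already marked Healthy.

```python
"""Gate a deployment on Security Center's ACR scan findings (added example, not Microsoft code)."""
from collections import Counter
from dataclasses import dataclass, field

ACR_VA_ASSESSMENT_KEY = "dbd0cb49-b563-45e7-9724-889e799fa648"  # assumed; confirm in your tenant
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def resource_graph_query(assessment_key=ACR_VA_ASSESSMENT_KEY):
    """KQL for `az graph query -q` that returns one row per finding (not executed here)."""
    return f'''
securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
| where assessmentKey == "{assessment_key}"
| project repository = tostring(properties.additionalData.repositoryName),
          imageDigest = tostring(properties.additionalData.imageDigest),
          severity = tostring(properties.status.severity),
          status = tostring(properties.status.code),
          patchable = tobool(properties.additionalData.patchable),
          finding = tostring(properties.id)
'''


# Constructed rows in the shape of that projection (not real scan output).
SAMPLE_ROWS = [
    {"repository": "vulnerables/web-dvwa", "imageDigest": "sha256:aaaa", "severity": "High",
     "status": "Unhealthy", "patchable": True, "finding": "EXAMPLE-0001"},
    {"repository": "vulnerables/web-dvwa", "imageDigest": "sha256:aaaa", "severity": "Medium",
     "status": "Unhealthy", "patchable": False, "finding": "EXAMPLE-0002"},
    {"repository": "vulnerables/web-dvwa", "imageDigest": "sha256:aaaa", "severity": "High",
     "status": "Healthy", "patchable": True, "finding": "EXAMPLE-0003"},
    {"repository": "app/api", "imageDigest": "sha256:bbbb", "severity": "Medium",
     "status": "Unhealthy", "patchable": True, "finding": "EXAMPLE-0004"},
    {"repository": "app/api", "imageDigest": "sha256:bbbb", "severity": "Low",
     "status": "Unhealthy", "patchable": False, "finding": "EXAMPLE-0005"},
]


@dataclass
class GateResult:
    allowed: bool
    reason: str
    by_severity: dict = field(default_factory=dict)


def gate(rows, repository, image_digest, min_block="High", patchable_only=False):
    """Decide whether one image may ship. Match by digest: a tag can be re-pointed after the scan."""
    image_rows = [r for r in rows if r["repository"] == repository and r["imageDigest"] == image_digest]
    if not image_rows:
        # Fail closed: the scan runs after the push and can take up to 30 minutes,
        # so an empty result may mean "not scanned yet", not "clean".
        return GateResult(False, "no scan results for this digest yet")
    threshold = SEVERITY_RANK[min_block]
    blocking = [
        r for r in image_rows
        if r["status"] == "Unhealthy"
        and SEVERITY_RANK.get(r["severity"], 0) >= threshold
        and (r["patchable"] or not patchable_only)
    ]
    if blocking:
        return GateResult(False, f"{len(blocking)} finding(s) at or above {min_block}",
                          dict(Counter(r["severity"] for r in blocking)))
    return GateResult(True, "no blocking findings")


if __name__ == "__main__":
    import sys
    result = gate(SAMPLE_ROWS, "vulnerables/web-dvwa", "sha256:aaaa")
    print(result)
    sys.exit(0 if result.allowed else 1)
```

In a pipeline, feed the rows from `az graph query -q "$(python -c 'import gate; print(gate.resource_graph_query())')" -o json` (or the REST API) into `gate()` with the digest reported by `docker push`, and let the non-zero exit code fail the stage. Remediated findings stay in the feed with status Healthy and are ignored; the `patchable_only` switch lets a team block only on findings the vendor has already fixed, which is the usual compromise when an image cannot yet be rebuilt.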

There’s more…

Additional resources I highly encourage you to check:

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
