Updated – 13/04/2021 – Azure Security Center triggers three scans for the images in Azure Container Registry. Please check the following section for more details.
In this article, I will walk you through how to enable and scan your container images in Azure Container Registry (ACR) with Azure Security Center (Azure Defender), and then simulate a scan for a vulnerable container image.
Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:
- Cloud Security Posture Management (CSPM) – Helps you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
- Cloud Workload Protection Platform (CWPP) – Protects against threats for servers, whether they are running in Azure, on-premises, or in different clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as SQL databases (PaaS/VM) and storage accounts.
Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. It’s based on the open-source Docker Registry 2.0.
To learn more about Azure Container Registry, please check the official documentation here.
Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:
- Azure Defender for servers
- Azure Defender for App Service
- Azure Defender for Storage
- Azure Defender for SQL
- Azure Defender for Kubernetes
- Azure Defender for container registries
- Azure Defender for Key Vault
- Azure Defender for Azure DNS
- Azure Defender for Resource Manager
Unlike other Azure Defender plans, Azure Defender for Container Registries will not create security alerts based on Azure Defender’s threat intelligence. It will rather inform you about vulnerable container images that are found in your registry by creating a recommendation in the Remediate Vulnerabilities Security Control.
Vulnerability assessment is one of the advanced protections included in Azure Security Center. It falls under the Cloud Workload Protection Platform (CWPP) and Azure Defender, and it is something you must consider for scanning your private container images in Azure Container Registry.
In November 2019, the Azure Security Center team announced the ability to scan container images in Azure Container Registry, and then share the vulnerability recommendation on Azure Security Center. The vulnerability assessment solution is powered by Qualys with no additional configuration.
To follow this article, you need to have the following:
- Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
- Azure Security Center with Azure Defender enabled. Please note that Azure Defender for container registries is required to scan your container images in the container registry. The price is calculated by the number of images you have in the registry ($0.29/image/month).
- Azure Container Registry – If you don’t have one, you can follow the steps below to create one.
At the time of this writing, Azure Defender for container registries can scan Linux container images only in an Azure Container Registry, which is accessible from the internet with shell access. Please check the availability documentation here to see when Windows images will be supported.
Create the Azure Container Registry
If you don’t have an Azure Container Registry (ACR) deployed in Azure, you can follow the steps below to create a new one.
```powershell
#! Create a dedicated Resource Group for Azure Container Registry
az account set --subscription "SUBSCRIPTION-ID"
az group create --name rg-acr-asc-demo --location northeurope

#! Create Azure Container Registry with Basic SKU
#! The Basic SKU is a cost-optimized entry point for development purposes that provides a balance of storage and throughput.
#! For production deployment, you want to look at the 'Standard' and 'Premium' SKUs
az acr create --resource-group rg-acr-asc-demo --name acrascdemo --sku Basic
```
Once the Container Registry is deployed, you can get the details and then log in with the following set of commands:
```powershell
#! Get the details of an Azure Container Registry.
az acr show --name acrascdemo -o table

#! Login to Azure Container Registry
az acr login --name acrascdemo
```
Enable Security Center for ACR
Scanning of container images is enabled in Azure Security Center at the subscription level:
- Open Azure Portal and sign in with a user who has Security Admin privileges.
- On the left navigation pane, click Security Center.
- From Security Center’s sidebar, open the Pricing & settings page.
- Select the desired subscription for which you want to enable scan for container images in Azure Container Registry.
- Toggle the option for Container registries to ‘Enabled’ as shown in the screenshot below, and then click Save.
Vulnerability scanning for container images is now enabled on all Azure Container Registries connected to the selected subscription. As noted on the Pricing tier page, the first 30 days are free. This is a great opportunity to evaluate and try the vulnerability assessment for your private container images.
Simulate a scan for a vulnerable image
In this section, I will simulate a scan by pushing a vulnerable container image to an Azure Container Registry (ACR), and then present its high-severity recommendation in Azure Security Center.
Now open PowerShell and run the following set of commands to push a vulnerable image from Docker Hub:
```powershell
#! Login to Azure Container Registry
az acr login --name acrascdemo

#! Download vulnerable image from docker hub
docker pull vulnerables/web-dvwa

#! Check the image on your local repository
docker images "vulnerables/web-dvwa"

#! Tag the image that we pulled from the docker hub with your ACR Login URL (i.e. containerregistryname.azurecr.io). In this example, my Azure container registry name is (acrascdemo).
docker tag vulnerables/web-dvwa:latest acrascdemo.azurecr.io/vulnerables/web-dvwa:v2

#! Check the image again on your local repository and identify the new tag. In this example (v2).
docker images "*/vulnerables/web-dvwa:v2"

#! Finally, push the image to the container registry
docker push acrascdemo.azurecr.io/vulnerables/web-dvwa:v2
```
Once the image is pushed, you can check your ACR repository and validate that you have a new repository with a new image as shown in the figure below:
Get Insights about container images vulnerabilities
When the scan completes (typically after approximately 10 minutes, but it can take up to 30 minutes), Azure Security Center will update the security resource health, recommendations, and secure score. Security Center will find a new recommendation for the container registry under the “Compute & apps” → “Containers” tab → Filter on “Resource type: Container registry” as shown in the screenshot below. In my example, I waited nearly 30 minutes for the recommendations list to show up.
The great thing about this integration is that it also shows you the ‘Category’ of each finding and whether a ‘Patch Available’ exists to remediate the vulnerability.
If you then click on any of the findings, you will see the ‘General information’ with deep links to the related CVE number, the ‘Remediation’ details to take, ‘Additional information’ from the vendor (in this case, Debian Linux), and the ‘Affected resources’, which show the repository and the container registry. In this example, I have another vulnerable production image, different from the one simulated above.
How image scanning works
The image scanning works by parsing through the packages or other dependencies defined in the container image file, then checking to see whether there are any known vulnerabilities in those packages or dependencies (powered by a Qualys vulnerability assessment Database). Qualys’s scanner is the leading tool for identifying vulnerabilities. The image is pulled from the registry. It’s then run in an isolated sandbox with the Qualys scanner that extracts a list of known vulnerabilities.
The following diagram is a great illustration of how Azure Security Center vulnerability scanning works, which then provides actionable recommendations for known vulnerabilities.
Image Credit: [Microsoft documentation]
Security Center filters and classifies findings from the scanner. When an image is healthy, Security Center marks it as such. Security Center generates security recommendations only for images that have issues to be resolved. By notifying you only when there are problems, Security Center reduces the potential for unwanted informational alerts.
The scan itself can be automatically triggered when pushing new container images to Azure Container Registry. Found vulnerabilities will surface as Security Center recommendations and be included in the Azure Secure Score, together with information on how to patch them to reduce the attack surface they expose.
Please note that at the time of this writing, Security Center will scan the image(s) on a push to the container registry only. It does not do regular rescans of the image. I hope this additional security capability will be added in the future.
Updated – 13/04/2021 – Azure Security Center triggers three scans for the images as follows:
- On push – Whenever an image is pushed to your registry, Security Center automatically scans that image. To trigger the scan of an image, push it to your repository.
- Recently pulled – Since new vulnerabilities are discovered every day, Azure Defender for container registries also scans, on a weekly basis, any image that has been pulled within the last 30 days. There’s no additional charge for these rescans; you’re billed once per image.
- On import – Azure Container Registry has import tools to bring images to your registry from Docker Hub, Microsoft Container Registry, or another Azure container registry. Azure Defender for container registries scans any supported images you import.
That’s it, there you have it!
In this article, I showed you how to enable and scan your container images in Azure Container Registry by leveraging Azure Security Center vulnerability assessment capability (powered by Qualys), and then we looked at the security recommendations list provided by Security Center, so you can take corrective action to improve the security posture of your containerized environment and protect it from attacks.
As noted previously, Azure Security Center scans images once they are pushed to ACR, whether you push the image using CI/CD in Azure DevOps or using the docker command line. This is a great starting point. However, images with vulnerabilities or pending security recommendations can still be pulled and deployed, which is still a risk. The Container Registry team is actively working on the Quarantine feature for ACR, which puts all new Docker images into quarantine. Image quarantine is currently a preview feature of ACR. You can enable the quarantine mode of a registry so that only images that have successfully passed a security scan are visible to normal users. For more details, see the ACR GitHub repository on how to enable automatic image quarantine for a container registry.
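A deployment gate for the risk described above, as an added example that is not part of the original article: it checks the findings for one image digest and refuses to pass while the scan may still be running (the up-to-30-minute delay mentioned earlier). The record layout (`status.severity`, `additionalData.repositoryName`, `additionalData.imageDigest`), the `gate` function and all sample values are assumptions; compare the field names with the findings exported from your own subscription.

```python
from datetime import datetime, timedelta, timezone

SCAN_WINDOW = timedelta(minutes=30)  # the article: results can take up to 30 minutes
BLOCKING = {"High"}                  # assumption: only High severity blocks a deploy

def finding(repo, digest, name, severity):
    """Build one constructed record in the assumed findings layout."""
    return {"properties": {
        "displayName": name,
        "status": {"code": "Unhealthy", "severity": severity},
        "additionalData": {"repositoryName": repo, "imageDigest": digest}}}

# Constructed sample data; digests and finding names are placeholders.
SAMPLE = [
    finding("vulnerables/web-dvwa", "sha256:aaa1", "Constructed finding A", "High"),
    finding("vulnerables/web-dvwa", "sha256:aaa1", "Constructed finding B", "Medium"),
    finding("demo/api", "sha256:bbb2", "Constructed finding C", "Low"),
]

def gate(findings, repo, digest, pushed_at, now):
    """Decide whether one image digest may be deployed.

    BLOCK   - at least one finding at a blocking severity
    PENDING - nothing reported yet and the scan window has not elapsed
    PASS    - scanned with no blocking finding, or nothing reported after the
              window (Security Center reports only images that have issues;
              this assumes a supported Linux image that does get scanned)
    """
    mine = []
    for record in findings:
        props = record["properties"]
        data = props.get("additionalData", {})
        if (data.get("repositoryName") == repo and data.get("imageDigest") == digest
                and props["status"]["code"] == "Unhealthy"):
            mine.append(props)
    blocking = sorted(p["displayName"] for p in mine
                      if p["status"]["severity"] in BLOCKING)
    if blocking:
        return "BLOCK", blocking
    if not mine and now - pushed_at < SCAN_WINDOW:
        return "PENDING", []
    return "PASS", []

if __name__ == "__main__":
    now = datetime(2021, 4, 13, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    print(gate(SAMPLE, "vulnerables/web-dvwa", "sha256:aaa1", now - timedelta(hours=1), now))
    print(gate(SAMPLE, "demo/new", "sha256:ccc3", now - timedelta(minutes=5), now))
```

In a pipeline, PENDING should cause a retry after a delay rather than a deployment, and the digest checked should be the one the deployment manifest pins.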
Additional resources I highly encourage you to check:
- Workflow automation in Azure Security Center to automate your security operations.
- Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
- Learn more about how to integrate Azure Security Center with Azure Sentinel cloud-native (SIEM).
- Learn more about Azure Container Registry integration with Azure Security Center.
- Check how to protect Azure Kubernetes Service (AKS) with Azure Security Center.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.