Introduction

Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two mains value proposition:

1. Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
2. Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises or different clouds such as Amazon AWS or Google GCP, in additional to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts.

Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. It’s based on the open-source Docker Registry 2.0.

To learn more about Azure Container Registry, please check the official documentation here.

Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:

Vulnerability Assessment is one of the advanced protection that is included in Azure Security Center that falls under the Cloud Workload Protection Platform (CWPP) and Azure Defender which is something you must consider for scanning your private container images in Azure Container Registry.

In November 2019, the Azure Security Center team announced the ability to scan container images in Azure Container Registry, and then share the vulnerability recommendation on Azure Security Center. The vulnerability assessment solution is powered by Qualys with no additional configuration.

Prerequisites

To follow this article, you need to have the following:

1. Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2. Azure Security Center Azure Defender enabled. Please note that Azure Defender for container registries is required to scan your container images in the container registry. The price is calculated by the number of images you have in the registry which is ($0.29/image/month).
3. Azure Container Registry – If you don’t have one, you can follow the steps below to create one.

Create the Azure Container Registry

If you don’t have an Azure Container Registry (ACR) deployed in Azure, you can follow the steps below to create a new one.

In this example, I will use the Azure CLI and the Azure Cloud Shell to deploy a new ACR. Launch the Cloud Shell and then run the following set of commands:

#! Create a dedicated Resource Group for Azure Container Registry
az account set --subscription "SUBSCRIPTION-ID"
az group create --name rg-acr-asc-demo --location northeurope
#! Create Azure Container Registry with Basic SKU
#! The Basic SKU is a cost-optimized entry point for development purposes that provides a balance of storage and throughput.
#! For production deployment, you want to look at the 'Standard' and 'Premium' SKUs
az acr create --resource-group rg-acr-asc-demo --name acrascdemo --sku Basic

Once the Container Registry is deployed, you can get the details and then login with the following set of commands:

#! Get the details of an Azure Container Registry.
az acr show --name acrascdemo -o table
#! Login to Azure Container Registry az acr login --name acrascdemo

Enable Security Center for ACR

To enable scan for container images in Azure Security Center, this should be done at the subscription level:

1. Open Azure Portal and sign in with a user who has Security Admin privileges.
2. On the left navigation pane, click Security Center.
3. From Security Center’s sidebar, open the Pricing & settings page.
4. Select the desired subscription for which you want to enable scan for container images in Azure Container Registry.
5. Toggle the option for Container registries to ‘Enabled‘ as shown in the screenshot below and then click Save.

Now vulnerability scan for container images will be enabled on all Azure Container Registries connected to the selected subscription. As noted in the Pricing tier page, the first 30 days are free. This is a great opportunity to evaluate and try the vulnerability assessment for your private container images.

Simulate a scan for a vulnerable image

In this section, I will simulate a scanning for a vulnerable container image to an Azure Container Registry (ACR) and present its high severity recommendation in Azure Security Center.

Assuming you already have Azure CLI and docker desktop installed on your machine, if not you can download and install it from here.

Now open PowerShell and run the following set of commands to push a vulnerable image from docker hub:

#! Login to Azure Container Registry

az acr login --name acrascdemo

#! Download vulnerable image from docker hub

docker pull vulnerables/web-dvwa

#! Check the image on your local repository

docker images "vulnerables/web-dvwa"

#! Tag the image that we pulled from the docker hub with your ACR Login URL (i.e. containerregistryname.azurecr.io). In this example, my Azure container registry name is (acrascdemo).

docker tag vulnerables/web-dvwa:latest acrascdemo.azurecr.io/vulnerables/web-dvwa:v2

#! Check the image again on your local repository and identify the new tag. In this example (v2).

docker images "*/vulnerables/web-dvwa:v2"

#! Finally, push the image to the container registry

docker push acrascdemo.azurecr.io/vulnerables/web-dvwa:v2

Once the image is pushed, you can check your ACR repository and validate that you have a new repository with a new image as shown in the figure below:

Get Insights about container images vulnerabilities

When the scan completes (typically after approximately 10 minutes, but it can take up to 30 minutes), Azure Security Center will update the security resource health, recommendations, and secure score. Security Center will find a new recommendation for the container registry under “Compute & apps” → “Containers” tab → Filter on “Resource type: Container registry” as shown in the screenshot below. In my example, I waited nearly 30 minutes for the recommendations list to show up.

The great thing about this integration, it will show you the ‘Category‘ and if there is a ‘Patch Available‘ to remediate this vulnerability as well.

Then if you click on any of the findings, you will see the ‘General information‘ with deep links to the related CVE number, ‘Remediation‘ details to take, ‘Additional information‘ from the vendor, in this case, Debian Linux, and the ‘Affected resources‘, which shows the Repository and the Container Registry. In this example, I have another vulnerable production image different than the one simulated above.

That’s it there you have it!

How image scanning works

The image scanning works by parsing through the packages or other dependencies defined in the container image file, then checking to see whether there are any known vulnerabilities in those packages or dependencies (powered by a Qualys vulnerability assessment Database). Qualys’s scanner is the leading tool for identifying vulnerabilities. The image is pulled from the registry. It’s then run in an isolated sandbox with the Qualys scanner that extracts a list of known vulnerabilities.

The following diagram is a great illustration of how Azure Security Center vulnerability scanning works, which then provide actionable recommendations for known vulnerabilities.

Image Credits: [Microsoft documentation]

Security Center filters and classifies findings from the scanner. When an image is healthy, Security Center marks it as such. Security Center generates security recommendations only for images that have issues to be resolved. By only notifying you when there are problems, that reduce the potential for unwanted informational alerts.

The scan itself can be automatically triggered when pushing new container images to Azure Container Registry. Found vulnerabilities will surface as Security Center recommendations and included in the Azure Secure Score together with information on how to patch them to reduce the attack surface they allowed.

Please note that at the time of this writing, Security Center will scan the image(s) on a push to the container registry only. It does not do regular rescans of the image. I hope this additional security capability will be added in the future.

Summary

In this article, I showed you how to enable and scan your container images in Azure Container Registry by leveraging Azure Security Center vulnerability assessment capability (powered by Qualys), and then we looked at the security recommendations list provided by Security Center, so you can take corrective action to improve the security posture of your containerized environment and protect it from attacks.

As noted previously, the Azure Security Center scans images once they are pushed to ACR whether you are pushing the image using CI/CD in Azure DevOps or using the docker command-line. This is a great starting point. However, images with vulnerabilities or pending security recommendations can still be pulled and deployed, which is still a risk. The Container Registry team is actively working on the Quarantine feature for ACR, which puts all new Docker Images into Quarantine. Image quarantine is currently a preview feature of ACR. You can enable the quarantine mode of a registry so that only those images which have successfully passed security scan are visible to normal users. For more details, see the ACR GitHub repository on how to enable automatic image quarantine for a container registry.

Go to Geek Prank and try the online Windows XP simulator, play with the classic Minesweeper and Tetris games or listen to some music.