Scan your Azure Container Registry container images with Azure Security Center


If, like me, you are using Azure Container Registry (ACR) to store your container images, you may want to scan them for vulnerabilities. Now you can, thanks to the Azure Security Center Standard tier. In this blog post, I will show you how to set up Azure Security Center to scan your images. But first, let's have a look at how this all works.

How does it work?

So, how does this work? Basically, once you enable this via Azure Security Center and push an image to your registry, a webhook lets Azure Security Center know to kick off a vulnerability scan. The scan itself is performed by Qualys. At the time of writing, only Linux containers are supported. Hopefully, Windows containers will come soon.

Below is an image from the Microsoft docs site that might help explain it better.

https://docs.microsoft.com/en-us/azure/security-center/azure-container-registry-integration

Enough of the how, let's get to it.

As you probably know, Azure Security Center can cost a bit, but luckily you can pick and choose which parts you move to the Standard tier. To enable just ACR image scanning, follow the steps below.

First, in the Azure portal go to Security Center. In here click Coverage; it's on the left under Policy & Compliance.

Now click Edit Plan next to the subscription that contains your ACR.

Now, if you have not enabled the Standard plan before, you will need to by clicking the big Standard button. Then you will need to disable all of the plans apart from Container Registries. You should have something like the image below.

All you have to do now is click Save at the top left of the screen.

Warning

You will be charged $0.29 per image.

Awesome, so you have now enabled it!

Unfortunately, it will not scan existing images, so you will have to push a new image and wait around 10 minutes. You can view a previous blog post on how to do that: https://pixelrobots.co.uk/2019/03/create-an-azure-container-registry-and-allow-aks-access/

Check the results

Go back to the overview of Security Center and click Compute & apps under Resource Security Hygiene. In here click Containers.

In here you will see your container registries. Mine's called pixelacr, and as you can see it's all green.

Click on it to dive deeper. In here you will see any recommendations, passed assessments and any unavailable assessments. Have a look around to see what is there.

All in all

Above I have shown you how to use Azure Security Center to scan for vulnerabilities in your container images. At the moment this only works on a push of an image. I would like to see it scanning on a schedule, as I am sure you're aware vulnerabilities can crop up at any time. But until then, this along with scanning on container image build (https://pixelrobots.co.uk/2020/02/use-trivy-and-azure-devops-to-scan-container-images-for-vulnerabilities/) should help keep you secure.
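Since scans only run on push and the results live in Security Center, a practical follow-up to the "Check the results" section and the scheduling caveat above is a small gate that reads the findings out and blocks an image that has a High finding or whose newest scan is older than a few days. This is an added example, not code from the original post or from Microsoft; the record layout and the `az graph query` command mentioned in the comments are assumptions, and the findings are constructed sample data.

```python
"""Gate ACR images on Security Center (Qualys) findings."""
import json
from datetime import datetime, timedelta, timezone

# Severity rank: anything at or above the threshold blocks the image.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample rows. In practice they would be pulled with something
# like: az graph query -q "securityresources | where type ==
# 'microsoft.security/assessments/subassessments'"  (assumed, not on the page).
# Field names below are an assumption about the subassessment schema.
SAMPLE_FINDINGS = json.dumps([
    {"properties": {"status": {"severity": "High"},
                    "timeGenerated": "2021-03-01T10:00:00Z",
                    "additionalData": {"repositoryName": "web/api",
                                       "imageDigest": "sha256:aaa111",
                                       "cve": [{"title": "CVE-2099-0001"}]}}},
    {"properties": {"status": {"severity": "Low"},
                    "timeGenerated": "2021-03-11T09:00:00Z",
                    "additionalData": {"repositoryName": "web/frontend",
                                       "imageDigest": "sha256:bbb222",
                                       "cve": [{"title": "CVE-2099-0002"}]}}},
])


def utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(findings_json, now, threshold="High", max_age_days=7):
    """Return {"repo@digest": {...}} with a block decision per image.

    block is True when any finding reaches `threshold`, or when the newest
    finding is older than `max_age_days`: scans only run on push, so an
    image that has not been pushed recently carries stale results."""
    images = {}
    for row in json.loads(findings_json):
        p, extra = row["properties"], row["properties"]["additionalData"]
        key = f'{extra["repositoryName"]}@{extra["imageDigest"]}'
        img = images.setdefault(key, {"cves": [], "worst": 0, "last_scan": None})
        img["worst"] = max(img["worst"], SEVERITY_RANK.get(p["status"]["severity"], 0))
        img["cves"] += [c["title"] for c in extra.get("cve", [])]
        ts = utc(p["timeGenerated"])
        if img["last_scan"] is None or ts > img["last_scan"]:
            img["last_scan"] = ts
    for img in images.values():
        img["stale"] = now - img["last_scan"] > timedelta(days=max_age_days)
        img["block"] = img["stale"] or img["worst"] >= SEVERITY_RANK[threshold]
    return images
```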

Source: https://samcogan.com/image-quarantine-in-azure-container-registry/
Entry date: [2021/03/12 13:41:00]
Entered by: mikebai