
Scan ACR container images

Security · Container Registry · Azure.ACR.ContainerScan

Enable vulnerability scanning for container images.

Description

A potential risk with container-based workloads is unpatched security vulnerabilities in:

  • Operating System base images.
  • Frameworks and runtime dependencies used by application code.

It is important to adopt a strategy to actively scan images for security vulnerabilities. One option for scanning container images is to use Azure Defender for container registries. Azure Defender uses Qualys to scan images each time a container image is pushed to the registry.

Azure Defender scans container images on push and on import, and also scans recently pulled images. Recently pulled images are scanned on a regular basis when they have been pulled within the last 30 days. When scanning, Azure Defender pulls and runs the container image in an isolated sandbox. Any detected vulnerabilities are reported to Security Center.

Container image vulnerability scanning with Azure Defender:

  • Is currently only available for Linux-hosted ACR registries.
  • Requires that the container registry is accessible by Azure Defender. Network access cannot be restricted by firewall, Service Endpoints, or Private Endpoints.
  • Is supported in commercial clouds, but is not currently supported in sovereign or national clouds (e.g. US Gov, China Gov).
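
A pre-check for the constraints listed above, written as an added example (it is not part of the rule or of Azure tooling). It assumes the JSON field names pricingTier, publicNetworkAccess, networkRuleSet.defaultAction, privateEndpointConnections and the cloud name AzureCloud as returned by the Azure CLI; the sample documents and reason codes are constructed.

```python
import json

# Constructed sample JSON, shaped like the output of these commands
# (field names are assumptions about the Azure CLI output):
#   az security pricing show -n ContainerRegistry
#   az acr show -n <registry>
#   az cloud show
SAMPLE_PRICING = '{"name": "ContainerRegistry", "pricingTier": "Free"}'
SAMPLE_REGISTRY = json.dumps({
    "name": "exampleregistry",  # constructed registry name
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Deny",
                       "ipRules": [{"value": "203.0.113.0/24"}]},
    "privateEndpointConnections": [],
})
SAMPLE_CLOUD = '{"name": "AzureUSGovernment"}'


def scan_blockers(pricing_json, registry_json, cloud_json):
    """Return reason codes explaining why image scanning would not run."""
    pricing = json.loads(pricing_json)
    registry = json.loads(registry_json)
    cloud = json.loads(cloud_json)
    blockers = []

    # The page enables scanning by setting this plan to the Standard tier.
    if (pricing.get("pricingTier") or "").lower() != "standard":
        blockers.append("plan-not-standard")

    # Commercial cloud only; sovereign and national clouds are not supported.
    if cloud.get("name") != "AzureCloud":
        blockers.append("unsupported-cloud")

    # Registry must be reachable: no firewall, Service Endpoints or Private Endpoints.
    if (registry.get("publicNetworkAccess") or "Enabled") != "Enabled":
        blockers.append("public-access-disabled")
    rules = registry.get("networkRuleSet") or {}  # tolerate a null rule set
    if (rules.get("defaultAction") or "Allow") != "Allow":
        blockers.append("firewall-default-deny")
    if registry.get("privateEndpointConnections"):
        blockers.append("private-endpoint")
    return blockers


if __name__ == "__main__":
    for reason in scan_blockers(SAMPLE_PRICING, SAMPLE_REGISTRY, SAMPLE_CLOUD):
        print("BLOCKED:", reason)
```

An empty list means none of the listed constraints blocks scanning; the Linux-hosted requirement is not checked here.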

Recommendation

Consider using Azure Defender to scan for security vulnerabilities in container images.

Examples

Enable with Azure CLI

az security pricing create -n 'ContainerRegistry' --tier 'standard'

Enable with Azure PowerShell

Set-AzSecurityPricing -Name 'ContainerRegistry' -PricingTier 'Standard'

Notes

This rule applies when analyzing resources deployed to Azure.


Last update: 2021-09-24