Azure Container Registry Scanning
Implement ACR scanning with Azure Security Center integration:
# acr-scanning-automation.ps1
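<#
.SYNOPSIS
    Enables Microsoft Defender scanning for an Azure Container Registry, triggers
    scans of every image in it and produces a JSON vulnerability report.
.PARAMETER RegistryName
    Name of the registry. ACR names are 5-50 alphanumeric characters; the value is
    later spliced into a KQL query and a CLI command line, so it is validated here.
.PARAMETER ResourceGroup
    Resource group that contains the registry.
.PARAMETER SubscriptionId
    Optional subscription to select at login; the account default is used when omitted.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9]{5,50}$')]
    [string]$RegistryName,
    [Parameter(Mandatory = $true)]
    [string]$ResourceGroup,
    [Parameter(Mandatory = $false)]
    [string]$SubscriptionId
)

# Stop on the first failing cmdlet: the later steps (quarantine policy, scan
# triggers, report) must not run against a registry whose protection could
# not be enabled.
$ErrorActionPreference = 'Stop'

# Login to Azure. SubscriptionId is optional, so only pass -Subscription when a
# value was supplied instead of handing the cmdlet an empty string.
if ($SubscriptionId) {
    Connect-AzAccount -Subscription $SubscriptionId
} else {
    Connect-AzAccount
}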
# Function to enable Security Center for ACR
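function Enable-ACRSecurityScanning {
    <#
    .SYNOPSIS
        Turns on the Defender plan for container registries and enables the
        registry's quarantine policy.
    .PARAMETER RegistryName
        Name of the registry to configure.
    .PARAMETER ResourceGroup
        Resource group containing the registry.
    .OUTPUTS
        None; writes a confirmation line to the host.
    #>
    param($RegistryName, $ResourceGroup)

    # Set-AzSecurityPricing is subscription-scoped: this enables the plan for every
    # registry in the subscription, not only $RegistryName.
    # NOTE(review): newer Defender for Cloud deployments expose this as the
    # "Containers" plan; confirm which plan name your subscription accepts.
    Set-AzSecurityPricing -Name "ContainerRegistry" -PricingTier "Standard"

    # Quarantine policy: newly pushed images cannot be pulled until they are
    # explicitly released. It does not by itself trigger a scan on push.
    $registry = Get-AzContainerRegistry -Name $RegistryName -ResourceGroupName $ResourceGroup
    if (-not $registry) {
        throw "Registry '$RegistryName' was not found in resource group '$ResourceGroup'"
    }
    # NOTE(review): the property path and the piped Set-AzContainerRegistry call are
    # kept from the original; verify them against the installed Az.ContainerRegistry version.
    $registry.Properties.policies.quarantinePolicy.status = "enabled"
    $registry | Set-AzContainerRegistry
    Write-Host "Security scanning enabled for $RegistryName"
}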
# Function to scan all images
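function Start-ACRImageScans {
    <#
    .SYNOPSIS
        Enumerates every repository:tag in the registry and runs a scan task for each.
    .PARAMETER RegistryName
        Name of the registry to scan.
    .PARAMETER ResourceGroup
        Accepted for a uniform signature; not used by the cmdlets called here.
    .OUTPUTS
        None; progress and per-image failures are written to the host / warning stream.
    #>
    param($RegistryName, $ResourceGroup)

    # Repository and tag names come from the registry and are interpolated into a
    # shell command line, so anyone with push rights to the registry influences that
    # command. Only names matching the OCI distribution grammar are accepted.
    $repoPattern = '^[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*$'
    $tagPattern  = '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'

    $repositories = Get-AzContainerRegistryRepository -RegistryName $RegistryName
    foreach ($repo in $repositories) {
        if ("$repo" -notmatch $repoPattern) {
            Write-Warning "Skipping repository with unexpected name: $repo"
            continue
        }
        Write-Host "Scanning repository: $repo"

        $tags = Get-AzContainerRegistryTag -RegistryName $RegistryName -RepositoryName $repo
        # NOTE(review): .Tags is iterated as plain strings, as in the original; confirm
        # the cmdlet does not return tag objects that need .Name.
        foreach ($tag in $tags.Tags) {
            if ("$tag" -notmatch $tagPattern) {
                Write-Warning "Skipping tag with unexpected name: ${repo}:${tag}"
                continue
            }
            $imageName = "${repo}:${tag}"
            Write-Host " Scanning $imageName"

            # Ad-hoc commands run through `az acr run` (an ACR quick task); `az acr task run`
            # only executes a previously created named task and has no --cmd option.
            # "/dev/null" is the (empty) build context `az acr run` requires.
            # NOTE(review): `az acr scan` is not a CLI command I can confirm; Defender
            # scans images on push/import and on a schedule, so verify this trigger does
            # what is intended before relying on it.
            az acr run `
                --registry $RegistryName `
                --cmd "mcr.microsoft.com/azure-cli az acr scan --registry $RegistryName --image $imageName" `
                /dev/null
            # az is an external process; its failure is only visible through $LASTEXITCODE.
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Scan task failed for $imageName (exit code $LASTEXITCODE)"
            }
        }
    }
}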
# Function to get scan results
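function Get-ACRScanResults {
    <#
    .SYNOPSIS
        Returns container-registry security alerts raised for the registry within
        the lookback window.
    .PARAMETER RegistryName
        Registry name used to filter alerts by ResourceId.
    .PARAMETER ResourceGroup
        Accepted for a uniform signature; not used in the query.
    .PARAMETER LookbackHours
        How far back to query, in hours (default 24, matching the original query).
    .OUTPUTS
        Array of PSCustomObject with Timestamp, Repository, Tag, Severity,
        Vulnerability, Description and Remediation; empty when nothing was found.
    #>
    param($RegistryName, $ResourceGroup, [int]$LookbackHours = 24)

    # $RegistryName is spliced into a KQL string literal. Restricting it to the
    # characters ACR allows guarantees it can never terminate that literal.
    if ($RegistryName -notmatch '^[A-Za-z0-9]+$') {
        throw "Invalid registry name: '$RegistryName'"
    }
    if ($LookbackHours -le 0) {
        throw "LookbackHours must be a positive number of hours"
    }

    # NOTE(review): SecurityAlert is a Log Analytics table, while Search-AzGraph
    # queries Azure Resource Graph; confirm this query returns rows in your
    # environment (Invoke-AzOperationalInsightsQuery against the workspace may be
    # what is intended). Search-AzGraph also pages results, so a busy registry may
    # need an explicit -First.
    $query = @"
SecurityAlert
| where ResourceType == "Microsoft.ContainerRegistry/registries"
| where ResourceId contains "$RegistryName"
| where TimeGenerated > ago(${LookbackHours}h)
| project TimeGenerated, AlertName, AlertSeverity, Description, RemediationSteps, ExtendedProperties
"@
    $findings = Search-AzGraph -Query $query

    # Collect through the pipeline rather than += (which copies the array on every append).
    $results = @(foreach ($finding in $findings) {
        # ExtendedProperties may arrive as a JSON string or as an already-parsed object.
        $properties = $finding.ExtendedProperties
        if ($properties -is [string]) {
            $properties = $properties | ConvertFrom-Json
        }
        [PSCustomObject]@{
            Timestamp     = $finding.TimeGenerated
            Repository    = $properties.repository
            Tag           = $properties.tag
            Severity      = $finding.AlertSeverity
            Vulnerability = $finding.AlertName
            Description   = $finding.Description
            Remediation   = $finding.RemediationSteps
        }
    })
    return $results
}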
# Function to create vulnerability report
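function New-VulnerabilityReport {
    <#
    .SYNOPSIS
        Builds a summary report from Get-ACRScanResults, writes it to
        acr-vulnerability-report.json and raises an alert when high-severity
        findings exist.
    .PARAMETER RegistryName
        Registry the report covers.
    .PARAMETER ResourceGroup
        Resource group passed through to Get-ACRScanResults.
    .OUTPUTS
        PSCustomObject with Registry, ScanDate, Summary and TopVulnerabilities.
    #>
    param($RegistryName, $ResourceGroup)

    # @() so .Count behaves when zero or exactly one finding is returned.
    $scanResults = @(Get-ACRScanResults -RegistryName $RegistryName -ResourceGroup $ResourceGroup)

    # Count each AlertSeverity value under its own name. The severities this report
    # filters on are High/Medium/Low/Informational (there is no "Critical"); the
    # previous version shifted every bucket up one level, so "High" reported the
    # Medium count. Critical is kept as an alias of High so the alert check below
    # and existing consumers of Summary.Critical keep working.
    $highCount = @($scanResults | Where-Object Severity -eq "High").Count
    $summary = @{
        TotalFindings = $scanResults.Count
        Critical      = $highCount
        High          = $highCount
        Medium        = @($scanResults | Where-Object Severity -eq "Medium").Count
        Low           = @($scanResults | Where-Object Severity -eq "Low").Count
        Informational = @($scanResults | Where-Object Severity -eq "Informational").Count
    }

    # Highest severity first, so the top-10 slice holds the most urgent findings
    # instead of whatever order the query happened to return.
    $severityRank = @{ High = 0; Medium = 1; Low = 2; Informational = 3 }
    $topVulnerabilities = @($scanResults |
        Where-Object Severity -in @("High", "Medium") |
        Sort-Object { $severityRank[[string]$_.Severity] } |
        Select-Object -First 10)

    $report = [PSCustomObject]@{
        Registry           = $RegistryName
        ScanDate           = Get-Date
        Summary            = $summary
        TopVulnerabilities = $topVulnerabilities
    }

    # Export report to the working directory; -Depth 10 keeps the nested
    # Summary and finding objects intact.
    $report | ConvertTo-Json -Depth 10 | Out-File -FilePath "acr-vulnerability-report.json"

    # Alert on high-severity findings. Send-SecurityAlert is not defined in this
    # script and must come from the caller's environment; a missing definition
    # fails here loudly rather than silently skipping the alert.
    if ($report.Summary.Critical -gt 0) {
        Send-SecurityAlert -Report $report
    }
    return $report
}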
# Main execution: enable protection, trigger scans, then build the report.
Enable-ACRSecurityScanning -RegistryName $RegistryName -ResourceGroup $ResourceGroup
Start-ACRImageScans -RegistryName $RegistryName -ResourceGroup $ResourceGroup
# NOTE(review): findings are produced asynchronously after a scan is triggered,
# so a report built immediately afterwards may not yet include the images just
# queued; Get-ACRScanResults only looks back over a fixed time window.
$report = New-VulnerabilityReport -RegistryName $RegistryName -ResourceGroup $ResourceGroup
# TotalFindings counts alert rows in the query window, not distinct vulnerabilities.
Write-Host "Scan complete. Found $($report.Summary.TotalFindings) vulnerabilities"