Azure Container Registry Scanning

Azure Container Registry Scanning

The script below implements ACR image scanning with Azure Security Center integration:

# acr-scanning-automation.ps1

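[CmdletBinding()]
param(
    # Short name of the Azure Container Registry (not the login server).
    # ACR names are 5-50 alphanumeric characters; enforcing that here also keeps
    # the value safe to splice into the KQL query string and the `az` command line
    # built later in this script.
    [Parameter(Mandatory=$true)]
    [ValidatePattern('^[a-zA-Z0-9]{5,50}$')]
    [string]$RegistryName,

    # Resource group that contains the registry.
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$ResourceGroup,

    # Subscription to select at login; when omitted the account's default context is used.
    [Parameter(Mandatory=$false)]
    [string]$SubscriptionId
)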

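# Fail fast: a failed login or lookup must not fall through to a report that
# silently claims zero findings.
$ErrorActionPreference = 'Stop'

# Login to Azure. Only pass -Subscription when one was supplied; the parameter is
# optional and an empty string is not a usable subscription selector.
# NOTE: the `az` CLI used by Start-ACRImageScans keeps its own session and is not
# authenticated by Connect-AzAccount; run `az login` beforehand.
if ([string]::IsNullOrWhiteSpace($SubscriptionId)) {
    Connect-AzAccount
} else {
    Connect-AzAccount -Subscription $SubscriptionId
}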

# Function to enable Security Center for ACR
# Turns on the Defender pricing tier for container registries and enables the
# registry's quarantine policy.
# Arguments:
#   RegistryName  - registry to update
#   ResourceGroup - resource group that contains it
# NOTE(review): quarantine holds newly pushed images until they are released; it
# is not by itself the scan-on-push trigger the comment below suggests — confirm
# the intent. Also confirm that `Set-AzContainerRegistry` and the
# .Properties.policies.quarantinePolicy path exist in the installed
# Az.ContainerRegistry version (the module documents Update-AzContainerRegistry
# for registry changes); this path is not exercised until runtime.
function Enable-ACRSecurityScanning {
    param($RegistryName, $ResourceGroup)
    
    # Enable Azure Defender for container registries
    # No registry argument is passed here, so this presumably applies to the whole
    # subscription rather than to $RegistryName alone — verify before running in a
    # shared subscription.
    Set-AzSecurityPricing -Name "ContainerRegistry" -PricingTier "Standard"
    
    # Configure scan on push
    $registry = Get-AzContainerRegistry -Name $RegistryName -ResourceGroupName $ResourceGroup
    $registry.Properties.policies.quarantinePolicy.status = "enabled"
    $registry | Set-AzContainerRegistry
    
    Write-Host "Security scanning enabled for $RegistryName"
}

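# Function to scan all images
# Runs one Azure CLI quick task per image tag in the registry.
# Arguments:
#   RegistryName  - registry whose repositories are enumerated
#   ResourceGroup - accepted for a uniform signature; not used by the cmdlets here
# Requires an authenticated Azure CLI session (`az login`), which is separate from
# the Connect-AzAccount session used by the Az cmdlets.
function Start-ACRImageScans {
    param($RegistryName, $ResourceGroup)

    # Get all repositories
    $repositories = Get-AzContainerRegistryRepository -RegistryName $RegistryName

    foreach ($repo in $repositories) {
        Write-Host "Scanning repository: $repo"

        # Get all tags
        $tags = Get-AzContainerRegistryTag -RegistryName $RegistryName -RepositoryName $repo

        foreach ($tag in $tags.Tags) {
            # Tag entries are attribute objects whose tag string is in .Name; interpolating
            # the object itself yields its type name. Fall back to the value as-is for
            # module versions that return plain strings.
            $tagName = if ($null -ne $tag.Name) { $tag.Name } else { "$tag" }
            $imageName = "${repo}:${tagName}"
            Write-Host "  Scanning $imageName"

            # Trigger scan using Azure CLI (PowerShell cmdlet not available).
            # `az acr run` is the quick-task command that accepts --cmd; `az acr task run`
            # expects an existing task (--name) and has no --cmd option. /dev/null is the
            # documented "no build context" source location.
            # NOTE(review): `az acr scan` is not a command I can find in the Azure CLI
            # reference, and Defender scans registry images on push automatically —
            # confirm this explicit trigger is still needed.
            az acr run `
                --registry $RegistryName `
                --cmd "mcr.microsoft.com/azure-cli az acr scan --registry $RegistryName --image $imageName" `
                /dev/null
            # `az` is an external process, so $ErrorActionPreference does not cover it;
            # surface failures instead of moving on silently.
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Scan task for $imageName failed (az exit code $LASTEXITCODE)"
            }
        }
    }
}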

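# Function to get scan results
# Returns one PSCustomObject per alert raised for the registry in the last 24 hours,
# with Timestamp, Repository, Tag, Severity, Vulnerability, Description and Remediation.
# Arguments:
#   RegistryName  - registry whose alerts are selected (substring match on ResourceId)
#   ResourceGroup - accepted for a uniform signature; not used by the query
function Get-ACRScanResults {
    param($RegistryName, $ResourceGroup)

    # $RegistryName is spliced into a KQL string literal below; restrict it to the
    # characters an ACR name may contain so a quote or pipe cannot alter the query.
    if ($RegistryName -notmatch '^[a-zA-Z0-9]{5,50}$') {
        throw "Invalid registry name '$RegistryName'"
    }

    # Query Security Center for findings
    # NOTE(review): SecurityAlert is a Log Analytics table; Azure Resource Graph
    # (Search-AzGraph) exposes alerts through `securityresources` instead. Confirm
    # this query targets the intended service — it may belong in
    # Invoke-AzOperationalInsightsQuery against the workspace that receives Defender alerts.
    # `contains` is a substring match, so a registry whose name contains this one matches too.
    $query = @"
SecurityAlert
| where ResourceType == "Microsoft.ContainerRegistry/registries"
| where ResourceId contains "$RegistryName"
| where TimeGenerated > ago(24h)
| project TimeGenerated, AlertName, AlertSeverity, Description, RemediationSteps, ExtendedProperties
"@

    $findings = Search-AzGraph -Query $query

    # A List avoids re-allocating the whole array on every `+=`.
    $results = New-Object System.Collections.Generic.List[object]

    foreach ($finding in $findings) {
        # ExtendedProperties may arrive as a JSON string or already as an object;
        # only parse when it is a string so neither form throws.
        $properties = $finding.ExtendedProperties
        if ($properties -is [string]) {
            $properties = $properties | ConvertFrom-Json
        }

        $results.Add([PSCustomObject]@{
            Timestamp = $finding.TimeGenerated
            Repository = $properties.repository
            Tag = $properties.tag
            Severity = $finding.AlertSeverity
            Vulnerability = $finding.AlertName
            Description = $finding.Description
            Remediation = $finding.RemediationSteps
        })
    }

    # The leading comma keeps an empty or single-element result an array when the
    # pipeline unrolls it, so callers can rely on .Count.
    return ,$results.ToArray()
}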

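# Function to create vulnerability report
# Summarises the alerts returned by Get-ACRScanResults, writes the report as JSON
# and returns it.
# Arguments:
#   RegistryName, ResourceGroup - passed through to Get-ACRScanResults
#   OutputPath - JSON report path (default: acr-vulnerability-report.json in the current directory)
# Returns: a PSCustomObject with Registry, ScanDate, Summary and TopVulnerabilities.
function New-VulnerabilityReport {
    param($RegistryName, $ResourceGroup, $OutputPath = "acr-vulnerability-report.json")

    # @() so a single finding (or none) still behaves like a collection.
    $scanResults = @(Get-ACRScanResults -RegistryName $RegistryName -ResourceGroup $ResourceGroup)

    # Count per alert severity. The values in the Severity field are High, Medium,
    # Low and Informational; the previous layout reported each level under the
    # next-higher label (Medium alerts were counted as "High"), so each key now
    # names the severity it actually counts.
    $high = @($scanResults | Where-Object Severity -eq "High").Count
    $medium = @($scanResults | Where-Object Severity -eq "Medium").Count
    $low = @($scanResults | Where-Object Severity -eq "Low").Count
    $info = @($scanResults | Where-Object Severity -eq "Informational").Count

    # Rank used to put the most severe findings first in TopVulnerabilities.
    $rank = @{ "High" = 0; "Medium" = 1; "Low" = 2; "Informational" = 3 }

    $report = [PSCustomObject]@{
        Registry = $RegistryName
        ScanDate = Get-Date
        Summary = @{
            TotalFindings = $scanResults.Count
            # Kept for consumers of the earlier report layout; it was and remains
            # the number of High-severity alerts.
            Critical = $high
            High = $high
            Medium = $medium
            Low = $low
            Informational = $info
        }
        # Sort before taking the first 10, otherwise "top" is just query order.
        TopVulnerabilities = @($scanResults |
            Where-Object Severity -in @("High", "Medium") |
            Sort-Object { $rank[$_.Severity] } |
            Select-Object -First 10)
    }

    # Export report
    $report | ConvertTo-Json -Depth 10 | Out-File -FilePath $OutputPath

    # Send email alert if high-severity findings exist. Send-SecurityAlert is not
    # defined anywhere in this script, so check for it first rather than failing
    # exactly when there is something worth alerting on.
    if ($report.Summary.High -gt 0) {
        if (Get-Command Send-SecurityAlert -ErrorAction SilentlyContinue) {
            Send-SecurityAlert -Report $report
        } else {
            Write-Warning "$($report.Summary.High) high-severity findings but Send-SecurityAlert is not defined; no alert sent"
        }
    }

    return $report
}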

# Main execution: enable Defender for the registry, trigger scans, then build the report.
$target = @{ RegistryName = $RegistryName; ResourceGroup = $ResourceGroup }

Enable-ACRSecurityScanning @target
Start-ACRImageScans @target
$report = New-VulnerabilityReport @target

$total = $report.Summary.TotalFindings
Write-Host "Scan complete. Found $total vulnerabilities"