With the release of image scanning using Azure Defender for container registries, we received enormous interest in the findings from a wide audience, including traditional ASC admins along with repository owners and DevOps personnel.
One of the biggest challenges raised by these audiences was how to use the Defender scanning capability in their integration and deployment processes to ensure that only scanned and healthy images reach production environments.
By embedding Azure Defender for container registries assessments into your CI/CD pipeline, you can address this need and have more secure automation and deployment processes in enterprise environments.
This blog will take you through a few simple steps to take your CI/CD pipeline to the next security level.
When you enable Security Center's optional Azure Defender for container registries advanced security plan, the images in your container registries are scanned for vulnerabilities.
There are multiple triggers for an image scan, such as On push, On import and Recently pulled.
Security Center pulls and scans the image in an isolated sandbox. It then extracts, filters and classifies the findings, and presents them as actionable security recommendations.
Each finding Security Center publishes for an image is represented as a Container Registry Vulnerability Sub Assessment.
Extract scan summary using API:
Scan summaries are available in Security Center dashboards. You can also access them programmatically (through our API or PowerShell) using the following Azure Resource Graph query:

```kusto
// Azure Resource Graph: sub-assessments live in the securityresources table.
securityresources
// Keep only vulnerability sub-assessments of the container registry assessment.
| where type == 'microsoft.security/assessments/subassessments'
| where id matches regex '(.+?)/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/'
// Recover the registry resource id and registry name from the assessment id.
| parse id with registryResourceId '/providers/Microsoft.Security/assessments/' *
| parse registryResourceId with * "/providers/Microsoft.ContainerRegistry/registries/" registryName
| extend imageDigest = tostring(properties.additionalData.imageDigest)
| extend repository = tostring(properties.additionalData.repositoryName)
| extend scanFindingSeverity = tostring(properties.status.severity), scanStatus = tostring(properties.status.code)
// Count findings per severity, then fold the counts into one bag per image.
| summarize scanFindingSeverityCount = count() by scanFindingSeverity, scanStatus, registryResourceId, registryName, repository, imageDigest
| summarize severitySummary = make_bag(pack(scanFindingSeverity, scanFindingSeverityCount)) by registryResourceId, registryName, repository, imageDigest, scanStatus
```
You can also filter the results to get the summary for a specific image or registry by adding a filter to the bottom of the query, for example:

```kusto
| where imageDigest == '<ImageDigest>' and repository == '<ImageRepository>'
    and registryResourceId endswith '/<ImageRegistryName>'
```
In the ASC container image scan GitHub community, you can also find the Image Scan Automation Enrichment Security Gate tool.
The security gate tool enriches and acts upon image scan results as part of a CI/CD pipeline, following a scan initiated by an image push.
It consists of two parts, shown below: the ImageScanSummaryAssessmentGate.ps1 PowerShell script, invoked as follows:

```powershell
.\ImageScanSummaryAssessmentGate.ps1 -registryName tomerregistry -repository build -tag latest
```

and the Azure DevOps pipeline job that runs the script after the image has been built, pushed and scanned:

```yaml
# Run Image scan gate - which extracts image scan results and assess whether
# to fail the pipeline based on severity threshold configuration.
# Using the ImageScanSummaryAssessmentGate.ps1 script in same repo folder
- job: ImageScanGate
  displayName: Image Scan security gate
  pool:
    vmImage: $(vmImageName)
  dependsOn:
  - BuildAndPush
  - WaitForScanResults
  steps:
  # Read more here: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-cli?view=azure-devops
  - task: AzureCLI@2
    inputs:
      azureSubscription: '<Name of the Azure Resource Manager service connection>'
      scriptType: 'pscore'
      scriptLocation: 'scriptPath'
      # Security Gate powershell script in same folder
      scriptPath: '$(Build.SourcesDirectory)/ImageScanSummaryAssessmentGate.ps1'
      arguments: '-registryName $(containerRegistry) -repository $(imageRepository) -tag $(tag)'
```
You can use the security gate task above as a conditional task before pushing the image to your production registry.
You are welcome to join the ASC container image scan community on GitHub.
Contribute, share and suggest useful tools to automate or improve work with the ASC image scan service and its results.
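To make the gate's decision concrete, here is an added example (not the Security Gate tool's own code): a PowerShell function, Test-ImageScanGate, that applies a per-severity threshold to rows shaped like the output of the Azure Resource Graph summary query above and fails the task when a limit is exceeded. The function name, the MaxAllowed thresholds and the sample rows are assumptions constructed for illustration.

```powershell
# Added example, not the Security Gate tool's code: a severity-threshold decision over rows shaped
# like the output of the Azure Resource Graph summary query. Sample rows are constructed inline;
# in a pipeline they would come from Search-AzGraph (Az.ResourceGraph module) running that query.

function Test-ImageScanGate {
    param(
        # Rows carrying repository, imageDigest, scanStatus and a severitySummary bag.
        [object[]] $ScanRows = @(),
        # Maximum findings tolerated per severity (assumed values); a severity not listed is not gated.
        [hashtable] $MaxAllowed = @{ High = 0; Medium = 5 }
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # No row at all means the result has not been published yet (or the digest is wrong):
    # treat it as a failure rather than letting an unscanned image through.
    if ($ScanRows.Count -eq 0) {
        $reasons.Add('No scan result found for this image; the scan may still be pending')
        return [pscustomobject]@{ Pass = $false; Reasons = $reasons.ToArray() }
    }

    foreach ($row in $ScanRows) {
        # Only 'Unhealthy' rows carry findings; 'Healthy' means scanned with nothing to report.
        if ($row.scanStatus -ne 'Unhealthy') { continue }
        foreach ($sev in $MaxAllowed.Keys) {
            # Property access works for both a hashtable and the PSCustomObject ARG returns; a missing key is 0.
            $count = [int]$row.severitySummary.$sev
            if ($count -gt $MaxAllowed[$sev]) {
                $reasons.Add("$($row.repository)@$($row.imageDigest): $count $sev finding(s), limit is $($MaxAllowed[$sev])")
            }
        }
    }
    [pscustomobject]@{ Pass = ($reasons.Count -eq 0); Reasons = $reasons.ToArray() }
}

# Constructed sample rows: one image over the High limit, one clean image.
$sampleRows = @(
    [pscustomobject]@{ repository = 'build'; imageDigest = 'sha256:<constructed-digest-a>'
                       scanStatus = 'Unhealthy'; severitySummary = @{ High = 2; Medium = 1; Low = 4 } },
    [pscustomobject]@{ repository = 'build'; imageDigest = 'sha256:<constructed-digest-b>'
                       scanStatus = 'Healthy';   severitySummary = @{} }
)

$result = Test-ImageScanGate -ScanRows $sampleRows
$result.Reasons | ForEach-Object { Write-Warning $_ }
# A non-zero exit code fails the AzureCLI@2 task, so a dependent push or deploy job never runs.
if (-not $result.Pass) { exit 1 }
```

With the sample rows the first image exceeds the High limit, so the script warns and exits 1; an empty result set also fails, which is why the job depends on WaitForScanResults.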
Tomer Weinberger, Azure Security Center.