Azure Container Registry Image Scanning

Azure Container Registry (ACR) is a managed, private container registry provided by Azure for storing Docker and Kubernetes images. The registry is based on the open-source Docker Registry 2.0.

Image scanning is important for any Docker registry. It gives developers and administrators visibility into the vulnerabilities affecting their images so they can take action and remediate them.

To use ACR image scanning, the subscription has to enable the Azure Security Center standard tier and add the container registries bundle. This feature brings deeper visibility into the vulnerabilities affecting container images. Pricing for image scanning is based on the number of images.

When an image is pushed to the registry it is scanned by ACR, and a report of the vulnerabilities is provided. Each scan takes approximately 10 minutes, and the findings are shown as a recommendation in Azure Security Center.

Enable the ACR Image Scanning

Enable Azure Security Center Standard Tier

Next, enable the container registries bundle.

ACR scanning uses Azure-native vulnerability scanning for all pushed Linux images. The scanning is performed by the industry-leading vulnerability scanning vendor, Qualys.

Azure Security Center and Azure Container Registry (ACR) high-level overview
Source:- Microsoft

NOTE:- If you enable image scanning after images have already been pushed to the repository, you have to push an image to start the scanning; until then, the scan won't start.
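The steps above (enable the Standard tier, add the container registries bundle, then push an image so scanning begins) can be scripted with the Azure CLI. The script below is an added example and is not part of the original post or Microsoft's own tooling. It assumes the `az` CLI and Docker are installed and logged in, that the pricing name `ContainerRegistry` matches the Security Center bundle in your subscription, and that the registry, repository and tag values (`myregistry`, `myapp`, `v1`) are placeholders you replace; the assessment name filter in the last step is likewise an assumption about the recommendation wording.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): enable Security Center's Standard
# tier for the container registries bundle, re-push an image so ACR starts
# scanning it, and list the resulting assessments.
# Assumptions: az CLI and Docker are installed and logged in; the pricing name
# "ContainerRegistry" matches the Security Center bundle; registry/repo/tag
# values are placeholders supplied by the caller.
set -eu

# run: execute the command, or only print it when DRY_RUN=1 (handy for review).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: switch the container registries bundle to the Standard tier.
enable_registry_scanning() {
  run az security pricing create --name ContainerRegistry --tier standard
}

# Step 2: images pushed before scanning was enabled are not scanned until a new
# push arrives, so pull the existing image and push it back to the registry.
retrigger_scan() {
  local registry="$1" repo="$2" tag="$3"
  local image="${registry}.azurecr.io/${repo}:${tag}"
  run az acr login --name "$registry"
  run docker pull "$image"
  run docker push "$image"
}

# Step 3: list Security Center assessments whose name mentions container
# registries (the displayName filter is an assumption; adjust it to the
# wording shown in your tenant).
list_findings() {
  run az security assessment list \
    --query "[?contains(displayName, 'Container Registry')].{name:displayName, status:status.code}" \
    -o table
}

# Usage: DRY_RUN=1 ./acr-scan.sh myregistry myapp v1   (print the commands only)
#        ./acr-scan.sh myregistry myapp v1             (execute them)
if [ "$#" -eq 3 ]; then
  enable_registry_scanning
  retrigger_scan "$1" "$2" "$3"
  list_findings
fi
```

Run it once with `DRY_RUN=1` to review exactly which commands will be issued against the subscription before executing them for real; the re-push in step 2 is what satisfies the note above, since scanning only starts on a push that arrives after the bundle is enabled.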

Following are the recommendations from Azure Security Center.

You can click the recommendation to see more details about it.

Under security check findings, it shows all the findings found in the images.

For additional details, follow the links below.