With the release of image scanning in Microsoft Defender for container registries, we received enormous interest in the scan findings from a wide audience: traditional Microsoft Defender for Cloud admins, but also repository owners and DevOps personnel.
One of the biggest challenges these audiences raised was how to use the Defender for container registries scanning capability in their integration and deployment processes, so that only scanned and healthy images reach production environments.
By embedding Microsoft Defender for container registries assessments into your CI/CD pipeline, you can address this need and make automation and deployment processes in enterprise environments more secure.
This blog will take you through a few simple steps to take your CI/CD pipeline to the next security level.
When you enable Microsoft Defender for Cloud's optional Microsoft Defender for container registries advanced security plan, the images in your container registries are scanned for vulnerabilities.
There are multiple triggers for an image scan, such as On push, On import and Recently pulled.
Microsoft Defender for container registries pulls and scans the image in an isolated sandbox. It then extracts, filters and classifies the findings, and presents them as actionable security recommendations.
Each finding Defender for container registries publishes for an image is represented as a Container Registry Vulnerability Sub Assessment.
Extract scan summary using API:
Scan summaries are available in the Microsoft Defender for Cloud dashboards. You can also access them programmatically (through our API or PowerShell) using Azure Resource Graph (ARG).
With the scan summary ARG query published in the Microsoft Defender for Cloud container image scan community on GitHub, you can fetch results for all images simply by running it via the ARG REST API, the PowerShell module or Resource Graph Explorer.
// Scan summary query: one row per image and scan status, with a bag of finding counts keyed by severity
securityresources
| where type == 'microsoft.security/assessments/subassessments'
// keep only sub-assessments that belong to the container registry vulnerability assessment
| where id matches regex '(.+?)/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/'
// the sub-assessment id embeds the registry resource id, from which the registry name is parsed
| parse id with registryResourceId '/providers/Microsoft.Security/assessments/' *
| parse registryResourceId with * "/providers/Microsoft.ContainerRegistry/registries/" registryName
| extend imageDigest = tostring(properties.additionalData.imageDigest)
| extend repository = tostring(properties.additionalData.repositoryName)
| extend scanFindingSeverity = tostring(properties.status.severity), scanStatus = tostring(properties.status.code)
| summarize scanFindingSeverityCount = count() by scanFindingSeverity, scanStatus, registryResourceId, registryName, repository, imageDigest
| summarize severitySummary = make_bag(pack(scanFindingSeverity, scanFindingSeverityCount)) by registryResourceId, registryName, repository, imageDigest, scanStatus
You can also filter the results to get a summary for a specific image or registry by adding a filter to the bottom of the query, for example:
| where imageDigest == '<ImageDigest>' and repository == '<ImageRepository>' and registryResourceId endswith '/<ImageRegistryName>'
In the ASC container image scan community on GitHub, you can also find the Image Scan Automation Enrichment Security Gate tool.
The security gate tool enriches and acts upon image scan results as part of a CI/CD pipeline, following a scan initiated by an image push.
It is built from two parts: the ImageScanSummaryAssessmentGate.ps1 PowerShell script, invoked as shown next, and an Azure DevOps pipeline job that runs it:
.\ImageScanSummaryAssessmentGate.ps1 -registryName tomerregistry -repository build -tag latest
# Run Image scan gate - which extracts image scan results and assesses whether
# to fail the pipeline based on severity threshold configuration.
# Using the ImageScanSummaryAssessmentGate.ps1 script in same repo folder
- job: ImageScanGate
  displayName: Image Scan security gate
  pool:
    vmImage: $(vmImageName)
  dependsOn:
  - BuildAndPush
  - WaitForScanResults
  steps:
  # Read more here: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-cli?view=azure-devops
  - task: AzureCLI@2
    inputs:
      azureSubscription: '<Name of the Azure Resource Manager service connection>'
      scriptType: 'pscore'
      scriptLocation: 'scriptPath'
      # Security Gate powershell script in same folder
      scriptPath: '$(Build.SourcesDirectory)/ImageScanSummaryAssessmentGate.ps1'
      arguments: '-registryName $(containerRegistry) -repository $(imageRepository) -tag $(tag)'
You can use the security gate task above as a conditional task that gates pushing the image to your production registry.
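The following is an added example, not code from the original post or from the Defender for Cloud container image scan community repository. It shows, end to end, what a gate like the one above does: it builds the post's scan-summary ARG query with the per-image filter, optionally runs it through the ARG REST API, and then evaluates the returned severitySummary rows against a severity-threshold policy, failing closed when no scan result exists yet. The row shape (severitySummary bag plus scanStatus) is taken from the query's output columns; the sample rows, the registry and subscription ids, the threshold policy and the ARG api-version are constructed assumptions for the demonstration.

```python
"""Image scan security gate built on the post's ARG scan-summary query.

Added example: not the community repository's ImageScanSummaryAssessmentGate.ps1.
Network access is isolated in fetch_summary(); the gate decision itself runs
offline on constructed rows so it can be exercised without an Azure tenant.
"""
import json
import sys
import urllib.request
from collections import Counter

# Assessment key used in the post's query (container registry image vulnerability findings).
ASSESSMENT_KEY = "dbd0cb49-b563-45e7-9724-889e799fa648"

# The post's scan-summary query, verbatim apart from the interpolated key.
BASE_QUERY = f"""securityresources
| where type == 'microsoft.security/assessments/subassessments'
| where id matches regex '(.+?)/providers/Microsoft.Security/assessments/{ASSESSMENT_KEY}/'
| parse id with registryResourceId '/providers/Microsoft.Security/assessments/' *
| parse registryResourceId with * "/providers/Microsoft.ContainerRegistry/registries/" registryName
| extend imageDigest = tostring(properties.additionalData.imageDigest)
| extend repository = tostring(properties.additionalData.repositoryName)
| extend scanFindingSeverity = tostring(properties.status.severity), scanStatus = tostring(properties.status.code)
| summarize scanFindingSeverityCount = count() by scanFindingSeverity, scanStatus, registryResourceId, registryName, repository, imageDigest
| summarize severitySummary = make_bag(pack(scanFindingSeverity, scanFindingSeverityCount)) by registryResourceId, registryName, repository, imageDigest, scanStatus"""


def _kql_literal(value):
    """Wrap a pipeline-supplied value as a KQL string literal. The values come
    from build variables, so refuse anything that could break out of the quotes
    instead of trying to escape it."""
    if any(ch in value for ch in "'\"\\\n\r"):
        raise ValueError(f"refusing to interpolate unsafe value: {value!r}")
    return f"'{value}'"


def build_summary_query(registry_name=None, repository=None, image_digest=None):
    """Return the scan-summary query narrowed with the post's per-image filter."""
    filters = []
    if image_digest:
        filters.append(f"imageDigest == {_kql_literal(image_digest)}")
    if repository:
        filters.append(f"repository == {_kql_literal(repository)}")
    if registry_name:
        filters.append(f"registryResourceId endswith {_kql_literal('/' + registry_name)}")
    if not filters:
        return BASE_QUERY
    return BASE_QUERY + "\n| where " + " and ".join(filters)


def fetch_summary(bearer_token, subscription_ids, query, api_version="2021-03-01"):
    """POST the query to the ARG REST API and return its result rows.
    Assumes the caller already holds an ARM bearer token with Reader rights on
    the subscriptions (for instance from the AzureCLI task's service connection)."""
    url = ("https://management.azure.com/providers/Microsoft.ResourceGraph/resources"
           f"?api-version={api_version}")
    body = json.dumps({"subscriptions": list(subscription_ids), "query": query}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]


def evaluate_gate(rows, max_allowed):
    """Decide whether one image may be promoted.

    rows        -- summary rows for ONE image (severitySummary bag + scanStatus).
    max_allowed -- {severity: highest acceptable finding count}; severities that
                   are not listed are not limited.
    Fails closed: no rows means the scan has not completed (or the image was
    never scanned), and an unscanned image must not reach production.
    """
    if not rows:
        return {"passed": False, "reason": "no scan result found for image", "violations": {}}
    unhealthy = [r for r in rows if r.get("scanStatus") == "Unhealthy"]
    if not unhealthy:
        return {"passed": True, "reason": "scan status is Healthy", "violations": {}}
    totals = Counter()
    for row in unhealthy:  # grouping is per scan status, so merge every Unhealthy row
        totals.update({sev: int(n) for sev, n in (row.get("severitySummary") or {}).items()})
    violations = {sev: totals[sev] for sev, limit in max_allowed.items() if totals[sev] > limit}
    if violations:
        return {"passed": False, "reason": f"findings above threshold: {violations}", "violations": violations}
    return {"passed": True, "reason": f"findings within threshold: {dict(totals)}", "violations": {}}


# Constructed sample rows in the shape the summary query returns (not real scan data).
DEMO_DIGEST = "sha256:" + "0123456789abcdef" * 4
_REGISTRY_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                "/providers/Microsoft.ContainerRegistry/registries/exampleregistry")
SAMPLE_UNHEALTHY = [{
    "registryResourceId": _REGISTRY_ID, "registryName": "exampleregistry",
    "repository": "build", "imageDigest": DEMO_DIGEST, "scanStatus": "Unhealthy",
    "severitySummary": {"High": 2, "Medium": 7, "Low": 3},
}]
SAMPLE_HEALTHY = [{**SAMPLE_UNHEALTHY[0], "scanStatus": "Healthy", "severitySummary": {}}]

if __name__ == "__main__":
    policy = {"High": 0, "Medium": 5}  # example threshold: no High, at most five Medium
    print(build_summary_query("exampleregistry", "build", DEMO_DIGEST))
    verdict = evaluate_gate(SAMPLE_UNHEALTHY, policy)
    print(verdict["reason"])
    sys.exit(0 if verdict["passed"] else 1)  # a non-zero exit code fails the pipeline job
```

In a pipeline the script would call fetch_summary with the query from build_summary_query and the digest of the image that was just pushed, then exit non-zero on a failed verdict so the conditional production push never runs. Two choices matter for safety: the gate refuses to pass an image that has no result rows yet (the scan may still be in progress, which is why the job above depends on WaitForScanResults), and build variables are only ever placed into the query as validated literals rather than concatenated raw.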
You are welcome to join the Microsoft Defender for Cloud container image scan community on GitHub.
Contribute, share and suggest useful tools to automate or improve working with the Microsoft Defender for Cloud image scan service and its results.
Tomer Weinberger, Microsoft Defender for Cloud.