One of the new features announced during Ignite 2019 for Azure Security Center (ASC) is the ability, in Preview, to scan container images in Azure Container Registry (ACR).
Yes, you could certainly use any container image scanning tool of your choice, like Aqua Security or Twistlock, but now you can leverage ASC too.

I just gave it a try, loved it!

To continue working on my security posture on Azure, I have been leveraging ASC (Standard SKU) and followed this guide.

Now, for any container image pushed to ACR, I will trigger a scan to get the potential vulnerabilities detected by Qualys. For example, I gave it a try with the azure/phippyandfriends GitHub repository, and here is the resulting PR from the scans I got: https://github.com/Azure/phippyandfriends/pull/36

Concretely, here are the base image changes I was able to make:

  • microsoft/aspnetcore:2.0 –> mcr.microsoft.com/dotnet/core/aspnet:3.1-alpine
  • node:8.9-alpine –> node:10-alpine
  • php:7.1-apache –> php:7.3.12-apache-stretch
  • golang:1.10.3 –> golang:1.13.4
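As an added example (not code from the post or from the phippyandfriends repository), here is a small Python checker that flags and rewrites the outdated FROM lines listed above; the upgrade table and the sample Dockerfile are constructed assumptions, and the pinned targets are simply the ones the post used:

```python
import re
from typing import Dict, List, Tuple

# Constructed table of the four base-image upgrades from the post (pinned as of
# December 2019); treat the targets as an assumption to refresh, not advice.
BASE_IMAGE_UPGRADES: Dict[str, str] = {
    "microsoft/aspnetcore:2.0": "mcr.microsoft.com/dotnet/core/aspnet:3.1-alpine",
    "node:8.9-alpine": "node:10-alpine",
    "php:7.1-apache": "php:7.3.12-apache-stretch",
    "golang:1.10.3": "golang:1.13.4",
}

# A FROM instruction, tolerating --platform=... flags and multi-stage "AS name".
FROM_RE = re.compile(
    r"^(?P<prefix>\s*FROM\s+(?:--[\w-]+=\S+\s+)*)(?P<image>\S+)"
    r"(?P<suffix>(?:\s+AS\s+\S+)?\s*)$",
    re.IGNORECASE,
)

def find_outdated_bases(dockerfile: str) -> List[Tuple[int, str, str]]:
    """(line_number, current_image, suggested_image) for each FROM in the table.
    References to earlier stages (e.g. "FROM build") never match."""
    findings = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if m and m.group("image") in BASE_IMAGE_UPGRADES:
            findings.append((lineno, m.group("image"), BASE_IMAGE_UPGRADES[m.group("image")]))
    return findings

def upgrade_bases(dockerfile: str) -> str:
    """Rewrite outdated FROM images in place, keeping flags and stage aliases."""
    out = []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if m and m.group("image") in BASE_IMAGE_UPGRADES:
            line = m.group("prefix") + BASE_IMAGE_UPGRADES[m.group("image")] + m.group("suffix")
        out.append(line)
    return "\n".join(out) + ("\n" if dockerfile.endswith("\n") else "")

# Constructed multi-stage Dockerfile in the style of the captainkube service,
# using the outdated Go base twice plus a stage reference that must be left alone.
SAMPLE_DOCKERFILE = """\
FROM golang:1.10.3 AS build
COPY . .
RUN go build -o /captainkube .
FROM --platform=linux/amd64 golang:1.10.3
COPY --from=build /captainkube /captainkube
ENTRYPOINT ["/captainkube"]
"""
```

Running `find_outdated_bases` over a repository's Dockerfiles before pushing to ACR catches the base images the scanner would otherwise report after the fact.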

As a result:

  • 6 Major/High CVEs were fixed (see details in this PR)
  • Container image sizes have been reduced (more agility + smaller attack surface)
    • nodebrady: 86.9MB –> 77.6MB
    • parrot: 360MB –> 116MB
    • captainkube: 45.4MB –> 43.1MB
    • phippy: 406MB –> 379MB

Here is an example, from within the Azure portal, of what I fixed today for the PHP base image:

Screenshot of a scan result showing an important CVE fixed with the implementation of this blog article.

Really interesting! I have learned a lot through the research I did to update those base images.

NB: I have now added to my long TODO list the implementation of the following tutorial, to help me keep such base images up to date automatically: Automate container image builds when a base image is updated in an Azure container registry.

For pricing details, you can look at this and this.

Cheers!