Scanning container images for vulnerabilities in ACR with ASC
One of the new features announced during Ignite 2019 for Azure Security Center (ASC) is the ability, in preview, to scan container images in Azure Container Registry (ACR).
Yes, you could of course use any container image scanning tool of your choice, such as Aqua Security or Twistlock, but now you can leverage ASC too.
I just gave it a try, loved it!
Now, for any container image pushed to ACR, I will trigger a scan to get the potential vulnerabilities detected by Qualys. For example, I gave it a try with the azure/phippyandfriends GitHub repository, and here is the resulting PR from the scans I got: https://github.com/Azure/phippyandfriends/pull/36
Concretely, here are the changes to the base images I was able to make:
As a result:
- 6 Major/High CVEs were fixed (see details in this PR)
- Container image sizes have been reduced (more agility + smaller attack surface)
  - nodebrady: 86.9MB -> 77.6MB
  - parrot: 360MB -> 116MB
  - captainkube: 45.4MB -> 43.1MB
  - phippy: 406MB -> 379MB
Here is an example from within the Azure portal of what I fixed today for the PHP base image:
Really interesting! I have learned a lot through the research I did to update those base images.
NB: I have now added to my long TODO list the implementation of the following tutorial, to help me keep such base images up to date automatically: Automate container image builds when a base image is updated in an Azure container registry.