Scan Azure Container Registry (ACR) Images with cnspec
Scan Azure Container Registry images for security vulnerabilities and misconfigurations with cnspec.
The Azure Container Registry (ACR) stores container images within Azure. To learn the basics, read the Get Started Guide in the Azure documentation.
If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.
Prerequisites
cnspec uses your Azure CLI configuration. Install the az command and log in:
az login
List the registries available to your account:
az acr list --output table
NAME       RESOURCE GROUP    LOCATION    SKU       LOGIN SERVER
---------  ----------------  ----------  --------  --------------------
<acrName>  <resourceGroup>   eastus      Standard  <acrLoginServer>
List images in a registry:
az acr repository list --name <acrName> --output table
Scan ACR
Scan an entire registry:
cnspec scan container registry <acrLoginServer>
cnspec resolves each image, applies the OS security policies that match its platform, and reports vulnerabilities and advisories. For example:
Start the vulnerability scan:
→ resolve asset connections
→ detected ubuntu 24.04
→ gather platform packages for vulnerability scan
→ found 121 packages
✔ completed analysis for <imageId>
Advisory Reports Overview
■ SCORE NAME SCORE
■ 6.5 <imageId-1> ══════════
■ 0.0 <imageId-2> ══════════
Scan a specific repository:
cnspec scan container registry <acrLoginServer>/<repository>
Scan a specific image:
cnspec scan docker <acrLoginServer>/<repository>:<tag>
Learn more
- Secure Microsoft Azure with cnspec: scan Azure subscriptions
- Secure Docker Images with cnspec: scan a specific image from any registry
- Write Effective MQL: guide to authoring checks and queries
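A per-image variant of the Scan ACR commands, as an added example that is not part of the original page or the cnspec project: it lists every repository and tag with the Azure CLI and runs `cnspec scan docker` on each one, continuing after a failure. The function names, `ACR_NAME` and `FAILED_IMAGES` are made up for this sketch, `az acr show` and `az acr repository show-tags` are Azure CLI commands the page does not use, and treating a non-zero cnspec exit status as a failed scan is an assumption.

```shell
#!/bin/sh
# Added example, not cnspec project code. Function names, ACR_NAME and
# FAILED_IMAGES are made up here; a non-zero cnspec exit status is assumed
# to mean the scan failed.

# Print one <loginServer>/<repository>:<tag> reference per line.
list_acr_images() {
    acr_name=$1
    login_server=$(az acr show --name "$acr_name" \
        --query loginServer --output tsv) || return 1
    az acr repository list --name "$acr_name" --output tsv |
    while IFS= read -r repo; do
        [ -n "$repo" ] || continue
        # </dev/null keeps the inner az call from consuming the repository list.
        az acr repository show-tags --name "$acr_name" \
            --repository "$repo" --output tsv </dev/null |
        while IFS= read -r tag; do
            [ -n "$tag" ] || continue
            printf '%s/%s:%s\n' "$login_server" "$repo" "$tag"
        done
    done
}

# Scan every image, continuing after a failure so one bad image does not
# hide the rest. Sets FAILED_IMAGES (one reference per line) and returns 1
# if any scan failed, 2 if the registry lookup (az acr show) failed.
scan_acr_images() {
    FAILED_IMAGES=
    images=$(list_acr_images "$1") || return 2
    for image in $images; do   # image references contain no whitespace
        echo "==> cnspec scan docker $image"
        if ! cnspec scan docker "$image"; then
            FAILED_IMAGES="${FAILED_IMAGES}${image}
"
        fi
    done
    [ -z "$FAILED_IMAGES" ]
}

# Runs only when a registry name is supplied: ACR_NAME=<acrName> sh scan-acr.sh
if [ -n "${ACR_NAME:-}" ]; then
    scan_acr_images "$ACR_NAME" || {
        printf 'cnspec reported failures for:\n%s' "$FAILED_IMAGES" >&2
        exit 1
    }
fi
```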