Skip to main content

Azure Container Registry (ACR)

The Azure Container Registry allows you to store container images within Azure. To learn about the Azure registry, read Get Started Guide in the Azure documentation.

note

Providers are the components of cnspec that allow it to evaluate specific platforms. To learn how to manage cnspec providers most efficiently for containers, read Manage cnspec Providers.

Prerequisite

cnspec uses the configuration from Azure CLI. Install the az command and log into Azure:

az login

Display all available registries:

$ az acr list --output table

NAME RESOURCE GROUP LOCATION SKU LOGIN SERVER
--------- ---------------- ---------- -------- --------------------
<acrName> <resourceGroup> eastus Standard <acrLoginServer>

List available container images:

$ az acr repository list --name <acrName> --output table

Result
-----------
centos
hello-world
ubuntu

Log into Docker to ensure the Azure CLI creates the correct docker configuration. Mondoo uses the Docker configuration to connect to Azure as well.

az acr login --name <acrName>

Scan

Once you log in, cnspec can scan the registry:

# scan the complete registry
$ cnspec scan container registry <acrLoginServer>

→ loaded configuration from /Users/suki/.config/mondoo/mondoo.yml
Start the vulnerability scan:
→ resolve asset connections
→ verify platform access to 7e5330839326
→ gather platform details
→ detected centos 6.10
→ gather platform packages for vulnerability scan
→ found 129 packages
✔ completed analysis for 7e5330839326
→ verify platform access to 92c7f9c92844
→ gather platform details
→ detected scratch
→ gather platform packages for vulnerability scan
→ found 0 packages
✔ completed analysis for 92c7f9c92844
→ verify platform access to 61844ceb1dd5
→ gather platform details
→ detected ubuntu 19.04
→ gather platform packages for vulnerability scan
→ found 89 packages
✔ completed analysis for 61844ceb1dd5
Advisory Reports Overview
■ SCORE NAME SCORE
9.8 7e5330839326 ══════════
0.0 92c7f9c92844 ══════════
0.0 61844ceb1dd5 ══════════

You can also scan individual repositories:

$ cnspec scan container registry <acrLoginServer>/centos

→ loaded configuration from /Users/suki/.config/mondoo/mondoo.yml
Start the vulnerability scan:
→ resolve asset connections
→ verify platform access to 7e5330839326
→ gather platform details
→ detected centos 6.10
→ gather platform packages for vulnerability scan
→ found 129 packages
✔ completed analysis for 7e5330839326
Advisory Report ( asset 7e5330839326):
■ SCORE PACKAGE INSTALLED VULNERABLE (<) AVAILABLE ADVISORY
9.8 python 2.6.6-66.el6_8 2.6.6-68.el6_10 2.6.6-66.el6_8 https://mondoo.app/vuln/CESA-2019%3A1467
...
→ ■ found 10 advisories: ■ 1 critical, ■ 5 high, ■ 4 medium, ■ 0 low, ■ 0 informational, ■ 0 unknown

To scan a specific container image, use:

cnspec scan docker mondooacr.azurecr.io/centos:6.10