Hidden gem in Azure: Scan your docker images in ACR, view results in Sub Assessment API and Azure Security Center

Why do I consider this feature a true hidden gem? Well, like many of my favorite Azure services (Key Vault etc.), these services are usable regardless of where you run the actual service. You might be running your Docker container in a private or public cloud. Regardless of the location, images can be scanned by Azure Security Center, as long as you allow them to be pushed to the Azure Container Registry (later ACR). Obviously I am biased to run those Docker images in Azure, as I can choose per use case whether to use App Service, Linux VMs or a Kubernetes cluster 🙂

Results in ASC and from Sub Assessment API

Why use the Sub Assessment API?

I would consider the Sub Assessment API an excellent complement to an existing CI/CD platform. You can integrate results from the API as conditions to evaluate whether security vulnerabilities found in images need to be fixed before pushing anything further in the process.

More https://docs.microsoft.com/en-us/azure/security-center/container-security#can-i-get-the-scan-results-via-rest-api

Information Security and Compliance | Qualys, Inc.
The scanner in ACR is powered by Qualys

Background

Before proceeding you might want to check MS’s excellent existing documentation on the feature!

Overview

Azure Security Center and Azure Container Registry (ACR) high-level overview
https://docs.microsoft.com/en-us/azure/security-center/azure-container-registry-integration
Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys): Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers’ security posture and protect them from attacks.
(No related policy)
https://docs.microsoft.com/bs-latn-ba/azure/security-center/recommendations-reference#recs-containers

Cost details

Security Center Standard https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing

ACR https://azure.microsoft.com/en-us/services/container-registry

The per image cost is very reasonable (excluding other subscription enabled ASC costs you might have enabled)

What is done in this blog?

  1. Push set of images to ACR
    • Via DevOps Pipeline to build and push images
    • Via your local repository
  2. View scan results in Security Center
  3. View scan results via the assessments API

What are the recommended pre-requisites?

Note this is just my setup, but it's pretty damn good for this use case.

If you are a seasoned Linux pro you might have something else, but for me WSL2 bridges many gaps, and is super easy to use 🙂

  • WSL2 via the insiders preview (soon to be on the mainstream release)
  • Docker Desktop using WSL2 back-end
  • VSCode with Docker Extensions

I have the setup running as a separate VM using Nested Virtualization. This keeps my main desktop fairly clean, and I don’t have Docker Desktop running in the background when I am doing something entirely non-related.

The setup

Provision Azure Container Registry

If you are not using the DevOps Pipeline option, then assign an existing or new Service Principal to the IAM settings as Contributor (the Service Principal is created as an app registration in Azure AD App Registrations)

Pull any image you would like to scan from Docker Hub, or use your own image

Log in to the image registry with the AppID of the registry service principal

Tag your image locally in order to push it to the repository

Push the image to the ACR

Alternatively, you can build your own image in Azure DevOps based on the application code stored in a repo, and use a build pipeline to achieve a similar result

Wait about 10 minutes to see the scan results in Security Center

Detailed results can be reviewed by clicking individual items

Using the Sub Assessment API

KB: https://docs.microsoft.com/en-us/rest/api/securitycenter/subassessments/listall

In my example I give access to all assessments under the Microsoft.Security provider for the registry account. Typically you would give a narrower scope for the account:

Permissions under subscription IAM

Query the URI with Access Token using Client Credentials Flow

https://management.azure.com/subscriptions/{subscription}/providers/Microsoft.Security/subAssessments?api-version=2019-01-01-preview

Short script to filter High Severity results from the API

The script will show detailed data from the API, which you can for example integrate with your devops tool 🙂

Short example of the NodeJS script

var rq = require('request')
var util = require('util')

// Service principal credentials; the secret is read from the environment
// variable "KeyVaultSecret" instead of being stored in the script
var options = {
    client_id: "yourAppId",
    client_secret: process.env["KeyVaultSecret"],
    resource: "https://management.azure.com",
}
var uri = "https://management.azure.com/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/providers/Microsoft.Security/subAssessments?api-version=2019-01-01-preview"

// Gets an access token with the client credentials flow, then queries the Sub Assessment API
function GetSubAssessment ({client_id, client_secret, resource}, uri) {
    return new Promise((resolve, reject) => {
        var tokenOptions = {
            json: true,
            headers: {
                "content-type": "application/x-www-form-urlencoded"
            },
            form: {
                grant_type: "client_credentials",
                client_id,
                client_secret,
                resource,
            }
        }
        rq.post("https://login.microsoftonline.com/dewired.onmicrosoft.com/oauth2/token", tokenOptions, (error, response) => {
            // On a transport error there is no response object to read
            if (error) { return reject(error) }
            // The token endpoint returns an error body when the credentials are rejected
            if (!response.body || !response.body.access_token) { return reject(response.body) }
            var securityAPIoptions = {
                json: true,
                uri,
                headers: {
                    "Authorization": "Bearer " + response.body.access_token
                }
            }

            rq.get(securityAPIoptions, (error, response2) => {
                if (error) { return reject(error) }
                var obj = response2.body && response2.body.value
                // Reject instead of crashing when the API returns an error body
                if (!Array.isArray(obj)) { return reject(response2.body) }
                console.log(obj.length)
                // Keep only the high severity results
                var results = obj.filter((item) => {
                    return item.properties.status.severity == "High"
                })

                resolve(results)
            })
        })
    })
}

GetSubAssessment(options, uri).then((data) => {
    console.log(util.inspect(data, false, 10, true))
}).catch((err) => {
    console.error(err)
})

The script will output the results selected in the filtering function:
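The CI/CD condition mentioned earlier, as an added example that is not part of the original post: it follows result pages before deciding, and fails closed on error bodies and unknown severities. Only `properties.status.severity` comes from the script above; `nextLink`, `properties.displayName`, the injected `fetchPage` function and the sample pages are assumptions made for this example.

```javascript
// Added example, not the original post's code. Only properties.status.severity
// comes from the post; nextLink and properties.displayName are assumed fields,
// and SAMPLE_PAGES is constructed data.
const SEVERITY_RANK = new Map([['Low', 1], ['Medium', 2], ['High', 3]])

// Follow nextLink until no further page is announced, so findings on later
// pages are not skipped. fetchPage(uri) is a caller-supplied (hypothetical)
// function that resolves to the parsed JSON body of one page.
async function collectSubAssessments (fetchPage, firstUri, maxPages = 50) {
  const items = []
  let uri = firstUri
  for (let page = 0; uri; page++) {
    if (page >= maxPages) throw new Error('pagination limit reached')
    const body = await fetchPage(uri)
    // An error body (expired token, missing permission) must fail the gate.
    if (!body || !Array.isArray(body.value)) {
      throw new Error('unexpected response for ' + uri)
    }
    items.push(...body.value)
    uri = body.nextLink
  }
  return items
}

// Block the pipeline on any finding at or above the threshold. A finding with
// a missing or unknown severity also blocks (fail closed).
function evaluateGate (items, threshold = 'High') {
  const min = SEVERITY_RANK.get(threshold)
  if (!min) throw new Error('unknown threshold: ' + threshold)
  const blocking = items.filter((item) => {
    const status = (item && item.properties && item.properties.status) || {}
    const rank = SEVERITY_RANK.get(status.severity)
    return rank === undefined || rank >= min
  })
  const names = blocking.map((item) =>
    (item && item.properties && item.properties.displayName) || '(unnamed finding)')
  return { pass: blocking.length === 0, blocking: names }
}

// Constructed two-page response: the High finding sits on the second page.
const finding = (displayName, severity) => ({ properties: { displayName, status: { severity } } })
const SAMPLE_PAGES = {
  page1: { value: [finding('constructed-low', 'Low')], nextLink: 'page2' },
  page2: { value: [finding('constructed-high', 'High')] }
}
const sampleFetch = async (uri) => SAMPLE_PAGES[uri]

collectSubAssessments(sampleFetch, 'page1')
  .then((items) => console.log(evaluateGate(items)))
```

In a pipeline step, `fetchPage` would wrap the authenticated GET from the script above, and the step would exit non-zero when `pass` is false.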

Recommended further reading

https://docs.docker.com/docker-for-windows/wsl-tech-preview/

Br, Joosua
