Azure Container Registry Azure Security Center Containers docker WSL2

Hidden gem in Azure: Scan your docker images in ACR, view results in Sub Assessment API and Azure Security Center

Why I consider this feature a true hidden gem? Well like many of my favorite Azure Services (Key Vault etc) these services are usable regardless of where you run the actual service. You might be running your docker container in private or public cloud. Regardless of the location images can be scanned by Azure Security Center, as long as you allow them to be pushed to the Azure Container Registry (Later ACR). Obviously I am biased to run those docker images in Azure, as I can choose per use case whether to use App Service, Linux VM’s or Kubernetes Cluster 🙂

Results in ASC and from Sub Assessment API

Why use the Sub Assessment API?

I would consider Sub Assessment API an excellent compliment to an existing CI/CD platform. You can integrate results from the API as conditions to evaluate if there is need fix security vulnerabilities found in images before pushing anything further in the process.


Information Security and Compliance | Qualys, Inc.
The scanner in ACR is powered by Qualys


Before proceeding you might want to check MS’s excellent existing documentation on container security features

Image scanning

Azure Security Center and Azure Container Registry (ACR) high-level overview

Docker host scanning

Continuous monitoring of Kubernetes clusters

Scan results for docker images in ACR

Azure Security Center and Azure Container Registry (ACR) high-level overview
Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings per image. Resolving the vulnerabilities can greatly improve your containers’ security posture and protect them from attacks.
(No related policy)

Cost details

Security Center Standard


The per image cost is very reasonable (excluding other subscription enabled ASC costs you might have enabled)

What is done in this blog?

  1. Push set of images to ACR
    • Via DevOps Pipeline to build and push images
    • Via your local repository
  2. View scan results in Security Center
  3. View scan results via the assessments API

What are the recommended pre-requisites?

Note this is just my setup, but its pretty damn good for this use case.

If you are seasoned Linux Pro you might have something else, but for me WSL2 bridges many gaps, and is super easy to use 🙂

  • WSL2 via the insiders preview (soon to be on the mainstream release)
  • Docker Desktop using WSL2 back-end
  • VSCode with Docker Extensions

I have the setup running as separate VM using Nested Virtualization. This keeps my main desktop fairly clean, and I don’t have Docker Desktop running in the background when I am doing something entirely non-related

The setup

Provision Azure Container Registry

If you are not using the Devops Pipeline option, then assign existing, or new Service Principal to the IAM settings as contributor (Service Principal is created as app registration in Azure AD App Registrations)

Pull any image you would like to scan from Docker Hub, or use your own image

Login to the image registry with AppID of the registry service principal

Tag your image locally in order to push it to the repository

Push the image the ACR

Alternatively you can build your own image in Azure Devops based on the application code stored in Repo, and use build pipeline to achieve similar result

Wait about 10 minutes to see the scan results in Security Center

Detailed results can be reviewed by clicking individual items

Using the Sub Assessment API


In my example I give access to all assessments under Microsoft.Security provider for the registry account. Typically you would give more narrow scope for the account:

Permissions under subscription IAM

Query the URI with Access Token using Client Credentials Flow{subscription}/providers/Microsoft.Security/subAssessments?api-version=2019-01-01-preview

Short script to filter High Severity results from the API

The script will show detailed data from the API, which you can for example integrate with your devops tool 🙂

Short example of the NodeJS script

var rq = require('request')
var util = require('util')
var options = {
    client_id: "yourAppId",
var uri = ""
function GetSubAssessment ({client_id,client_secret,resource},uri) {
    return new Promise ((resolve,reject) => {
        var options = {
            form: {
  "",options, (error,response) => {
               // console.log(response.body)
                if (error) {return reject(response.body)}
                var securityAPIoptions = {
                        "Authorization": "Bearer " + response.body.access_token
                rq.get(securityAPIoptions,(error,response2) => {
                    var obj = response2.body.value
                    //filter high results
                    var results = obj.filter((status) => {
                        return =="High"
                  // return resolve("printed results")
GetSubAssessment(options,uri).then((data) => {

The script will output results Selected in the filtering function :

Recommended further reading

Br, Joosua

0 comments on “Hidden gem in Azure: Scan your docker images in ACR, view results in Sub Assessment API and Azure Security Center


Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:

Olet kommentoimassa -tilin nimissä. Log Out /  Muuta )


Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

Muodostetaan yhteyttä palveluun %s

%d bloggaajaa tykkää tästä: