How to Best Secure Your Azure Container Registry
Securing your container registry is critical. Read along as we take a look at the native Microsoft® Azure® container protection in Azure Security Center versus Trend Micro Cloud One™ – Container Security to see what's best for your security needs.
Ah the registry! Here lies all the images that serve up all the applications to your potential customers, existing customers, and employees. Pretty important job, no? So, how do we know what's going on in there from a security perspective? Well, there are a lot of solutions out there! In this article, we are going to take a look at native Microsoft Azure container protection in Azure Security Center, and Trend Micro Cloud One Container Security.
First up, let's go ahead and push a purposely vulnerable image into our Microsoft Azure Container Registry to be scanned by both solutions.
To do this with the container protection in Azure Security Center, you are going to want to make sure you have Azure Security Center configured with the standard subscription package. You will also need to make sure that the Container Registry Security service is enabled. The associated costs are displayed below for the Container Security Scanner portion among others that will be applied to your Microsoft Azure subscription.
Ok, I have Azure Security Center configured to protect my container registry. Let's give it a whirl and go ahead and push the container image into the registry. This is shown below with my docker command output in Microsoft Powershell.
Upon a successful push, the Azure Container Image scanner will start to scan your image automatically. You should be able to view your results of your scanned container image in a few minutes after the push.
Here is the summary screen after the image has been pushed. Looks like 43 total vulnerabilities were found in the image.
Here are the findings details regarding those vulnerabilities with the associated image id.
This breaks out the vulnerabilities by severity, and if you click on a security check it will give the details and the associated security patch to download.
Very cool! Let's also take a look at another container image scanner offering.
This solution is Trend Micro Cloud One Container Image Security. You can deploy this right inside your Azure Kubernetes Service (AKS). Once the helm chart is deployed inside your AKS service, you can logon to the associated console. You will need to add your Azure Container Registry (ACR). Results are shown below in comparison with the container image scan of the test vulnerable container.
If you drill down to the finding, you will see in each layer the vulnerabilities listed by layer and the details of each. Here is the associated detail view. This shows the vulnerability and the associated CVE article and patch. Very cool indeed!
One other thing that is pretty cool about the Trend Micro Cloud One Container Security is you can also integrate with your CI/CD pipeline as well. Huzzah! This is an added bonus to check for vulnerabilities before making it into your registry. This is shown below with my example pipeline.
Well, something to think about, right? Who knows what might be lurking inside your Container Registry. In summary, I would advise giving one of these tools a try to check out the overall security of your Container Registry. You might be glad you did! Both are easy to setup, deploy, and maintain and provide you instant feedback! See you next time!