Identify vulnerable container images in your CI/CD workflows
This page explains how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they're built as part of your GitHub workflows.
To set up the scanner, you'll need to enable Microsoft Defender for container registries and the CI/CD integration. When your CI/CD workflows push images to your registries, you can view registry scan results and a summary of CI/CD scan results.
The findings of the CI/CD scans are an enrichment to the existing registry scan findings by Qualys. Defender for Cloud's CI/CD scanning is powered by Aqua Trivy.
You’ll get traceability information such as the GitHub workflow and the GitHub run URL, to help identify the workflows that are resulting in vulnerable images.
Tip
The vulnerabilities identified in a scan of your registry might differ from the findings of your CI/CD scans. One reason for these differences is that the registry scanning is continuous, whereas the CI/CD scanning happens immediately before the workflow pushes the image into the registry.
Availability
| Aspect | Details |
|---|---|
| Release state: | This CI/CD integration is in preview. We recommend that you experiment with it on non-production workflows only. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |
| Pricing: | Microsoft Defender for container registries is billed as shown on the pricing page. |
| Clouds: | |
Prerequisites
To scan your images as they're pushed by CI/CD workflows into your registries, you must have Microsoft Defender for container registries enabled on the subscription.
Set up vulnerability scanning of your CI/CD workflows
To enable vulnerability scans of images in your GitHub workflows:
Step 1. Enable the CI/CD integration in Defender for Cloud
Step 2. Add the necessary lines to your GitHub workflow
Step 1. Enable the CI/CD integration in Defender for Cloud
From Defender for Cloud's menu, open Environment settings.
Select the relevant subscription.
From the sidebar of the settings page for that subscription, select Integrations.
In the pane that appears, select the Application Insights account to which your workflow will push the CI/CD scan results.
Copy the authentication token and connection string into your GitHub workflow.
Important
The authentication token and connection string are used to correlate the ingested security telemetry with resources in the subscription. If you use invalid values for these parameters, the telemetry will be dropped.
Step 2. Add the necessary lines to your GitHub workflow and perform a scan
From your GitHub workflow, enable CI/CD scanning as follows:
Tip
We recommend creating two secrets in your repository to reference in your YAML file as shown below. The secrets can be named according to your own naming conventions. In this example, the secrets are referenced as AZ_APPINSIGHTS_CONNECTION_STRING and AZ_SUBSCRIPTION_TOKEN.
Important
The push to the registry must happen prior to the results being published.
```yaml
- name: Build and Tag Image
  run: |
    echo "github.sha=$GITHUB_SHA"
    docker build -t githubdemo1.azurecr.io/k8sdemo:${{ github.sha }} .

- uses: Azure/container-scan@v0
  name: Scan image for vulnerabilities
  id: container-scan
  continue-on-error: true
  with:
    image-name: githubdemo1.azurecr.io/k8sdemo:${{ github.sha }}

- name: Push Docker image
  run: |
    docker push githubdemo1.azurecr.io/k8sdemo:${{ github.sha }}

- name: Post logs to appinsights
  uses: Azure/publish-security-assessments@v0
  with:
    scan-results-path: ${{ steps.container-scan.outputs.scan-report-path }}
    connection-string: ${{ secrets.AZ_APPINSIGHTS_CONNECTION_STRING }}
    subscription-token: ${{ secrets.AZ_SUBSCRIPTION_TOKEN }}
```
Run the workflow that will push the image to the selected container registry. Once the image is pushed into the registry, a scan of the registry runs and you can view the CI/CD scan results along with the registry scan results within Microsoft Defender for Cloud.
Running the above YAML file will install an instance of Aqua Security's Trivy in your build system. Trivy is licensed under the Apache 2.0 License and has dependencies on data feeds, many of which contain their own terms of use.
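The snippet above is a fragment of a job. The complete workflow below is an added example (not from this page or from Microsoft) that wraps those steps in a runnable job: it logs in to the registry, keeps `continue-on-error: true` on the scan so the push and the publish step still run, and then fails the job afterwards if the scan reported findings, so a vulnerable image is both recorded in Defender for Cloud and visible as a red run in GitHub. The secret names `ACR_USERNAME` and `ACR_PASSWORD` and the `severity-threshold` input of `Azure/container-scan` are assumptions; the registry and image names are the page's own placeholders.

```yaml
name: build-scan-push

on:
  push:
    branches: [ main ]

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Authenticate to the registry so the later push succeeds.
      # ACR_USERNAME / ACR_PASSWORD are assumed secret names (assumption).
      - uses: azure/docker-login@v1
        with:
          login-server: githubdemo1.azurecr.io
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}

      - name: Build and Tag Image
        run: docker build -t githubdemo1.azurecr.io/k8sdemo:${{ github.sha }} .

      # continue-on-error keeps the job going so the image is still pushed
      # and the scan results are still published to Application Insights.
      - uses: Azure/container-scan@v0
        name: Scan image for vulnerabilities
        id: container-scan
        continue-on-error: true
        with:
          image-name: githubdemo1.azurecr.io/k8sdemo:${{ github.sha }}
          severity-threshold: HIGH   # assumption: input name of the action

      # The push must precede publishing (see the Important note above).
      - name: Push Docker image
        run: docker push githubdemo1.azurecr.io/k8sdemo:${{ github.sha }}

      - name: Post logs to appinsights
        uses: Azure/publish-security-assessments@v0
        with:
          scan-results-path: ${{ steps.container-scan.outputs.scan-report-path }}
          connection-string: ${{ secrets.AZ_APPINSIGHTS_CONNECTION_STRING }}
          subscription-token: ${{ secrets.AZ_SUBSCRIPTION_TOKEN }}

      # Surface the scan outcome only after the results have been published,
      # so the run is marked failed without losing the Defender for Cloud record.
      - name: Fail the job if the scan found vulnerabilities
        if: steps.container-scan.outcome == 'failure'
        run: |
          echo "Container scan reported findings at or above the severity threshold"
          exit 1
```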
View CI/CD scan results
To view the findings, open the Recommendations page. If issues were found, you'll see the recommendation Container registry images should have vulnerability findings resolved (powered by Qualys).

Select the recommendation.
The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images ("Affected resources") and the remediation steps.
Open the affected resources list and select an unhealthy registry to see the repositories within it that have vulnerable images.
The registry details page opens with the list of affected repositories.
Select a specific repository to see the images within it that have vulnerable findings.
The repository details page opens. It lists the vulnerable images together with an assessment of the severity of the findings.
Select a specific image to see the vulnerabilities.
The list of findings for the selected image opens.
To learn more about which GitHub workflow is pushing these vulnerable images, select the information bubble:
Next steps
Learn more about the advanced protection plans of Microsoft Defender for Cloud.