Identify vulnerable container images in your CI/CD workflows

This page explains how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they're built as part of your GitHub workflows.

To set up the scanner, you'll need to enable Azure Defender for container registries and the CI/CD integration. When your CI/CD workflows push images to your registries, you can view registry scan results and a summary of CI/CD scan results.

The findings of the CI/CD scans are an enrichment to the existing registry scan findings by Qualys. Azure Defender's CI/CD scanning is powered by Aqua Trivy.

You’ll get traceability information such as the GitHub workflow and the GitHub run URL, to help identify the workflows that are resulting in vulnerable images.

Tip

The vulnerabilities identified in a scan of your registry might differ from the findings of your CI/CD scans. One reason for these differences is that the registry scanning is continuous, whereas the CI/CD scanning happens immediately before the workflow pushes the image into the registry.

Availability

Release state: This CI/CD integration is in preview. We recommend that you experiment with it on non-production workflows only. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Pricing: Azure Defender for container registries is billed as shown on the Security Center pricing page.

Clouds: Commercial clouds
National/Sovereign (Azure Government, Azure China 21Vianet)

Prerequisites

To scan your images as they're pushed by CI/CD workflows into your registries, you must have Azure Defender for container registries enabled on the subscription.

Set up vulnerability scanning of your CI/CD workflows

To enable vulnerability scans of images in your GitHub workflows:

Step 1. Enable the CI/CD integration in Security Center

Step 2. Add the necessary lines to your GitHub workflow

Step 1. Enable the CI/CD integration in Security Center

  1. From Security Center's sidebar, select Pricing & settings.

  2. Select the relevant subscription.

  3. From the sidebar of the settings page for that subscription, select Integrations.

  4. In the pane that appears, select the Application Insights account to which the CI/CD scan results from your workflow will be pushed.

  5. Copy the authentication token and connection string into your GitHub workflow.

    Enable the CI/CD integration for vulnerability scans of container images in your GitHub workflows.

    Important

    The authentication token and connection string are used to correlate the ingested security telemetry with resources in the subscription. If you use invalid values for these parameters, the telemetry is dropped.

Step 2. Add the necessary lines to your GitHub workflow and perform a scan

  1. From your GitHub workflow, enable CI/CD scanning as follows:

    Tip

    We recommend creating two secrets in your repository to reference in your YAML file as shown below. The secrets can be named according to your own naming conventions. In this example, the secrets are referenced as AZ_APPINSIGHTS_CONNECTION_STRING and AZ_SUBSCRIPTION_TOKEN.

    - run: |
        echo "github.sha=$GITHUB_SHA"
        docker build -t githubdemo1.azurecr.io/k8sdemo:${{ github.sha }} .

    - uses: Azure/container-scan@v0
      name: Scan image for vulnerabilities
      id: container-scan
      # Keep going so that the scan report is still published when vulnerabilities are found.
      continue-on-error: true
      with:
        image-name: githubdemo1.azurecr.io/k8sdemo:${{ github.sha }}

    - name: Push Docker image - githubdemo1.azurecr.io/k8sdemo:${{ github.sha }}
      run: |
        docker push githubdemo1.azurecr.io/k8sdemo:${{ github.sha }}

    - name: Post logs to appinsights
      uses: Azure/publish-security-assessments@v0
      with:
        scan-results-path: ${{ steps.container-scan.outputs.scan-report-path }}
        connection-string: ${{ secrets.AZ_APPINSIGHTS_CONNECTION_STRING }}
        subscription-token: ${{ secrets.AZ_SUBSCRIPTION_TOKEN }}
    
  2. Run the workflow that will push the image to the selected container registry. Once the image is pushed into the registry, a scan of the registry runs and you can view the CI/CD scan results along with the registry scan results within Azure Security Center.

  3. View CI/CD scan results.
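A complete workflow that puts the steps above in context, as an added example that is not part of the original page or of Microsoft's documentation: it checks out the repository, logs in to the registry, builds the image, scans it before the push, pushes it, publishes the assessment to Application Insights, and finally fails the job when the scan step reported findings. The workflow name, the branch, the registry and repository names, and the ACR_USERNAME and ACR_PASSWORD secrets used for the registry login are assumptions; the two Application Insights secrets are the ones named in the tip above.

```yaml
name: build-scan-push

on:
  push:
    branches: [ main ]

env:
  # Assumed registry and repository names; replace with your own.
  REGISTRY: githubdemo1.azurecr.io
  IMAGE: githubdemo1.azurecr.io/k8sdemo

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # Assumed secrets holding the registry credentials (for example a service principal
      # with push rights on the registry). The page itself does not show the login step.
      - uses: azure/docker-login@v1
        with:
          login-server: ${{ env.REGISTRY }}
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}

      - name: Build image
        run: |
          docker build -t ${{ env.IMAGE }}:${{ github.sha }} .

      # The scan runs before the push, so the report describes exactly the image
      # that lands in the registry.
      - uses: Azure/container-scan@v0
        name: Scan image for vulnerabilities
        id: container-scan
        continue-on-error: true   # keep going so the report is still published below
        with:
          image-name: ${{ env.IMAGE }}:${{ github.sha }}

      - name: Push Docker image
        run: |
          docker push ${{ env.IMAGE }}:${{ github.sha }}

      - name: Post logs to appinsights
        uses: Azure/publish-security-assessments@v0
        with:
          scan-results-path: ${{ steps.container-scan.outputs.scan-report-path }}
          connection-string: ${{ secrets.AZ_APPINSIGHTS_CONNECTION_STRING }}
          subscription-token: ${{ secrets.AZ_SUBSCRIPTION_TOKEN }}

      # steps.<id>.outcome holds the scan step's result before continue-on-error was
      # applied, so the workflow status still reflects a failed scan after the results
      # have been published.
      - name: Fail the job if the scan step reported findings
        if: steps.container-scan.outcome == 'failure'
        run: exit 1
```

The final step only surfaces the scan outcome in the workflow status; the push and the publishing of results still happen, which matches the flow on this page where CI/CD findings are reviewed in Security Center alongside the registry scan. A team that wants to block vulnerable images from reaching the registry can move that gate ahead of the push step instead.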

View CI/CD scan results

  1. To view the findings, go to the Recommendations page. If issues were found, you'll see the recommendation Vulnerabilities in Azure Container Registry images should be remediated.

    Recommendation to remediate issues.

  2. Select the recommendation.

    The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images ("Affected resources") and the remediation steps.

  3. Open the affected resources list and select an unhealthy registry to see the repositories within it that have vulnerable images.

    Select an unhealthy registry.

    The registry details page opens with the list of affected repositories.

  5. Select a specific repository to see the images within it that are vulnerable.

    Select an unhealthy repository.

    The repository details page opens. It lists the vulnerable images together with an assessment of the severity of the findings.

  5. Select a specific image to see the vulnerabilities.

    Select an unhealthy image.

    The list of findings for the selected image opens.

    Image scan results.

  6. To learn more about which GitHub workflow is pushing these vulnerable images, select the information bubble:

    CI/CD findings about specific GitHub branches and commits.

Next steps