Introduction to Azure Defender for container registries

Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. It's based on the open-source Docker Registry 2.0.

To protect all the Azure Resource Manager based registries in your subscription, enable Azure Defender for container registries at the subscription level. Security Center will then scan images that are pushed to the registry, imported into the registry, or any images pulled within the last 30 days. This feature is charged per image.


Aspect: Details
Release state: Generally available (GA)
Pricing: Azure Defender for container registries is billed as shown on the pricing page
Supported registries and images: Linux images in ACR registries accessible from the public internet with shell access
Unsupported registries and images:
  • Windows images
  • 'Private' registries: registries with access limited with a firewall, service endpoint, or private endpoints such as Azure Private Link
  • Super-minimalist images such as Docker scratch images, or "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
Required roles and permissions: Security reader and Azure Container Registry roles and permissions
Clouds: Commercial clouds; US Gov and China Gov - only the "scan on push" feature is currently supported. Learn more in When are images scanned?

What are the benefits of Azure Defender for container registries?

Security Center identifies Azure Resource Manager based ACR registries in your subscription and seamlessly provides Azure-native vulnerability assessment and management for your registry's images.

Azure Defender for container registries includes a vulnerability scanner that scans the images in your Azure Resource Manager-based Azure Container Registry registries and provides deeper visibility into your images' vulnerabilities. The integrated scanner is powered by Qualys, the industry-leading vulnerability scanning vendor.

When issues are found, by Qualys or Security Center, you'll get notified in the Security Center dashboard. For every vulnerability, Security Center provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue. For details of Security Center's recommendations for containers, see the reference list of recommendations.

Security Center filters and classifies findings from the scanner. When an image is healthy, Security Center marks it as such. Security Center generates security recommendations only for images that have issues to be resolved. Security Center provides details of each reported vulnerability and a severity classification. Additionally, it gives guidance for how to remediate the specific vulnerabilities found on each image.

By only notifying when there are problems, Security Center reduces the potential for unwanted informational alerts.


To learn more about Security Center's container security features, see:

When are images scanned?

There are three triggers for an image scan:

  • On push - Whenever an image is pushed to your registry, Security Center automatically scans that image. To trigger the scan of an image, push it to your repository.

  • Recently pulled - Since new vulnerabilities are discovered every day, Azure Defender for container registries also scans, on a weekly basis, any image that has been pulled within the last 30 days. There's no additional charge for these rescans; as mentioned above, you're billed once per image.

  • On import - Azure Container Registry has import tools to bring images to your registry from Docker Hub, Microsoft Container Registry, or another Azure container registry. Azure Defender for container registries scans any supported images you import. Learn more in Import container images to a container registry.

The scan typically completes within 2 minutes, but it might take up to 15 minutes. Findings are made available as Security Center recommendations such as this one:

Sample Azure Security Center recommendation about vulnerabilities discovered in an Azure Container Registry (ACR) hosted image

How does Security Center work with Azure Container Registry?

Below is a high-level diagram of the components and benefits of protecting your registries with Security Center.

High-level overview of Azure Security Center and Azure Container Registry (ACR)

FAQ for Azure Container Registry image scanning

How does Security Center scan an image?

Security Center pulls the image from the registry and runs it in an isolated sandbox with the Qualys scanner. The scanner extracts a list of known vulnerabilities.

Security Center filters and classifies findings from the scanner. When an image is healthy, Security Center marks it as such. Security Center generates security recommendations only for images that have issues to be resolved. By only notifying you when there are problems, Security Center reduces the potential for unwanted informational alerts.

Can I get the scan results via REST API?

Yes. The results are available under the Sub-Assessments REST API. Also, you can use Azure Resource Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific scan.
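As an added example (not code from the page or from Microsoft), the script below holds an Azure Resource Graph query for the container-registry sub-assessments and then post-processes rows of the shape that query projects. The `securityresources` column names (`properties.status.code`, `properties.additionalData.repositoryName`, `properties.additionalData.imageDigest`, the `ContainerRegistryVulnerability` resource type) are assumed from the sub-assessment schema and should be checked against your tenant; the sample rows and digests are constructed.

```python
import json
from collections import defaultdict

# Azure Resource Graph (KQL) query for Unhealthy container-registry findings.
# Column names are assumed from the securityresources sub-assessment schema.
ARG_QUERY = """
securityresources
| where type == "microsoft.security/assessments/subassessments"
| where tostring(properties.additionalData.assessedResourceType) == "ContainerRegistryVulnerability"
| extend status = tostring(properties.status.code),
         severity = tostring(properties.status.severity),
         cve = tostring(properties.id),
         repo = tostring(properties.additionalData.repositoryName),
         digest = tostring(properties.additionalData.imageDigest)
| where status == "Unhealthy"
| project repo, digest, cve, severity
"""

# Constructed sample rows in the shape the query above projects (placeholder
# digests and CVE ids; not real findings).
SAMPLE_ROWS = json.loads("""[
 {"repo": "web/frontend", "digest": "sha256:aaa", "cve": "CVE-EXAMPLE-0001", "severity": "High"},
 {"repo": "web/frontend", "digest": "sha256:aaa", "cve": "CVE-EXAMPLE-0002", "severity": "Low"},
 {"repo": "api/backend",  "digest": "sha256:bbb", "cve": "CVE-EXAMPLE-0003", "severity": "Medium"}
]""")

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def summarize(rows):
    """Group Unhealthy findings per image (repo@digest) and count them by severity.
    Keying on the digest, not the tag, keeps re-tagged 'old' images distinct."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in rows:
        summary[f"{r['repo']}@{r['digest']}"][r["severity"]] += 1
    return {img: dict(counts) for img, counts in summary.items()}


def images_to_block(rows, threshold="High"):
    """Return images with at least one finding at or above the severity threshold,
    e.g. to gate a deployment pipeline on the scan result."""
    limit = SEVERITY_RANK[threshold]
    return sorted({f"{r['repo']}@{r['digest']}" for r in rows
                   if SEVERITY_RANK.get(r["severity"], 0) >= limit})


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
    print("block:", images_to_block(SAMPLE_ROWS))
```

To run the query against live data, pass `ARG_QUERY` to the Azure CLI resource-graph extension (`az graph query -q "..."`) and feed the returned `data` array to `summarize`.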

What registry types are scanned? What types are billed?

For a list of the types of container registries supported by Azure Defender for container registries, see Availability.

If you connect unsupported registries to your Azure subscription, Azure Defender won't scan them and won't bill you for them.

Can I customize the findings from the vulnerability scanner?

Yes. If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.

Learn about creating rules to disable findings from the integrated vulnerability assessment tool.

Why is Security Center alerting me to vulnerabilities about an image that isn't in my registry?

Security Center provides vulnerability assessments for every image pushed or pulled in a registry. Some images may reuse tags from an image that was already scanned. For example, you may reassign the tag "Latest" every time you add an image to a digest. In such cases, the 'old' image does still exist in the registry and may still be pulled by its digest. If the image has security findings and is pulled, it'll expose security vulnerabilities.

