
I know how to get repositories, we can use az acr repository list --name myregistry.

But, how to get repositories with tags that are having security/vulnerability issues after security scans using azure cli?

Python coder

1 Answer


You can't get the results directly from the CLI unfortunately. All the scan data is stored in Log Analytics (via Azure Security Centre/Defender) so you would need to query it through that using the Kusto language. This query will get the information:

securityresources
| where type == "microsoft.security/assessments"
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
  securityresources
  | where type == "microsoft.security/assessments/subassessments"
  | extend assessmentKey = extract(".*assessments/(.+?)/.*",1, id)
) on assessmentKey
| where properties.additionalData.assessedResourceType == "ContainerRegistryVulnerability"
| extend status = properties.status.code
| extend severity = properties.status.severity
Sam Cogan
  • Thanks for your answer! I can try this solution on Monday. I have gone through your blog which has more details from [here](https://samcogan.com/scanning-containers-during-builds-with-azure-security-centre/). I have some doubts, asked in [your github solution page](https://gist.github.com/sam-cogan/110599d600517488f9ffbcf30eefc868) – Python coder Sep 11 '22 at 09:05
  • Asking the same doubts here: *As the blog solution is 3 years old, do you have any new suggestions which would make the process of detecting and deleting unsecured images easy (through a bash script)? I would also like to know, sometimes I see that the old build images in the Azure container registry start throwing security vulnerability issues; what is the best way of tracking, updating (by resolving security patches), and deleting old images? (Most importantly when those old build images are in the production environment)* – Python coder Sep 11 '22 at 09:06
  • How to get the assessmentKey name? The idea behind fetching unhealthy images is to delete all the unhealthy images after updating the security patches. Can you suggest an automated way to manage security patches? Do you have any comments on [this](https://stackoverflow.com/questions/73544528/how-to-update-security-patches-in-azure-container-registry-automatically) question? – Python coder Sep 12 '22 at 05:23
  • You don't need to get the assessment key name; that code is getting all assessments, just summarising by name. You can just use this query to get all assessments, filter by failed and then use PowerShell to loop through it and delete; that is pretty much what I am doing in the gist you mention. Unfortunately, things have not really changed in ACR over the last few years: there is still no way to automate deletion, and quarantine is still in preview. In all honesty, you might want to look at a different tool, like Trivy. – Sam Cogan Sep 12 '22 at 10:36
  • Thanks for your inputs! I will check the Trivy tool. Assuming that maintaining a clean Azure container registry by automatic deletion after updating security patches is a common use case, I am surprised that there are no standard solutions from Azure other than the workarounds. Your comment is really helpful! – Python coder Sep 12 '22 at 11:27
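The answer's query plus the "filter by failed, then loop and delete" step from the comments, worked through end to end as an added example (this is not code from the question, the answer, or Sam Cogan's gist). It appends a `project` step to the query, runs it through `az graph query` (the resource-graph CLI extension), keeps only `Unhealthy` findings at or above a chosen severity, collapses them to one entry per image digest, and emits the `az acr repository delete --image repo@digest` command for each. The field names under `properties.additionalData` and `properties.resourceDetails` (`repositoryName`, `imageDigest`, `cve`, `id`) are an assumption based on the Defender sub-assessment schema; the rows in `SAMPLE_ROWS` are constructed so the filtering runs offline.

```python
"""List Defender for Cloud container-registry findings from Azure Resource Graph
and turn the Unhealthy ones into per-image `az acr repository delete` commands."""
import json
import subprocess

# The answer's query with a project step appended. The additionalData /
# resourceDetails field names are an assumption from the Defender
# sub-assessment schema; compare against `az graph query` output in your tenant.
QUERY = r"""
securityresources
| where type == "microsoft.security/assessments"
| summarize by assessmentKey=name
| join kind=inner (
  securityresources
  | where type == "microsoft.security/assessments/subassessments"
  | extend assessmentKey = extract(".*assessments/(.+?)/.*",1, id)
) on assessmentKey
| where properties.additionalData.assessedResourceType == "ContainerRegistryVulnerability"
| project registryId = tostring(properties.resourceDetails.id),
          repository = tostring(properties.additionalData.repositoryName),
          digest     = tostring(properties.additionalData.imageDigest),
          cve        = tostring(properties.additionalData.cve),
          status     = tostring(properties.status.code),
          severity   = tostring(properties.status.severity)
"""

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

_REG = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
        "/providers/Microsoft.ContainerRegistry/registries/myregistry")

# Constructed sample rows, shaped like the "data" array `az graph query` returns.
# Two findings share one digest, one finding is already Healthy.
SAMPLE_ROWS = [
    {"registryId": _REG, "repository": "app",    "digest": "sha256:aaa", "cve": "CVE-2022-0001", "status": "Unhealthy", "severity": "High"},
    {"registryId": _REG, "repository": "app",    "digest": "sha256:aaa", "cve": "CVE-2022-0002", "status": "Unhealthy", "severity": "Low"},
    {"registryId": _REG, "repository": "app",    "digest": "sha256:bbb", "cve": "CVE-2022-0003", "status": "Healthy",   "severity": "Medium"},
    {"registryId": _REG, "repository": "worker", "digest": "sha256:ccc", "cve": "CVE-2022-0004", "status": "Unhealthy", "severity": "Medium"},
]


def fetch_rows(query=QUERY, page_size=1000):
    """Run the query with the real CLI (needs `az extension add --name resource-graph`)."""
    result = subprocess.run(
        ["az", "graph", "query", "-q", query, "--first", str(page_size), "-o", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(result.stdout)["data"]


def registry_name(registry_id):
    """Last path segment of the registry resource id, e.g. 'myregistry'."""
    return registry_id.rstrip("/").rsplit("/", 1)[-1]


def unhealthy_images(rows, min_severity="Low"):
    """Map (registry, repository, digest) -> worst severity, for images that have
    at least one Unhealthy finding at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    worst = {}
    for row in rows:
        if row["status"] != "Unhealthy":
            continue
        rank = SEVERITY_RANK.get(row["severity"], 0)
        if rank < threshold:
            continue
        key = (registry_name(row["registryId"]), row["repository"], row["digest"])
        if rank > SEVERITY_RANK.get(worst.get(key), 0):
            worst[key] = row["severity"]
    return worst


def delete_commands(images):
    """The az command that would remove each flagged manifest (and every tag on it).
    Returned as strings so a human reviews them before anything is deleted."""
    return [f"az acr repository delete --name {reg} --image {repo}@{digest} --yes"
            for (reg, repo, digest) in sorted(images)]


if __name__ == "__main__":
    # Swap SAMPLE_ROWS for fetch_rows() to run against a real subscription.
    flagged = unhealthy_images(SAMPLE_ROWS, min_severity="Medium")
    for key, sev in sorted(flagged.items()):
        print(f"{sev:6} {key[0]}/{key[1]}@{key[2]}")
    print("\n".join(delete_commands(flagged)))
```

Deleting by digest removes the manifest and every tag pointing at it, so run `az acr repository show-tags` (or `az acr manifest list-metadata`) on the flagged digests first and cross-check them against what is deployed, which is the production concern raised in the comments; the script deliberately prints the commands instead of executing them.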