With the 2.0 release of Sysdig Secure, we’re excited to support new integrations with services Azure provides around containers and Kubernetes. Today we’ll be diving deeper into how to integrate Sysdig Secure with ACR (Azure Container Registry) to scan images for for security, compliance, and reliability. Sysdig has offered unified monitoring and security for container and Kubernetes deployments on Azure for years, and now with native CI/CD and registry integrations we’ve moved earlier into the developer lifecycle.
About Azure Container Registry
The Azure Container Registry allows you to store container images for all types of orchestration platforms including Kubernetes, Docker or DC/OS and Azure services such as App Service, Batch, Service Fabric, and others.
Azure Container Registry Security and Sysdig Secure
Scanning images in Azure Container Registry is the same as scanning from any other Docker v2 compatible registry. Once configured, the entire registry or individual images and tags can be analyzed and then evaluated against a Sysdig Secure Scanning policy.
The first step is to pass the ACR credentials into Sysdig Secure to give access to the registry. Once configured the Sysdig Secure scanning engine can pull any image stored within the registry into the engine for analysis.
When an image is pulled into the scanning engine Sysdig Secure will provide visibility into:
- Official OS packages
- Unofficial packages
- Configuration files
- Secrets, credentials like tokens, certificates and other sensitive data
- Known vulnerabilities & available updates
These artifacts are then stored and evaluated against custom scanning policies to spot vulnerabilities, misconfiguration, or compliance issues within your images.
Scanning Container Images in Azure Container Registry
Adding an image to the scanning engine from ACR is as simple as copying the registry URL/image/tag into the Sysdig Secure UI and clicking scan image. This process can also be easily scripted to import all images and to watch repositories for updates.
Once an image has been analyzed a report will be generated that has the outcome of the policy evaluation, all vulnerabilities discovered in OS packages, configuration files, and many other artifacts which are stored for audit and compliance reasons.
This report has details showing knoxsds.azurecr.io/cassandra:latest has passed the policy evaluation, including image metadata, vulnerabilities, and even JAR archives information about what’s included in the image.
Hopefully you can see how easy it is to get up and running with both Azure Container Registry and Sysdig Secure. If you’d like to see the integration in action sign up for a trial (both SaaS and On-prem options) or follow our blog for more post about securing containers on Azure.