Azure Container Registry integration with Security Center

Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. It's based on the open-source Docker Registry 2.0.

If you're on Azure Security Center's standard tier, you can add the Container Registries bundle. This optional feature brings deeper visibility into the vulnerabilities of the images in your ARM-based registries. Enable or disable the bundle at the subscription level to cover all registries in a subscription. This feature is charged per image, as shown on the pricing page. Enabling the Container Registries bundle ensures that Security Center is ready to scan images that get pushed to the registry.

Whenever an image is pushed to your registry, Security Center automatically scans that image. To trigger the scan of an image, push it to your repository.

When the scan completes (typically after approximately 10 minutes), findings are available in Security Center recommendations like this:

[Figure: Sample Azure Security Center recommendation about vulnerabilities discovered in an Azure Container Registry (ACR) hosted image]
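The three steps above (enable the bundle for the subscription, push an image, wait for the findings) as one Azure CLI script. This is an added example, not code from the page or from Microsoft; it assumes the `az` CLI with the resource-graph extension and `docker` are installed and logged in, that `SUBSCRIPTION`, `ACR_NAME`, `IMAGE` and `TAG` are exported, and that `ASSESSMENT_KEY` holds the GUID of the ACR image-vulnerability assessment in your tenant (a placeholder you look up yourself). The `ContainerRegistry` pricing name and the `additionalData.repositoryName` field are assumptions about the CLI and Resource Graph schema.

```shell
# Added example, not the page's own code. Assumes az CLI (with the resource-graph
# extension) and docker are installed and logged in, and that SUBSCRIPTION,
# ACR_NAME, IMAGE, TAG and ASSESSMENT_KEY are exported by the caller.
set -eo pipefail
# Compose a fully qualified ACR image reference. Registry names are 5-50
# alphanumeric characters and the login server is always lower-case.
image_ref() {
  local registry="$1" repo="$2" tag="${3:-latest}"
  case "$registry" in *[!a-zA-Z0-9]*) return 1 ;; esac
  [ "${#registry}" -ge 5 ] && [ "${#registry}" -le 50 ] || return 1
  printf '%s.azurecr.io/%s:%s\n' "$(printf '%s' "$registry" | tr 'A-Z' 'a-z')" "$repo" "$tag"
}

# The bundle is switched on per subscription and then covers every registry in it.
enable_bundle() {
  az security pricing create --name ContainerRegistry --tier standard \
    --subscription "$SUBSCRIPTION" --output none
}

# Pushing the image is what triggers the scan; nothing else has to be called.
push_image() {
  local ref
  ref="$(image_ref "$ACR_NAME" "$IMAGE" "$TAG")"
  az acr login --name "$ACR_NAME"
  docker tag "$IMAGE:$TAG" "$ref"
  docker push "$ref"
}

# Findings surface roughly 10 minutes after the push; poll Resource Graph for the
# sub-assessments. ASSESSMENT_KEY is a placeholder for the GUID of the ACR
# image-vulnerability assessment in your tenant (see az security assessment list).
wait_for_findings() {
  local query="securityresources
    | where type == 'microsoft.security/assessments/subassessments'
    | where id contains '$ASSESSMENT_KEY'
    | where properties.additionalData.repositoryName == '$IMAGE'
    | project name=properties.displayName, severity=properties.status.severity"
  local n
  for _ in $(seq 1 20); do
    n="$(az graph query -q "$query" --query 'count' -o tsv)"
    if [ "${n:-0}" -gt 0 ]; then
      az graph query -q "$query" --query 'data' -o table
      return 0
    fi
    sleep 60
  done
  echo "no findings after 20 minutes" >&2; return 1
}

if [ "${1:-}" = "run" ]; then enable_bundle; push_image; wait_for_findings; fi
```

Run it as `bash scan-on-push.sh run`; without the `run` argument it only defines the functions, so they can be sourced and reused individually.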

Benefits of integration

Security Center identifies ARM-based ACR registries in your subscription and seamlessly provides:

  • Azure-native vulnerability scanning for all pushed Linux images. Security Center scans the image using a scanner from the industry-leading vulnerability scanning vendor, Qualys. This native solution is seamlessly integrated by default.

  • Security recommendations for Linux images with known vulnerabilities. Security Center provides details of each reported vulnerability and a severity classification. Additionally, it gives guidance on how to remediate the specific vulnerabilities found on each image pushed to the registry.

[Figure: High-level overview of Azure Security Center and Azure Container Registry (ACR)]

Next steps

To learn more about Security Center's container security features, see: