Introduction to Azure Defender for container registries

Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. It's based on the open-source Docker Registry 2.0.

To protect all the Azure Resource Manager based registries in your subscription, enable Azure Defender for container registries at the subscription level. Security Center will then scan images that are pushed to the registry, imported into the registry, or pulled within the last 30 days. This feature is charged per image.

Availability

Aspect: Details
Release state: Generally available (GA)
Pricing: Azure Defender for container registries is billed as shown on the pricing page
Supported registries and images: Linux images in ACR registries accessible from the public internet with shell access
Unsupported registries and images:
  • Windows images
  • 'Private' registries: registries with access limited by a firewall, service endpoint, or private endpoints such as Azure Private Link
  • Super-minimalist images such as Docker scratch images, or "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
Required roles and permissions: Security reader and Azure Container Registry roles and permissions
Clouds: China cloud (currently only the "scan on push" trigger is supported; learn more in When are images scanned?)

What are the benefits of Azure Defender for container registries?

Security Center identifies Azure Resource Manager based ACR registries in your subscription and seamlessly provides Azure-native vulnerability assessment and management for your registry's images.

Azure Defender for container registries includes a vulnerability scanner that scans the images in your Azure Resource Manager based Azure Container Registry registries and provides deeper visibility into your images' vulnerabilities. The integrated scanner is powered by Qualys, the industry-leading vulnerability scanning vendor.

When issues are found, by Qualys or by Security Center, you'll be notified in the Security Center dashboard. For every vulnerability, Security Center provides actionable recommendations, along with a severity classification and guidance on how to remediate the issue. For details of Security Center's recommendations for containers, see the reference list of recommendations.

Security Center filters and classifies findings from the scanner. When an image is healthy, Security Center marks it as such. Security Center generates security recommendations only for images that have issues to be resolved. For each reported vulnerability it provides details and a severity classification, together with guidance on how to remediate the specific vulnerabilities found on each image.

By notifying you only when there are problems, Security Center reduces the potential for unwanted informational alerts.

Tip

To learn more about Security Center's container security features, see:

When are images scanned?

There is currently one trigger for an image scan:

  • On push - Whenever an image is pushed to your registry, Security Center automatically scans that image. To trigger the scan of an image, push it to your repository.

The scan typically completes within 2 minutes, but it might take up to 15 minutes. Findings are made available as Security Center recommendations such as this one:

Figure: Sample Azure Security Center recommendation about vulnerabilities discovered in an Azure Container Registry (ACR) hosted image

How does Security Center work with Azure Container Registry?

Below is a high-level diagram of the components and benefits of protecting your registries with Security Center.

Figure: High-level overview of Azure Security Center and Azure Container Registry (ACR)

FAQ for Azure Container Registry image scanning

How does Security Center scan an image?

Security Center pulls the image from the registry and runs it in an isolated sandbox with the Qualys scanner. The scanner extracts a list of known vulnerabilities.

Security Center then filters and classifies the scanner's findings. Healthy images are marked as such, and security recommendations are generated only for images that have issues to be resolved. By notifying you only when there are problems, Security Center reduces the potential for unwanted informational alerts.

Can I get the scan results via REST API?

Yes. The results are exposed by the Sub-Assessments REST API. You can also use Azure Resource Graph (ARG), the Kusto-like API over all of your resources: a query can fetch the findings of a specific scan.
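The following is an added example, not Microsoft's code, showing both routes in practice: it builds the Sub-Assessments URL for one registry, fetches the pages, and condenses the findings per image digest, and it carries an equivalent Resource Graph query. The endpoint shape and api-version, the assessment key placeholder, the `securityresources` table and the JSON field names (`status.code`, `status.severity`, `additionalData.repositoryName`, `imageDigest`, `cve`, `patchable`) are assumptions to verify against your tenant; the embedded response is constructed sample data, not real scan output.

```python
"""Pull ACR vulnerability findings from the Security Center Sub-Assessments REST API
and summarize them per image digest. Added example; not Microsoft's code.

Assumptions (verify against your tenant):
  * endpoint: {scope}/providers/Microsoft.Security/assessments/{assessmentName}/subAssessments
    with api-version 2019-01-01-preview, where {scope} is the registry's ARM resource ID;
  * assessment_name is the key of the ACR vulnerability assessment (take it from the
    recommendation's URL or from Resource Graph);
  * a bearer token obtained separately, e.g. `az account get-access-token`;
  * the JSON field names used below.
"""
import json
import urllib.request
from collections import Counter

API_VERSION = "2019-01-01-preview"  # assumed API version

# Assumed-equivalent Azure Resource Graph (KQL) query; run it with `az graph query -q "..."`.
ARG_QUERY = """
securityresources
| where type == "microsoft.security/assessments/subassessments"
| where id matches regex "(?i)Microsoft.ContainerRegistry/registries/"
| extend status = properties.status.code, severity = properties.status.severity
| extend repo = properties.additionalData.repositoryName, digest = properties.additionalData.imageDigest
| where status == "Unhealthy"
| project repo, digest, severity, displayName = properties.displayName
"""


def registry_scope(subscription_id: str, resource_group: str, registry: str) -> str:
    """ARM resource ID of an ACR registry; this is the assessment scope."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.ContainerRegistry/registries/{registry}")


def subassessments_url(scope: str, assessment_name: str) -> str:
    """Build the Sub-Assessments list URL for one assessment on one registry."""
    return (f"https://management.azure.com{scope}/providers/Microsoft.Security"
            f"/assessments/{assessment_name}/subAssessments?api-version={API_VERSION}")


def fetch_subassessments(url: str, bearer_token: str) -> list:
    """GET every page (follows nextLink). Needs network access and a valid token."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


def summarize_findings(subassessments: list) -> dict:
    """Group Unhealthy findings by repository@digest: severity counts, CVE ids and the
    number of patchable findings. Healthy entries are dropped, mirroring Security
    Center's behaviour of raising recommendations only for images with issues."""
    summary = {}
    for item in subassessments:
        props = item["properties"]
        if props["status"]["code"] != "Unhealthy":
            continue
        extra = props.get("additionalData", {})
        key = f'{extra.get("repositoryName")}@{extra.get("imageDigest")}'
        entry = summary.setdefault(key, {"severities": Counter(), "cves": set(), "patchable": 0})
        entry["severities"][props["status"].get("severity", "Unknown")] += 1
        entry["cves"].update(c["title"] for c in extra.get("cve", []))
        if extra.get("patchable"):
            entry["patchable"] += 1
    return summary


# Constructed sample response (not real scan output); digests and CVE ids are placeholders.
SAMPLE = {"value": [
    {"properties": {"displayName": "placeholder finding 1",
                    "status": {"code": "Unhealthy", "severity": "High"},
                    "additionalData": {"repositoryName": "web", "imageDigest": "sha256:" + "a" * 64,
                                       "patchable": True, "cve": [{"title": "CVE-0000-0001"}]}}},
    {"properties": {"displayName": "placeholder finding 2",
                    "status": {"code": "Unhealthy", "severity": "Medium"},
                    "additionalData": {"repositoryName": "web", "imageDigest": "sha256:" + "a" * 64,
                                       "patchable": False, "cve": [{"title": "CVE-0000-0002"}]}}},
    {"properties": {"displayName": "placeholder finding 3",
                    "status": {"code": "Healthy", "severity": "Low"},
                    "additionalData": {"repositoryName": "api", "imageDigest": "sha256:" + "b" * 64}}},
]}

if __name__ == "__main__":
    scope = registry_scope("00000000-0000-0000-0000-000000000000", "rg-demo", "demoregistry")
    print(subassessments_url(scope, "<assessment-key>"))
    for image, info in summarize_findings(SAMPLE["value"]).items():
        print(image, dict(info["severities"]), sorted(info["cves"]), "patchable:", info["patchable"])
```

Against the constructed sample, only the `web` digest is reported (one High, one Medium, one patchable); the Healthy `api` entry is dropped, which is the same filtering Security Center applies before raising a recommendation. Keying on the digest rather than the tag matters for the tag-reuse case discussed later in the FAQ.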

What registry types are scanned? What types are billed?

For a list of the types of container registries supported by Azure Defender for container registries, see Availability.

If you connect unsupported registries to your Azure subscription, Azure Defender won't scan them and won't bill you for them.

Why is Security Center alerting me to vulnerabilities in an image that isn't in my registry?

Security Center provides vulnerability assessments for every image pushed to or pulled from a registry. Some images may reuse tags from an image that was already scanned. For example, you may reassign the tag "latest" every time you push a new build of an image. In such cases the "old" image still exists in the registry, now without a tag, and can still be pulled by its digest. If that image has security findings and is pulled, it exposes those vulnerabilities.
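The following added example (not Microsoft's code) makes that situation concrete: it correlates findings keyed by image digest with the registry's manifest metadata and lists vulnerable digests that no tag references any more, the ones you would otherwise never see through `docker pull repo:tag`. It assumes manifest metadata shaped like the output of `az acr manifest list-metadata --registry <registry> --name <repository>` (objects with "digest" and "tags"), findings reduced to (repository, digest, severity) tuples as carried in the sub-assessments' additionalData, and the `az acr repository delete --image repo@digest` form for removal; the manifests and findings below are constructed sample data.

```python
"""Find vulnerable image digests that are no longer referenced by any tag.
Added example; not Microsoft's code.

Assumptions: manifest metadata shaped like `az acr manifest list-metadata` output
(list of {"digest": ..., "tags": [...]}) and findings as (repo, digest, severity)
tuples taken from the sub-assessments' additionalData fields.
"""

# Constructed sample: "latest" was moved from the old build to the new one, so the
# old manifest is untagged but still present in the registry and pullable by digest.
OLD = "sha256:" + "1" * 64
NEW = "sha256:" + "2" * 64
PINNED = "sha256:" + "3" * 64
MANIFESTS = {
    "web": [
        {"digest": OLD, "tags": []},            # former "latest", now untagged
        {"digest": NEW, "tags": ["latest"]},
        {"digest": PINNED, "tags": ["v1.0"]},
    ],
}
FINDINGS = [
    ("web", OLD, "High"),       # finding on the untagged old build
    ("web", PINNED, "Medium"),  # finding on a tagged image
]


def tags_by_digest(manifests: dict) -> dict:
    """Map (repository, digest) -> list of tags currently pointing at that digest."""
    out = {}
    for repo, entries in manifests.items():
        for m in entries:
            out[(repo, m["digest"])] = list(m.get("tags") or [])
    return out


def classify_findings(manifests: dict, findings: list) -> dict:
    """For each digest with findings, report its severities, whether it is still in the
    registry, and which tags (if any) reference it. A digest that is present but untagged
    is exactly the 'image that isn't in my registry' case: `docker pull web:latest`
    will never return it, but `docker pull web@<digest>` still will."""
    tags = tags_by_digest(manifests)
    report = {}
    for repo, digest, severity in findings:
        entry = report.setdefault((repo, digest), {"severities": [], "in_registry": False, "tags": []})
        entry["severities"].append(severity)
        if (repo, digest) in tags:
            entry["in_registry"] = True
            entry["tags"] = tags[(repo, digest)]
    return report


def untagged_vulnerable(report: dict) -> list:
    """repo@digest references that carry findings yet no tag points at them; these are
    the candidates to delete (or to let an untagged-manifest retention policy remove)."""
    return [f"{repo}@{digest}" for (repo, digest), e in report.items()
            if e["in_registry"] and not e["tags"]]


if __name__ == "__main__":
    report = classify_findings(MANIFESTS, FINDINGS)
    for (repo, digest), e in report.items():
        print(repo, digest[:19], e["severities"], "tags:", e["tags"] or "<none>")
    for ref in untagged_vulnerable(report):
        # Assumed CLI form for removing a single manifest by digest.
        print(f"az acr repository delete --name <registry> --image {ref} --yes")
```

With the constructed data, `web@sha256:111...` is reported as present, vulnerable and untagged, while `web@sha256:333...` is reachable through `v1.0`. Deleting the untagged manifest (or enabling ACR's retention policy for untagged manifests, if available in your cloud) is what actually removes the exposure; merely re-pointing `latest` does not.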

Next steps