Use Azure Defender for container registries to scan your images for vulnerabilities

This page explains how to use the built-in vulnerability scanner to scan the container images stored in your Azure Resource Manager-based Azure Container Registry.

When Azure Defender for container registries is enabled, any image you push to your registry is scanned immediately. In addition, any image pulled within the last 30 days is also scanned.

When the scanner reports vulnerabilities to Security Center, Security Center presents the findings and related information as recommendations. The findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.

Availability

Aspect: Details
Release state: Generally available (GA)
Pricing: Azure Defender for container registries is billed as shown on the pricing page
Supported registries and images: Linux images in ACR registries accessible from the public internet with shell access
Unsupported registries and images:
  - Windows images
  - "Private" registries
  - Registries with access limited by a firewall, service endpoint, or private endpoints such as Azure Private Link
  - Super-minimalist images such as Docker scratch images, or "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS
Required roles and permissions: Security reader and Azure Container Registry roles and permissions
Clouds: China cloud: currently only the "scan on push" capability is supported. Learn more in When are images scanned?

Identify vulnerabilities in images in Azure container registries

To enable vulnerability scans of images stored in your Azure Resource Manager-based Azure Container Registry:

  1. Enable Azure Defender for container registries for your subscription. Security Center is now ready to scan images in your registries.

    Note

    This feature is charged per image.

  2. Image scans are triggered on every push or import, and if the image has been pulled within the last 30 days.

    When the scan completes (typically after approximately 2 minutes, but it can take up to 15 minutes), findings are available as Security Center recommendations.

  3. View and remediate findings as explained below.

Identify vulnerabilities in images in other container registries

  1. Use the ACR tools to bring images to your registry from Docker Hub or Microsoft Container Registry. When the import completes, the imported images are scanned by Azure Defender.

    Learn more in Import container images to a container registry.

    When the scan completes (typically after approximately 2 minutes, but it can take up to 15 minutes), findings are available as Security Center recommendations.

  2. View and remediate findings as explained below.

View and remediate findings

  1. To view the findings, go to the Recommendations page. If issues were found, you'll see the recommendation "Vulnerabilities in Azure Container Registry images should be remediated".


  2. Select the recommendation.

    The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images ("Affected resources") and the remediation steps.

  3. Select a specific registry to see the repositories within it that contain vulnerable images.


    The registry details page opens with the list of affected repositories.

  4. Select a specific repository to see the vulnerable images within it.


    The repository details page opens. It lists the vulnerable images together with an assessment of the severity of the findings.

  5. Select a specific image to see its vulnerabilities.


    The list of findings for the selected image opens.


  6. To learn more about a finding, select it.

    The findings details pane opens.


    This pane includes a detailed description of the issue and links to external resources that help mitigate the threat.

  7. Follow the steps in the remediation section of this pane.

  8. When you have taken the steps required to remediate the security issue, replace the image in your registry:

    1. Push the updated image. This triggers a scan.

    2. Check the Recommendations page for the recommendation "Vulnerabilities in Azure Container Registry images should be remediated".

      If the recommendation still appears and the image you handled still appears in the list of vulnerable images, check the remediation steps again.

    3. When you are sure the updated image has been pushed, scanned, and no longer appears in the recommendation, delete the "old" vulnerable image from your registry.
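Steps 3 to 8 above drill down from registry to repository to image and then replace the vulnerable image. The following Python, added here as an illustration and not code from the page or from Azure Defender, models that triage over a constructed set of findings: it groups findings the way the portal does, ranks images by their worst CVSS score, and only declares the old image safe to delete once the replacement has been scanned and shows nothing at or above the chosen threshold. The field names, registry names and CVE identifiers are constructed assumptions, not the real Security Center schema.

```python
from collections import defaultdict

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample findings. The field names are an assumption modelled on what the
# page says each finding carries (registry, repository, image, CVE, CVSS score,
# severity); they are not the real Security Center API schema. CVE ids are placeholders.
SAMPLE_FINDINGS = [
    {"registry": "contosoacr", "repository": "web/frontend", "image": "sha256:aaa111",
     "cve": "CVE-0000-0001", "cvss": 9.8, "severity": "High"},
    {"registry": "contosoacr", "repository": "web/frontend", "image": "sha256:aaa111",
     "cve": "CVE-0000-0002", "cvss": 5.3, "severity": "Medium"},
    {"registry": "contosoacr", "repository": "api/backend", "image": "sha256:bbb222",
     "cve": "CVE-0000-0003", "cvss": 3.1, "severity": "Low"},
    {"registry": "fabrikamacr", "repository": "jobs/worker", "image": "sha256:ccc333",
     "cve": "CVE-0000-0004", "cvss": 7.5, "severity": "High"},
]

def group_findings(findings):
    """Nest findings registry -> repository -> image, the drill-down order of steps 3-5."""
    tree = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for f in findings:
        tree[f["registry"]][f["repository"]][f["image"]].append(f)
    return tree

def worst_severity(findings):
    """Highest severity label among an image's findings, or None if it has none."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)

def images_to_remediate(findings, min_cvss=7.0):
    """Images with at least one finding at or above min_cvss, worst CVSS first."""
    worst = {}
    for f in findings:
        key = (f["registry"], f["repository"], f["image"])
        worst[key] = max(worst.get(key, 0.0), f["cvss"])
    return sorted(((k, v) for k, v in worst.items() if v >= min_cvss),
                  key=lambda kv: -kv[1])

def old_image_safe_to_delete(new_image_findings, min_cvss=7.0):
    """Step 8: delete the old image only after the replacement has been scanned
    (a findings list exists, even if empty) and shows nothing at or above min_cvss.
    None means the scan of the replacement has not completed yet."""
    if new_image_findings is None:
        return False
    return all(f["cvss"] < min_cvss for f in new_image_findings)
```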

Next steps