Created
April 4, 2020 15:11
Container Scanning with Security Centre
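<#
.SYNOPSIS
  Gates container images in an Azure Container Registry on their Security Centre
  vulnerability assessment and (optionally) deletes the ones assessed Unhealthy.

.DESCRIPTION
  For every repository in the registry whose name matches $repositorySearchString,
  the script resolves the digest of $imageTag, polls Azure Resource Graph for the
  "ContainerRegistryVulnerability" sub-assessments of that image until results
  appear or $timeoutInSeconds elapses, and reports the outcome. An image with at
  least one Unhealthy finding is deleted from the registry when
  $deleteFailedContainers is true. The script throws if any image was Unhealthy,
  so it can be used as a pipeline gate.

.PARAMETER repositorySearchString
  Wildcard pattern (evaluated with -like) selecting the repositories to check.
.PARAMETER imageTag
  Tag whose digest is looked up in each selected repository.
.PARAMETER registryName
  Name of the Azure Container Registry.
.PARAMETER registrysubscription
  Subscription containing the registry; also used for the Resource Graph query.
.PARAMETER deleteFailedContainers
  'true' (default) deletes images assessed Unhealthy; 'false' only reports them.
.PARAMETER timeoutInSeconds
  Maximum time to wait for scan results per image (polled every 30 seconds).
#>
param(
    # Client Name
    [Parameter(Mandatory = $true)]
    [string]$repositorySearchString,
    [Parameter(Mandatory = $true)]
    [string]$imageTag,
    [Parameter(Mandatory = $true)]
    [string]$registryName,
    [Parameter(Mandatory = $true)]
    [string]$registrysubscription,
    [ValidateSet('true', 'false')]
    [string]$deleteFailedContainers = $true,
    [int]$timeoutInSeconds = 600
)

# Interval between Resource Graph polls while waiting for a scan to be published.
$pollIntervalSeconds = 30
# The parameter is a string so that pipeline variables bind cleanly; parse it once
# here so that "false" actually disables deletion (the original ignored it).
$shouldDelete = [bool]::Parse($deleteFailedContainers)

az account set --subscription $registrysubscription
if ($LASTEXITCODE -ne 0) {
    throw "Failed to select subscription '$registrysubscription'"
}

$healthyCount = 0
$unHealthyCount = 0

# Registry is the $registryName parameter (the original referenced an undefined
# $destinationRegistryName). @() keeps a single repository iterable.
$repositories = @(az acr repository list -n $registryName | ConvertFrom-Json) |
    Where-Object { $_ -like $repositorySearchString }

foreach ($repository in $repositories) {
    Write-Host $repository

    $tagEntry = az acr repository show-tags -n $registryName --repository $repository --detail |
        ConvertFrom-Json |
        Where-Object { $_.name -eq $imageTag } |
        Select-Object -First 1
    $digest = $tagEntry.digest

    if ($null -eq $digest) {
        Write-Warning "No image found for $repository`:$imageTag"
        continue
    }
    Write-Host $digest

    # Both values are interpolated into a quoted KQL string literal below. They come
    # from the registry rather than the caller, but refuse anything that could
    # terminate the literal rather than run an altered query.
    if ("$repository$digest" -match '["\\\r\n]') {
        throw "Unexpected characters in repository name or digest for '$repository'"
    }

    $query = @"
securityresources
| where type == "microsoft.security/assessments"
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
    securityresources
    | where type == "microsoft.security/assessments/subassessments"
    | extend assessmentKey = extract(".*assessments/(.+?)/.*",1, id)
) on assessmentKey
| where properties.additionalData.assessedResourceType == "ContainerRegistryVulnerability"
| where properties.resourceDetails.id == "/repositories/$repository/images/$digest"
| extend status = properties.status.code
| extend severity = properties.status.severity
"@

    # Scan results are published asynchronously after a push, so poll until they
    # exist or the per-image timeout elapses. @() makes .Count reliable for
    # $null / single-object responses.
    $results = @(Search-AzGraph -Query $query -Subscription $registrysubscription)
    $waited = 0
    while ($results.Count -eq 0 -and $waited -lt $timeoutInSeconds) {
        Write-Host "Waiting for scan"
        Start-Sleep -Seconds $pollIntervalSeconds
        $waited += $pollIntervalSeconds
        $results = @(Search-AzGraph -Query $query -Subscription $registrysubscription)
    }
    if ($results.Count -eq 0) {
        throw "No scan results found"
    }

    # Count unhealthy images (not individual findings); the final gate only needs > 0.
    $unhealthyFindings = @($results | Where-Object { $_.status -eq "Unhealthy" })
    if ($unhealthyFindings.Count -gt 0) {
        $unHealthyCount++
        Write-Error "$repository`:$imageTag is Unhealthy ($($unhealthyFindings.Count) findings)"
        if ($shouldDelete) {
            az acr repository delete --name $registryName --image "$repository`:$imageTag" --yes
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Failed to delete $repository`:$imageTag"
            }
        }
    }
    else {
        Write-Host "$repository`:$imageTag is Healthy" -ForegroundColor Green
        $healthyCount++
    }
}

if ($unHealthyCount -gt 0) {
    throw "At least one image with vulnerabilities detected"
}
elseif ($healthyCount -gt 0) {
    Write-Host "No vulnerabilities found" -ForegroundColor Green
}
else {
    Write-Warning "No images found"
}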
Hi Sam Cogan,
I have gone through your blog on this solution. It was really good, but as this solution is 3 years old, do you have any new suggestions which would make the process of detecting and deleting unsecured images easy (through bash script)?
I would also like to know: sometimes older build images in the Azure Container Registry start reporting security vulnerabilities. What is the best way of tracking, updating (by applying security patches), and deleting old images, especially when those old build images are in the production environment?