This chapter covers Azure Container Registry (ACR) security scanning, a critical component of Azure compute security. ACR scanning automatically detects vulnerabilities in container images stored in your registry, helping you comply with security best practices and regulatory requirements. On the AZ-500 exam, this topic appears in approximately 5-10% of questions, often integrated with scenarios about secure development, supply chain security, and compliance. You must understand how scanning works, how to enable it, interpret results, and remediate vulnerabilities.
Jump to a section
Think of Azure Container Registry (ACR) security scanning like an airport customs inspection for incoming cargo containers. Each container image is a shipping container arriving from a foreign port. The manifest (Dockerfile) lists what's inside, but customs (the scanning service) doesn't trust the manifest alone—it physically inspects every package. The customs officer (scanner) uses a massive database of known contraband (vulnerability database, like the National Vulnerability Database) and checks each item against it. If a package matches a known threat (e.g., a library with a CVE), the officer flags it with a severity level (low, medium, high, critical). The officer also checks for outdated items (base images with known vulnerabilities) and unsafe configurations (e.g., exposed secrets). The scanning is automated: as soon as a container arrives (pushed to ACR), it goes through the inspection line. The results are recorded in a log (scan report) that the port authority (security team) can review. If a container has critical issues, it might be quarantined (blocked from deployment) until the issues are resolved. The officer doesn't stop at first scan—if new contraband is discovered worldwide (new CVEs published), the officer re-inspects all previously cleared containers (re-scan on trigger). This ensures that even containers that passed earlier are re-evaluated against the latest threats.
What is Azure Container Registry Security Scanning?
Azure Container Registry (ACR) security scanning, also known as vulnerability assessment, is a built-in or integrated feature that analyzes container images for known security vulnerabilities. The primary goal is to identify and report vulnerabilities in the operating system packages and application dependencies within the image layers. Scanning is essential for maintaining a secure software supply chain and is a key requirement for compliance frameworks like PCI DSS, HIPAA, and FedRAMP.
How Scanning Works Internally
ACR scanning operates by comparing the contents of each image layer against a continuously updated vulnerability database. The process is:
1. Image Push Trigger: When an image is pushed to an ACR repository, the registry can automatically trigger a scan. This is configured at the registry level via the acr scan policy or by integrating with Microsoft Defender for Cloud.
2. Layer Extraction: The scanner pulls the image manifest and extracts each layer's filesystem. It identifies installed packages (e.g., apt, yum, pip, npm) and their versions.
3. Vulnerability Matching: The extracted package list is cross-referenced with the vulnerability database. For each package, the scanner checks if the installed version is affected by any known Common Vulnerabilities and Exposures (CVEs). The database is updated multiple times daily from sources like the National Vulnerability Database (NVD), Ubuntu Security Notices, Red Hat Security Advisories, and others.
4. Severity Classification: Each matched vulnerability is assigned a severity level (Low, Medium, High, or Critical) based on the CVSS score. The scanner also provides a fix version if available.
5. Report Generation: The scan results are stored in the ACR repository metadata. You can view them via the Azure portal, Azure CLI, or API. The report includes the list of vulnerabilities, their severity, CVE IDs, and remediation advice.
6. Re-scan Triggers: Scans can be re-triggered manually or automatically when the vulnerability database is updated. Microsoft Defender for Cloud can trigger re-scans when new CVEs are published.
Key Components, Values, and Defaults
Scanning Frequency: By default, ACR does not automatically scan images unless you enable scanning via Microsoft Defender for Cloud (formerly Azure Security Center). Without Defender, you must trigger scans manually via CLI or API.
Defender for Cloud Integration: When you enable Microsoft Defender for Cloud on your subscription and turn on the "Container Registry" plan, all images pushed to any ACR in that subscription are automatically scanned. The cost is approximately $0.012 per image per month (as of 2025).
Scan Results Storage: Results are stored as a tag in the repository, e.g., acr-scan-result or as annotations. They are accessible for 90 days after the scan.
Supported Image Formats: ACR scanning supports Linux and Windows images. For Linux, it supports multiple distributions: Ubuntu, Debian, CentOS, Red Hat, Alpine, etc. For Windows, it supports Windows Server Core and Nano Server.
Vulnerability Database: The database is updated every 12-24 hours. Critical vulnerabilities may trigger immediate updates.
Scan Timeout: Each scan has a timeout of 30 minutes. If the scan does not complete within that time, it fails and you must retry.
Number of Scans: There is no limit on the number of scans per registry, but there is a rate limit of 10 concurrent scans per registry.
Configuration and Verification Commands
To enable scanning via Defender for Cloud:
# Enable Defender for Cloud on subscription
az security pricing create --name 'ContainerRegistry' --pricing-tier 'Standard'
# Verify status
az security pricing show --name 'ContainerRegistry'To trigger a manual scan (without Defender):
# Install ACR scan extension
az extension add --name acr-scan
# Run scan on an image
az acr scan --registry myregistry --repository myrepo --image myimage:tagTo view scan results:
az acr scan list --registry myregistry --repository myrepo
az acr scan show --registry myregistry --repository myrepo --image myimage:tagTo list vulnerabilities from the result:
az acr scan list-vulnerabilities --registry myregistry --repository myrepo --image myimage:tagInteraction with Related Technologies
Azure DevOps: You can integrate scanning into CI/CD pipelines. For example, use the ACR task to build and scan images before pushing. You can also use third-party scanners like Trivy or Clair in your pipeline.
Azure Kubernetes Service (AKS): AKS can be configured to only allow images that have passed scanning. This is done via Azure Policy for Kubernetes, which can enforce that images must have a scan result with no critical vulnerabilities.
Microsoft Defender for Cloud: Provides a unified view of vulnerabilities across all registries. It also offers recommendations to remediate vulnerabilities and can trigger automatic re-scans.
Azure Policy: You can create custom policies to block deployment of images with high or critical vulnerabilities.
Best Practices
Enable Defender for Cloud on all subscriptions that use ACR.
Use automated scans in CI/CD pipelines to catch vulnerabilities before images are pushed.
Regularly review and remediate vulnerabilities, prioritizing critical and high severity.
Use base images from trusted sources and keep them updated.
Consider using multi-stage builds to minimize image size and attack surface.
Enable Microsoft Defender for Container Registry
Navigate to Microsoft Defender for Cloud in the Azure portal. Under 'Environment settings', select your subscription. Locate the 'Container Registry' plan and set it to 'On'. This enables automatic scanning of all images pushed to any ACR in the subscription. The cost is per image per month. Without this, you must manually trigger scans. Verify using Azure CLI: `az security pricing show --name 'ContainerRegistry'` should show 'pricing-tier' as 'Standard'.
Push an Image to the Registry
Use Docker CLI to tag and push an image. For example: `docker tag myimage:latest myregistry.azurecr.io/myimage:v1` then `docker push myregistry.azurecr.io/myimage:v1`. The push triggers the scan if Defender is enabled. If not, you can manually trigger a scan later. The registry must have admin credentials enabled or you must use `az acr login` to authenticate. The image layers are uploaded and stored in Azure Blob Storage.
Automatic Scan Trigger
Upon successful push, ACR sends a notification to Defender for Cloud. The scanning engine pulls the image manifest and begins analyzing each layer. It extracts package lists from the filesystem. For Linux images, it uses package managers like apt, yum, or apk. For Windows, it uses the package database. The scan runs asynchronously and typically completes within a few minutes for standard images. If the image is large (>10GB), it may take longer.
Vulnerability Comparison
The extracted package list is compared against the latest vulnerability database. The database contains millions of CVE records. For each package, the scanner checks the installed version against the affected versions. If a match is found, it records the CVE ID, severity (based on CVSS v3 score), and any available fix version. The scanner also checks for outdated base images and exposed secrets (e.g., passwords in environment variables). The results are stored as metadata in the registry.
Review and Remediate Results
In the Azure portal, navigate to your ACR, select 'Repositories', then choose an image. Click on 'Tags' and select the tag you pushed. The 'Vulnerabilities' tab displays the scan results. You can filter by severity. For each vulnerability, you can see the CVE ID, description, and remediation (e.g., update package to version X). Remediation typically involves rebuilding the image with updated packages. Re-push the updated image to trigger a new scan. If the vulnerability is a false positive, you can suppress it using the 'Suppress' feature in Defender for Cloud.
Enterprise Scenario 1: Financial Services Compliance
A large bank uses ACR to store container images for its trading applications. Regulatory compliance requires that all images be free of critical and high vulnerabilities before deployment. The bank enables Defender for Cloud for Container Registry across all subscriptions. They integrate scanning into their CI/CD pipeline using Azure DevOps. When a developer pushes a new image, the pipeline triggers a scan. If the scan reports any critical vulnerabilities, the pipeline fails and the image is not deployed. The security team receives alerts via Azure Monitor and uses Defender for Cloud's dashboard to track remediation progress. The bank also uses Azure Policy to enforce that only scanned images (with no critical vulnerabilities) can be deployed to AKS. This ensures compliance with PCI DSS requirement 6.2. The main challenge is handling false positives—packages flagged as vulnerable but not exploitable in the context of the application. The team uses the 'Suppress' feature to ignore known false positives, but they must document the justification for auditors.
Enterprise Scenario 2: E-commerce Platform with High Velocity
An e-commerce company pushes hundreds of images per day to ACR. They use multi-stage builds to keep images small. With Defender for Cloud enabled, every push triggers a scan. The security team noticed that scans sometimes fail due to timeouts for very large images (e.g., ones exceeding 30 minutes). They optimized their Dockerfiles to reduce layer count and image size. They also use the acr scan CLI to trigger scans on demand for pre-production images. For production, they rely on automatic scans. They use Defender for Cloud's 'Recommendations' to prioritize fixes. The biggest issue they faced was a zero-day vulnerability in a popular base image that was discovered after the image had been scanned and deployed. Defender for Cloud automatically re-scanned all images in the registry within 24 hours of the new CVE being added to the database, and flagged the affected images. The team was able to quickly rebuild and redeploy. This proactive re-scanning is critical for maintaining security in a fast-paced environment.
Scenario 3: Multi-Region Deployment with Shared Registry
A global SaaS provider uses a single ACR replicated across multiple regions (geo-replication) to serve customers worldwide. They need to ensure that all images are scanned regardless of which region they are pushed to. With Defender for Cloud enabled, scans are performed in the region where the image is pushed. However, scan results are stored in the same region. The security team uses a central Defender for Cloud dashboard to view vulnerabilities across all regions. They encountered a problem: when a vulnerability is suppressed in one region, it is not automatically suppressed in others. They had to use Azure Policy to apply consistent suppression rules across regions. They also use Azure Resource Graph to query scan results across all registries. This allows them to generate compliance reports for auditors.
AZ-500 Exam Focus on Container Registry Security Scanning
The AZ-500 exam objective '2.2 Implement container security' includes 'Configure vulnerability scanning for container images'. Expect 1-3 questions that test your understanding of ACR scanning. The exam focuses on:
Key Exam Objectives: - Configure Microsoft Defender for Cloud for Container Registry (plan name: 'ContainerRegistry') - Understand the difference between manual scanning and automatic scanning with Defender - Interpret scan results: severity levels, CVE IDs, fix versions - Remediation strategies: update base images, rebuild images, suppress false positives - Integration with Azure Policy and AKS for deployment controls
Common Wrong Answers and Traps: 1. 'Scanning is enabled by default' – This is false. Without Defender for Cloud, no automatic scanning occurs. The exam may present a scenario where a security team expects scans but none happen because Defender is not enabled. 2. 'You must install an agent on the container host to scan images' – This is wrong. ACR scanning is server-side; no agent is needed on the host. The scanner runs in Azure. 3. 'Scanning only supports Linux images' – While Linux is more common, Windows images are also supported. The exam may test this. 4. 'You can only scan images at push time' – Scans can be triggered manually at any time, and re-scans occur automatically when the vulnerability database is updated. 5. 'All vulnerabilities must be fixed before deployment' – This is not a blanket requirement; it depends on your organization's policy. The exam might ask about Azure Policy to enforce such rules.
Specific Numbers and Terms to Memorize: - Pricing: ~$0.012 per image per month (not critical but helpful) - Scan timeout: 30 minutes - Concurrent scan limit: 10 per registry - Scan result retention: 90 days - Severity levels: Low, Medium, High, Critical (based on CVSS v3) - Database update frequency: every 12-24 hours
Edge Cases:
- Images with no package manager (e.g., scratch images) will have no vulnerabilities detected.
- If an image is deleted and re-pushed, it is scanned again.
- Re-scanning can be triggered manually via az acr scan run or automatically via Defender.
How to Eliminate Wrong Answers:
If a question asks about enabling automatic scanning, the correct answer will involve enabling Defender for Cloud's Container Registry plan. If it asks about viewing results, use az acr scan list-vulnerabilities. If it asks about preventing deployment of vulnerable images, look for Azure Policy or AKS admission controller rules. Always read the scenario carefully to see if Defender is already enabled.
ACR scanning compares image packages against a vulnerability database updated every 12-24 hours.
Enable automatic scanning by turning on Microsoft Defender for Cloud's Container Registry plan (Standard tier).
Manual scanning can be triggered using 'az acr scan' CLI commands after installing the 'acr-scan' extension.
Scan results include CVE ID, severity (Low/Medium/High/Critical), and fix version.
Scans have a 30-minute timeout; maximum 10 concurrent scans per registry.
Scan results are retained for 90 days.
Supported image types: Linux (Ubuntu, Debian, CentOS, RHEL, Alpine) and Windows (Server Core, Nano Server).
Re-scanning occurs automatically when vulnerability database is updated (if Defender is enabled).
Azure Policy can enforce deployment only of scanned images with no critical vulnerabilities.
Remediation typically involves updating base images and rebuilding containers.
These come up on the exam all the time. Here's how to tell them apart.
Manual Scanning (Without Defender)
Must be triggered manually via CLI or API after each push.
No additional cost beyond ACR storage.
No automatic re-scanning when vulnerability database updates.
Requires installation of 'acr-scan' CLI extension.
Results are stored and viewable via CLI or portal.
Automatic Scanning (With Defender for Cloud)
Automatically triggered on every image push.
Costs approximately $0.012 per image per month.
Automatically re-scans images when new critical CVEs are published.
No CLI extension needed; integrated into Defender for Cloud.
Results appear in Defender for Cloud dashboard and ACR portal.
Mistake
Container registry scanning is enabled by default in Azure Container Registry.
Correct
ACR does not scan images by default. You must enable Microsoft Defender for Cloud's Container Registry plan or manually trigger scans via CLI/API.
Mistake
Scanning requires an agent to be installed on the container host or within the container.
Correct
Scanning is performed server-side by Azure infrastructure. No agent is needed on the host or inside the container.
Mistake
Scanning only works for Linux-based container images.
Correct
ACR scanning supports both Linux and Windows container images. For Windows, it supports Windows Server Core and Nano Server.
Mistake
Once an image is scanned, it is never re-scanned.
Correct
Images can be re-scanned manually or automatically when the vulnerability database is updated (e.g., new CVEs). Defender for Cloud can trigger re-scans on database updates.
Mistake
All vulnerabilities found during scanning must be fixed before the image can be deployed.
Correct
There is no built-in enforcement. Organizations can use Azure Policy or AKS admission controls to block deployment of images with certain severity levels, but it is not automatic.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Enable Microsoft Defender for Cloud's 'Container Registry' plan. In the Azure portal, go to Microsoft Defender for Cloud > Environment settings > Select your subscription > Find 'Container Registry' and set it to 'On'. Alternatively, use the Azure CLI: `az security pricing create --name 'ContainerRegistry' --pricing-tier 'Standard'`. Once enabled, every image pushed to any ACR in that subscription is automatically scanned.
ACR scanning is a managed Azure service integrated with Defender for Cloud. It automatically scans images on push and re-scans on database updates. Third-party scanners like Trivy or Clair can be run in CI/CD pipelines or as standalone tools. ACR scanning is easier to set up but may have higher cost. Third-party scanners offer more customization and can be run locally. The exam focuses on ACR scanning.
In the Azure portal, navigate to your ACR, select 'Repositories', choose the repository, click on the image tag, and then select the 'Vulnerabilities' tab. You can also use the Azure CLI: `az acr scan list-vulnerabilities --registry myregistry --repository myrepo --image myimage:tag`. The results show CVE IDs, severity, and remediation advice.
Yes, using Azure Policy. Create a policy that requires images to have a scan result with no critical vulnerabilities. Apply the policy at the AKS cluster scope. You can also use AKS admission controllers like OPA/Gatekeeper or Azure Policy for Kubernetes. The exam may test this integration.
The scan fails. You must retry the scan. To avoid timeouts, optimize your image size and layer count. Large images (>10GB) may exceed the 30-minute timeout. You can also trigger a manual scan with a longer timeout (not configurable, but retries may help).
Yes, ACR scanning supports Windows Server Core and Nano Server images. The scanner extracts Windows update information and checks against Microsoft Security Bulletins. Linux support is broader, but Windows images are fully supported.
The database is updated every 12-24 hours. For critical vulnerabilities, updates may be pushed sooner. When Defender for Cloud is enabled, it can trigger re-scans of all images when the database is updated.
You've just covered Container Registry Security Scanning — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?