Enable ACR image scanning

Microsoft Defender for Cloud

Log in to the Azure portal -> Microsoft Defender for Cloud -> setup


Turn on image scanning from that settings page. Once it is enabled, create a Container Registry in the relevant resource group; every image pushed to that registry is then scanned automatically.

Get the list of ACR vulnerability findings

The container vulnerability findings Azure has already produced cannot be downloaded directly from the portal page, and reviewing them one by one is inconvenient for hand-off and remediation, so we use Azure Resource Graph to pull the findings list.

Log in to the Azure portal -> Azure Resource Graph

Enter the following in the query box:

securityresources
| where type == "microsoft.security/assessments"
| where properties.displayName contains "Azure registry container images should have vulnerabilities resolved"
| project assessmentName=name, displayName=properties.displayName, description=properties.description, id

The condition after "where properties.displayName contains" may change over time; here is how to obtain the current one.

Log in to the Azure portal -> Microsoft Defender for Cloud -> Inventory -> filter according to your situation


Click the link to open the recommendation


That gives the condition used above; if you need a different list, obtain its condition the same way.

The query above returns an assessmentName value. Note it down; it is used in the query below.


Then run the following query to export the list of findings we need:

securityresources
| where type == "microsoft.security/assessments"
| where properties.displayName contains "Azure registry container images should have vulnerabilities resolved"
| summarize by assessmentKey="c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"
| join kind=inner (
    securityresources
     | where type == "microsoft.security/assessments/subassessments"
     | extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
 ) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
         displayName = properties.displayName,
         imageName = properties.additionalData.artifactDetails.repositoryName,
         imageTags = properties.additionalData.artifactDetails.tags,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData


In the extend clause you list the fields you want to appear in the resulting table; it should be easy to see how to add or change the values there.
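Because the portal offers no download, the exported rows usually still have to be turned into a CSV for hand-off. The following added example (not part of the original post) reproduces offline what the second query does: it recovers the assessment key from a subassessment resource id with the same regex the KQL extract() uses, keeps only rows for the page's assessment key (the join), and flattens the nested properties into the columns of the extend clause. The subscription, registry and CVE identifiers in the sample rows are constructed placeholders.

```python
import csv
import io
import re

ASSESSMENT_KEY = "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"  # key from the page's query
# Same pattern as the KQL extract(); the greedy .* first swallows the
# "assessments/" inside "subassessments/", then backtracks because no "/"
# follows the subassessment key, so group 1 is the assessment key.
KEY_RE = re.compile(r".*assessments/(.+?)/.*")
COLUMNS = ["assessmentKey", "subassessmentKey", "imageName", "imageTags",
           "severity", "code", "vulnId"]  # mirrors the query's extend clause

# Constructed sample rows shaped like Resource Graph output (placeholder
# subscription, registry and CVE ids, not real findings).
_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "rg-demo/providers/Microsoft.ContainerRegistry/registries/acrdemo/"
       "providers/Microsoft.Security/assessments/{key}/subassessments/{sub}")
SAMPLE_ROWS = [
    {"name": "s1", "id": _ID.format(key=ASSESSMENT_KEY, sub="s1"), "properties": {
        "id": "CVE-0000-0001", "status": {"severity": "High", "code": "Unhealthy"},
        "additionalData": {"artifactDetails": {"repositoryName": "app/api",
                                               "tags": ["1.0", "latest"]}}}},
    {"name": "s2", "id": _ID.format(key="other-assessment", sub="s2"), "properties": {
        "id": "CVE-0000-0002", "status": {"severity": "Low", "code": "Healthy"},
        "additionalData": {}}},
]

def assessment_key(resource_id):
    """Assessment key embedded in a subassessment resource id, or None."""
    m = KEY_RE.match(resource_id)
    return m.group(1) if m else None

def flatten(row):
    """Lift the nested properties into one flat, CSV-ready record."""
    p, status = row["properties"], row["properties"].get("status", {})
    art = p.get("additionalData", {}).get("artifactDetails", {})
    return {"assessmentKey": assessment_key(row["id"]), "subassessmentKey": row["name"],
            "imageName": art.get("repositoryName"),
            "imageTags": ";".join(art.get("tags", [])),
            "severity": status.get("severity"), "code": status.get("code"),
            "vulnId": p.get("id")}

def export_csv(rows, key=ASSESSMENT_KEY):
    """Keep only the wanted assessment's subassessments (the KQL join) as CSV."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(flatten(r) for r in rows if assessment_key(r["id"]) == key)
    return buf.getvalue()
```

Feed it the JSON rows returned by Resource Graph (for example via the Azure CLI) instead of SAMPLE_ROWS to get the same table the portal shows, as a file.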