Category: ACR

ACR | Lock container images

Hi!

In this article I will show you how to lock a container image or a repository hosted in Azure Container Registry (ACR) so that it can’t be deleted or overwritten.

By default, a tagged image in Azure Container Registry is mutable: with the appropriate permissions you can repeatedly push an image with the same tag, and the existing tag is simply re-pointed to the new manifest. Images can also be deleted at any time. This behavior is convenient while you are developing images and need to keep the size of your registry under control.

However, when you deploy a container image to production, you usually want an immutable image: one that can’t be accidentally deleted or overwritten. ACR implements this with lock attributes (write, delete, read and list) on a tag, a manifest digest or a whole repository. Keep in mind that these are changeable attributes of the registry object: any principal allowed to set them can also clear them, so locking guards against mistakes and CI pipelines re-pushing a tag, not against an attacker who already holds rights to update repository attributes.

Show the current repository attributes
az acr repository show \
    --name myregistry --repository myrepo \
    --output jsonc


Show the current image attributes
az acr repository show \
    --name myregistry --image myimage:tag \
    --output jsonc

Lock an image by tag
az acr repository update \
    --name myregistry --image myimage:tag \
    --write-enabled false

Lock an image by manifest digest (the digest below is a placeholder; use the digest value returned by az acr repository show --image myimage:tag)
az acr repository update \
    --name myregistry --image myimage@sha256:123456abcdefg \
    --write-enabled false

Lock a repository
az acr repository update \
    --name myregistry --repository myrepo \
    --write-enabled false

Protect a repository and its images from deletion while still allowing pushes
az acr repository update \
    --name myregistry --repository myrepo \
    --delete-enabled false --write-enabled true

Prevent read (pull) operations on an image or repository
az acr repository update \
    --name myregistry --image myimage:tag \
    --read-enabled false

az acr repository update \
    --name myregistry --repository myrepo \
    --read-enabled false

Unlock an image or repository
az acr repository update \
    --name myregistry --image myimage:tag \
    --delete-enabled true --write-enabled true

az acr repository update \
    --name myregistry --repository myrepo \
    --delete-enabled true --write-enabled true

Maxime.

ACR | Retention policy for untagged manifests

Hi!

Azure Container Registry gives you the option to set a retention policy for stored image manifests that don’t have any associated tags (untagged manifests), which typically accumulate when a tag is overwritten by a new push. When a retention policy is enabled, untagged manifests in the registry are automatically deleted after the number of days you set. The feature is available in the Premium service tier, and it only applies to manifests that become untagged after the policy is enabled; manifests that were already untagged at that point are not cleaned up by it.

The following example sets a retention policy of 30 days for untagged manifests in the registry zigmax:

az acr config retention update --registry zigmax --status enabled --days 30 --type UntaggedManifests

You can also define the retention policy for untagged manifests in the Azure Portal.

Maxime.

Defender for Containers can now scan for vulnerabilities in Windows images

Hi!

Defender for Containers’ image scanning now supports Windows images hosted in Azure Container Registry. This feature is free while in preview and will incur a cost when it becomes generally available.

[Screenshot: findings details pane]

I previously wrote an article in French explaining how you can use Microsoft Defender to scan your Linux container images.

Maxime.