Implementing Quarantine in Azure Container Registry

Cleber Ramos 60 Reputation points
2023-09-12T19:13:31.5+00:00

How can I enable Quarantine in Azure Container Registry (ACR), scan an image for vulnerabilities, and then remove the image from Quarantine to make it available? I want to increase the security of my ACR, but I can't find any documentation that explains how to implement Quarantine.


Accepted answer
  1. vipullag-MSFT 26,411 Reputation points
    2023-09-26T06:11:38.1266667+00:00

    Hello Cleber Ramos

    Thanks for responding back on this.

    To put an image in Quarantine, scan it for vulnerabilities, and then remove it from Quarantine, you can follow these steps:

    - Push the image to your ACR instance using the docker push command. For example:

    docker push <acr-name>.azurecr.io/<image-name>:<tag>

    Replace <acr-name> with the name of your ACR instance, <image-name> with a name for your image, and <tag> with a tag for your image.

    - Enable Quarantine for your ACR instance using the Azure CLI command:

    az acr config content-trust update --name <acr-name> --status Enabled

    - Put the image in Quarantine using the Azure CLI command:

    az acr quarantine create --name <acr-name> --image <image-name>:<tag>

    Replace <acr-name> with the name of your ACR instance, <image-name> with the name of your image, and <tag> with the tag of your image.

    - Scan the image for vulnerabilities using the Azure CLI command:

    az acr repository show-manifests --name <acr-name> --repository <image-name> --detail --query "[].{digest:digest, tags:tags}" --output table

    Replace <acr-name> with the name of your ACR instance and <image-name> with the name of your image.

    This command shows the details of the image, including its digest and tags.

    - Remove the image from Quarantine using the Azure CLI command:

    az acr quarantine delete --name <acr-name> --image <image-name>:<tag>

    Replace <acr-name> with the name of your ACR instance, <image-name> with the name of your image, and <tag> with the tag of your image.

    This command removes the image from Quarantine and makes it available for use.

    Note that Quarantine is a feature of Azure Container Registry that allows you to prevent images with known vulnerabilities from being used. By default, Quarantine is not enabled for new ACR instances. You need to enable it using the Azure CLI command az acr config content-trust update.

    Hope this helps.

    2 people found this answer helpful.
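The push, scan and release flow the question asks about, modelled end to end as an added example. This is not code from the answer above or from Microsoft; it assumes (verify against the current ACR preview documentation in the Azure/acr GitHub repository before relying on it) that quarantine is switched on through the registry's ARM policy `properties.policies.quarantinePolicy.status=enabled`, that manifest attributes are read and written at `/acr/v1/<repository>/_manifests/<digest>` and carry a `quarantineState` field the scanning pipeline sets to `Passed`, and that the built-in roles `AcrQuarantineWriter` (change the state) and `AcrQuarantineReader` (pull while still quarantined) gate those operations. The HTTP layer is injected, so the gate logic runs offline against a constructed `FakeRegistry`; the registry name, repository, digest and finding ids are constructed placeholders.

```python
"""Quarantine release gate for Azure Container Registry (added example).

Assumptions, labelled here and in the lead-in:
  * quarantine enabled via properties.policies.quarantinePolicy.status=enabled;
  * manifest attributes at /acr/v1/<repository>/_manifests/<digest> expose
    "quarantineState", which the scanner PATCHes to "Passed" to release;
  * AcrQuarantineWriter is needed to PATCH, AcrQuarantineReader to pull a
    manifest that is still "Quarantined".
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# (method, url, json body or None) -> decoded JSON response
Transport = Callable[[str, str, Optional[dict]], dict]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    """One scanner result (constructed shape, not a specific scanner's schema)."""
    id: str
    severity: str


def manifest_url(registry: str, repository: str, digest: str) -> str:
    """Assumed data-plane path for manifest attributes (see module docstring)."""
    return f"https://{registry}/acr/v1/{repository}/_manifests/{digest}"


def evaluate_findings(findings: List[Finding], max_severity: str = "medium") -> Tuple[bool, List[str]]:
    """Release only if no finding is worse than max_severity; return blockers by id."""
    limit = SEVERITY_RANK[max_severity.lower()]
    blockers = [f.id for f in findings if SEVERITY_RANK[f.severity.lower()] > limit]
    return (not blockers, blockers)


class QuarantineGate:
    """Runs inside the scanning pipeline with the AcrQuarantineWriter identity."""

    def __init__(self, registry: str, transport: Transport):
        self.registry = registry
        self.transport = transport

    def state(self, repository: str, digest: str) -> str:
        resp = self.transport("GET", manifest_url(self.registry, repository, digest), None)
        return resp["manifest"]["quarantineState"]

    def release(self, repository: str, digest: str, findings: List[Finding],
                max_severity: str = "medium") -> dict:
        """Gate on the scan; a failed scan leaves the manifest quarantined, untouched."""
        ok, blockers = evaluate_findings(findings, max_severity)
        if not ok:
            return {"released": False, "blockers": blockers}
        self.transport("PATCH", manifest_url(self.registry, repository, digest),
                       {"quarantineState": "Passed"})
        return {"released": True, "blockers": []}


class FakeRegistry:
    """Constructed stand-in for the registry so the example runs offline.

    Models the two enforcement points the feature relies on: changing
    quarantineState needs AcrQuarantineWriter, and pulling a quarantined
    manifest needs AcrQuarantineReader.
    """

    def __init__(self, caller_role: str = "AcrQuarantineWriter"):
        self.caller_role = caller_role
        self.manifests: dict = {}

    def push(self, registry: str, repository: str, digest: str) -> None:
        # With quarantine enabled, every newly pushed manifest starts out quarantined.
        self.manifests[manifest_url(registry, repository, digest)] = {
            "digest": digest, "quarantineState": "Quarantined"}

    def can_pull(self, url: str, role: str) -> bool:
        attrs = self.manifests[url]
        return attrs["quarantineState"] == "Passed" or role == "AcrQuarantineReader"

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        attrs = self.manifests.get(url)
        if attrs is None:
            raise LookupError(f"404 unknown manifest {url}")
        if method == "GET":
            return {"manifest": dict(attrs)}
        if method == "PATCH":
            if self.caller_role != "AcrQuarantineWriter":
                raise PermissionError("403 AcrQuarantineWriter required to change quarantineState")
            attrs["quarantineState"] = body["quarantineState"]
            return {"manifest": dict(attrs)}
        raise ValueError(f"unsupported method {method}")


REGISTRY, REPO = "contoso.azurecr.io", "app/api"  # constructed names
DIGEST = "sha256:" + "ab" * 32                    # constructed digest

if __name__ == "__main__":
    reg = FakeRegistry()
    reg.push(REGISTRY, REPO, DIGEST)
    gate = QuarantineGate(REGISTRY, reg)
    url = manifest_url(REGISTRY, REPO, DIGEST)
    print("after push:", gate.state(REPO, DIGEST))
    scan = [Finding("EXAMPLE-0001", "critical"), Finding("EXAMPLE-0002", "low")]
    print("critical scan:", gate.release(REPO, DIGEST, scan))
    print("pull as AcrPull:", reg.can_pull(url, "AcrPull"))
    print("clean scan:", gate.release(REPO, DIGEST, [Finding("EXAMPLE-0002", "low")]))
    print("pull as AcrPull:", reg.can_pull(url, "AcrPull"))
```

The design point is the separation of duties: the identity that pushes images never holds `AcrQuarantineWriter`, only the scanning job does, so a manifest becomes pullable by ordinary `AcrPull` consumers solely because the scan gate called `release` on a clean result. A scan that finds anything above the configured severity simply leaves `quarantineState` as it was, which is the safe default.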

1 additional answer

  1. AirGordon 7,135 Reputation points
    2023-09-12T20:46:21.8266667+00:00

    The ACR Quarantine feature is in preview, and development seems to have stagnated. Check the issue on GitHub: https://github.com/Azure/acr/issues/499

    I suggest you review the image scanning option available through the Defender for Containers capability: https://learn.microsoft.com/en-gb/azure/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure

