Quarantine Preview and Qualys Interaction
Describe the bug
The combination of the Quarantine preview feature and Qualys (Azure Defender CVE scanning) does not work as expected.
To Reproduce Steps to reproduce the behavior:
- Enable quarantine on an ACR (see #210)
- Set Azure Defender for Container Registries to On (this enables Qualys CVE scanning)
- Push an image to the ACR
Expected behavior
When a container image is pushed to an ACR that has quarantine enabled, we expect the image to be scanned by Qualys so we can programmatically determine whether to release the image for pulls. In other words, immediately after the image is pushed, even though it is quarantined, we expect it to appear in the results of `az security sub-assessment list`; however, it does not.
Instead, the image is never scanned until it is released, defeating the purpose of the quarantine. It appears as though the feature was written entirely for DIY local or out-of-band image scanning, where the scanner has access to the source image and can support a pipeline that will remove the image from quarantine based on out-of-band scan results. This is great for users who want to integrate their own scanning with Azure Container Registry, however in this instance we are interested in leveraging Azure Container Registry, the Quarantine feature, and Azure Defender Qualys scanning.
To enable users who wish to quarantine images immediately on push pending the results of a Qualys scan (Azure Defender), the quarantine feature should allow the image to be scanned and to appear in an `az security sub-assessment list` result query as either Healthy or Unhealthy, regardless of whether the image is quarantined or not, so that images can be programmatically removed from quarantine based on Qualys results.
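The release pipeline described in this report, as an added example that is not code from the Azure/acr project or from the reporter: it consumes the JSON that `az security sub-assessment list -o json` prints, classifies one image digest as Healthy, Unhealthy or NotScanned, and builds the manifest PATCH that would take a clean image out of quarantine. The registry name `contoso.azurecr.io`, repository `app/api`, the digests and the sub-assessment records are constructed sample data; the `additionalData` field names and the `/acr/v1/<repo>/_manifests/<digest>` PATCH endpoint with a `quarantineState` body follow the ACR quarantine preview write-up and are treated as assumptions here. The NotScanned branch is the failure mode the issue describes: a pushed, still-quarantined image has no sub-assessment at all, so the gate must keep it quarantined rather than treat silence as a clean result.

```python
"""Gate quarantined ACR images on Azure Defender (Qualys) sub-assessments.

Added example, not code from the Azure/acr project or the issue reporter.
Run with a file path (the output of `az security sub-assessment list -o json`)
or with no arguments to use the constructed sample below.

Assumptions: the additionalData fields imageDigest / repositoryName /
registryHost / assessedResourceType, and the manifest-attribute PATCH used
to change quarantineState, follow the ACR quarantine preview write-up.
"""
import json
import sys
from typing import Dict, List

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
REGISTRY = "contoso.azurecr.io"      # hypothetical registry
REPOSITORY = "app/api"               # hypothetical repository
DIGEST_A = "sha256:" + "11" * 32     # constructed: scanned, has findings
DIGEST_B = "sha256:" + "22" * 32     # constructed: scanned, clean
DIGEST_C = "sha256:" + "33" * 32     # constructed: pushed while quarantined, never scanned


def _sa(digest: str, code: str, severity: str) -> Dict:
    """Build one sub-assessment record in the shape the API returns (constructed)."""
    return {
        "status": {"code": code, "severity": severity},
        "resourceDetails": {"source": "Azure"},
        "additionalData": {
            "assessedResourceType": "ContainerRegistryVulnerability",
            "registryHost": REGISTRY,
            "repositoryName": REPOSITORY,
            "imageDigest": digest,
        },
    }


# Constructed sample: Qualys emits one sub-assessment per finding per image.
SAMPLE_SUBASSESSMENTS: List[Dict] = [
    _sa(DIGEST_A, "Unhealthy", "High"),
    _sa(DIGEST_A, "Unhealthy", "Low"),
    _sa(DIGEST_B, "Healthy", "Low"),
]


def findings_for_image(subassessments, registry_host, repository, digest):
    """Select the sub-assessments that belong to one image digest."""
    hits = []
    for sa in subassessments:
        extra = sa.get("additionalData") or {}
        if extra.get("assessedResourceType") != "ContainerRegistryVulnerability":
            continue
        if (str(extra.get("registryHost", "")).lower() == registry_host.lower()
                and extra.get("repositoryName") == repository
                and extra.get("imageDigest") == digest):
            hits.append(sa)
    return hits


def gate(subassessments, registry_host, repository, digest, max_severity="Medium"):
    """Return ('Healthy' | 'Unhealthy' | 'NotScanned', blocking_findings).

    Findings with severity strictly above max_severity block the release.
    NotScanned means no sub-assessment exists for the digest at all: the
    caller must leave the image in quarantine and retry, never release it.
    """
    findings = findings_for_image(subassessments, registry_host, repository, digest)
    if not findings:
        return "NotScanned", []
    limit = SEVERITY_RANK[max_severity]
    blocking = [
        f for f in findings
        if f.get("status", {}).get("code") == "Unhealthy"
        and SEVERITY_RANK.get(f["status"].get("severity"), 4) > limit
    ]
    return ("Unhealthy" if blocking else "Healthy"), blocking


def release_request(registry_host, repository, digest, state, details):
    """Build the manifest-attribute PATCH that changes quarantineState.

    Endpoint and body follow the ACR quarantine preview docs (assumption).
    The caller needs a registry bearer token and the AcrQuarantineWriter
    role; state is 'Passed' to release the image for pulls.
    """
    url = f"https://{registry_host}/acr/v1/{repository}/_manifests/{digest}"
    body = {"quarantineState": state, "quarantineDetails": json.dumps(details)}
    return url, body


def main(argv):
    # Real use: az security sub-assessment list -o json > sub.json
    data = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_SUBASSESSMENTS
    for digest in (DIGEST_A, DIGEST_B, DIGEST_C):
        verdict, blocking = gate(data, REGISTRY, REPOSITORY, digest)
        print(f"{digest[:19]}... {verdict} ({len(blocking)} blocking finding(s))")
        if verdict == "Healthy":
            url, body = release_request(REGISTRY, REPOSITORY, digest, "Passed",
                                        {"scanner": "qualys", "policy": "max Medium"})
            # Send it with an authenticated PATCH, e.g. requests.patch(url, json=body,
            # headers={"Authorization": f"Bearer {token}"}); printed here instead.
            print("  would PATCH", url, json.dumps(body))


if __name__ == "__main__":
    main(sys.argv)
```

The threshold is deliberately a parameter: a Low finding on an otherwise clean image should not hold a release indefinitely, but the decision to accept it belongs to the pipeline owner, not the script. Note also that the gate only ever releases on an explicit Healthy verdict; an image that never shows up in the sub-assessment list (the pushed-while-quarantined case in this issue) stays quarantined.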
Thanks @alanmeadows for reporting this! We will look into it and keep you updated.
I can confirm that the behaviour when importing the image from another registry using `az acr import` is as expected. The image gets scanned and the results are available. I also noticed that in the import case the manifest and tag are available in ACR, but a user without the AcrQuarantineReader/Writer permission gets access denied when trying to get details from the portal. In the push case, however, the manifest and tag are not available at all, which could be the reason Azure Security Centre does not scan the pushed images.
Unfortunately, Quarantine is not yet complete, and not yet available for consumption. We have work to complete in the next few months as a predecessor and hope to release Quarantine at a future date.
@SteveLasker Do you have any update on this? I understand that Quarantine is still in preview, but this feature would really improve the workflow for those using Qualys in Azure Defender.
Hi, I would like to know what is the status of this? It is shameful for Microsoft that this feature is in preview since 2017 and still doesn't work! Feels like the only way is to totally give up on ACR.
Hi @nfsouzaj, apologies to hear your frustration. We would really like to complete quarantine and ship it as a GA-level feature. We are prioritizing the work in the spring. The reasoning for the delay was around prioritization of capabilities that were either blocking, supportability or reliability features. For instance, shipping ACR connected registry for IoT scenarios, as those scenarios were blocked. Or availability zone support for in-region reliability, or the many other security features like private link and CMK.
We have been growing the team to support the growing needs of the security supply chain efforts, so we do hope to complete the work in the first half of 2022.
Thanks for using ACR, and we really appreciate the feedback, Steve
Hi,
The end of 2022 H1 is nearly here - any news on this? Many thanks,
Justin
bump
And ... it's now 2023.
Hello Everyone,
Thank you for the feedback on the Quarantine preview. My apologies for the frustration with this feature. Our team is working on completing this feature. I will post on this thread as soon as I have an update about the completion of this work. Please continue to give us feedback. The team has grown, and we are working diligently to update our roadmap for all our supply chain features.
I'm very interested in the Quarantine feature. Is there any update on when it will reach GA?
I've found Sonatype Repository Firewall to be very useful which can quarantine software dependencies until they are confirmed 'safe'. The Quarantine feature in ACR appears similar and would be a powerful tool to reduce chances of unsafe images being used.
@JXavierMSFT hey, do you have an update on this, please?