Azure Container Registry Integration

Connect your Azure Container Registry (ACR) to Safeguard.sh for container image SBOM generation and vulnerability scanning.

Overview

Azure Container Registry integration supports:

Public and private registries
Service Principal authentication
Managed Identity authentication
Azure AD authentication
Geo-replicated registries

Prerequisites

Azure subscription with ACR access
Container images in your registry
Appropriate Azure permissions (ACRPull or higher)
Safeguard.sh account with ESSCM access

Authentication Methods

Method 1: Service Principal (Recommended)

Create a service principal with ACRPull role:

# Create service principal
az ad sp create-for-rbac \
  --name "safeguard-acr-reader" \
  --role AcrPull \
  --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.ContainerRegistry/registries/{registry-name}

This outputs:

{
  "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

Use these values:

Username: appId value
Password: password value

Method 2: Admin User

Enable admin user in Azure Portal:

Go to your Container Registry
Navigate to Settings → Access keys
Enable Admin user
Copy the Username and password

Note: Admin user credentials should only be used for testing. Use Service Principal for production.

Method 3: Repository-Scoped Token

Create a token with limited scope:

In Azure Portal, go to your ACR
Navigate to Repository permissions → Tokens
Click + Add
Configure:
- Token name: safeguard-reader
- Scope map: Create new with content/read permission
Generate password and save it

Configuring in Safeguard.sh

Step 1: Navigate to Integrations

Go to the Integrations page
Click Connect on the Azure Container Registry card (or use OCI Registry)

Step 2: Enter Configuration

Select the Private tab and enter:

Field	Value
Name	Configuration name (e.g., "Azure ACR Production")
Description	Optional description
Registry URL	`{registry-name}.azurecr.io`
Username	Service Principal appId or Admin username
Password	Service Principal password or Admin password

Step 3: Verify and Connect

Click Verify Credentials
Wait for verification to complete
Click Next
Browse and select repositories to scan
Configure image tags (e.g., latest, v1.0.0)
Click Connect

Registry URL Formats

Registry Type	URL Format
ACR (Public Cloud)	`{registry-name}.azurecr.io`
ACR (Azure Government)	`{registry-name}.azurecr.us`
ACR (Azure China)	`{registry-name}.azurecr.cn`

Scanning Private Images

For private repositories within ACR:

Ensure your credentials have access to the specific repository
When selecting images, navigate to the private repository
Select the tags you want to scan

Image Reference Formats

# Full reference
myregistry.azurecr.io/myapp:v1.0.0

# With digest
myregistry.azurecr.io/myapp@sha256:abc123...

# Latest tag
myregistry.azurecr.io/myapp:latest

Azure DevOps Pipeline Integration

Integrate ACR scanning into your Azure Pipeline:

# azure-pipelines.yml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  imageRepository: 'myapp'
  containerRegistry: 'myregistry.azurecr.io'
  tag: '$(Build.BuildId)'

steps:
  - task: Docker@2
    inputs:
      containerRegistry: 'ACR-Connection'
      repository: '$(imageRepository)'
      command: 'buildAndPush'
      Dockerfile: '**/Dockerfile'
      tags: '$(tag)'

  - script: |
      npm install -g @safeguard-sh/cli
      safeguard scan --image $(containerRegistry)/$(imageRepository):$(tag)
      safeguard sbom generate --image $(containerRegistry)/$(imageRepository):$(tag) --output sbom.json
    env:
      SAFEGUARD_API_KEY: $(SafeguardApiKey)
    displayName: 'Security Scan'

Webhook Configuration

Configure ACR webhooks for automatic scanning:

In Azure Portal, go to your ACR
Navigate to Services → Webhooks
Click + Add
Configure:

Setting	Value
Webhook name	safeguard-scan
Service URI	`https://api.safeguard.sh/webhooks/acr`
Custom headers	`X-Safeguard-Key: YOUR_WEBHOOK_KEY`
Actions	push

Troubleshooting

"Unauthorized" error

Verify credentials are correct
Check service principal hasn't expired
Ensure role assignment is at correct scope
Try regenerating credentials

"Repository not found"

Verify image exists in registry
Check repository name is correct (case-sensitive)
Ensure credentials have access to the repository

"Manifest unknown" error

Verify the tag exists
Tag may have been deleted or overwritten
Try using image digest instead of tag

Slow scanning

Large images take longer to analyze
Multi-arch images scan all platforms
Consider scanning specific platform: myimage:tag-amd64

Best Practices

Security

Use Service Principal instead of Admin user
Apply principle of least privilege (ACRPull only)
Rotate credentials regularly
Use repository-scoped tokens for sensitive repos

Organization

Use consistent tagging conventions
Tag images with version and commit SHA
Maintain separate registries for dev/staging/prod
Document which images are scanned

Performance

Scan on push using webhooks
Use specific tags instead of latest
Clean up old images to reduce registry size

Azure CLI Commands

Useful commands for managing ACR access:

# List registries
az acr list --output table

# Show registry details
az acr show --name myregistry --output table

# List repositories
az acr repository list --name myregistry --output table

# List tags
az acr repository show-tags --name myregistry --repository myapp

# Test login
az acr login --name myregistry

# Check role assignments
az role assignment list --scope /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerRegistry/registries/{registry}

Azure Container Registry