Control: Security Center container image scan should be enabled

Description

This control ensures that image scan for container registries are enabled.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.securitycenter_container_image_scan_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.securitycenter_container_image_scan_enabled --share

SQL

This control uses a named query:

select
  sub_assessment.id as resource,
  case
    when container_registry_vulnerability_properties ->> 'AssessedResourceType' = 'ContainerRegistryVulnerability' then 'ok'
    else 'alarm'
  end as status,
  case
    when container_registry_vulnerability_properties ->> 'AssessedResourceType' = 'ContainerRegistryVulnerability' then sub_assessment.name || ' container image scan enabled.'
    else sub_assessment.name || ' container image scan disabled.'
  end as reason
  
  , sub.display_name as subscription
from
  azure_security_center_sub_assessment sub_assessment
  right join azure_subscription sub on sub_assessment.subscription_id = sub.subscription_id;

Control: Security Center container image scan should be enabled

Description

Usage

SQL

Tags