跳到主要内容

Enable Registry Access

Implementation Effort: Medium – Requires configuration of registry connectors and credentials for external container registries.

User Impact: Low – Registry access setup is handled by security and DevOps teams; end users are not directly affected.

Overview

Enabling registry access in Microsoft Defender for Containers allows Defender to scan container images stored in external registries such as Docker Hub, Google Artifact Registry, and Google Container Registry. This enables vulnerability assessment and compliance monitoring of container images before they are deployed into Kubernetes environments.

For Docker Hub

  1. Create a dedicated Docker Hub user with access to all organizational repositories.
  2. Assign the user an Editor role and verify the email invitation.
  3. Generate a read-only access token for this user.
  4. Use the Docker Hub connector in Microsoft Defender for Cloud to provide the username and token 1.

For Google Registries

  1. Navigate to Microsoft Defender for Cloud > Environment settings.
  2. Select your GCP project and go to Defender plans.
  3. Enable Registry access by toggling it to On.
  4. This enables vulnerability scanning for images in Google Artifact Registry and Google Container Registry 2.

This capability supports the "Verify Explicitly" principle of Zero Trust by ensuring that only verified and scanned container images are used in production, reducing the risk of deploying vulnerable or malicious code.

Reference