@ -0,0 +1,155 @@
---
description: Integrate Azure Container Registry with Docker Scout
keywords: docker scout, acr, azure, integration, image analysis, security, cves
title: Azure Container Registry integration
---
> **Beta feature**
>
> The Azure Container Registry (ACR) integration is currently in [Beta ](../../../release-lifecycle.md#beta ).
{ .experimental }
Integrating Docker Scout with Azure Container Registry (ACR) lets you view
image insights for images hosted in ACR repositories. After integrating Docker
Scout with ACR and activating Docker Scout for a repository, pushing an image
to the repository automatically triggers image analysis. You can view image
insights using the Docker Scout Dashboard, or the `docker scout` CLI commands.
## How it works
To help you integrate your Azure Container Registry with Docker Scout, you can
use a custom Azure Resource Manager (ARM) template that automatically creates
the necessary infrastructure in Azure for you:
- An EventGrid Topic and Subscription for Image push and delete events.
- A read-only authorization token for the registry, used to list repositories,
and ingest the images.
When the resources have been created in Azure, you can enable the integration
for image repositories in the integrated ACR instance. Once you've enabled a
repository, pushing new images triggers image analysis automatically. The
analysis results appear in the Docker Scout Dashboard.
If you enable the integration on a repository that already contains images,
Docker Scout pulls and analyzes the latest image version automatically.
### ARM template
The following table describes the configuration resources.
> **Note**
>
> Creating these resources incurs a small, recurring cost on the Azure account.
> The **Cost** column in the table represents an estimated monthly cost of the
> resources, when integrating an ACR registry that gets 100 images pushed per
> day.
>
> The Egress cost varies depending on usage, but it’
> the first 100 GB are free.
| Azure | Resource | Cost |
| ----------------------- | ------------------------------------------------------------------------------------------ | ------------------------------------------------- |
| Event Grid system topic | Subscribe to Azure Container Registry events (image push and image delete) | Free |
| Event subscription | Send Event Grid events to Scout via a Webhook subscription | $0.60 for every 1M messages. First 100k for free. |
| Registry Token | Read-only token used for Scout to list the repositories, and pull images from the registry | Free |
The following JSON document shows the ARM template Docker Scout uses to create
the Azure resources.
{{< accordion title = "JSON template" > }}
{{< acr-template.inline > }}
{{ $data := data.GetJSON "https://prod-scout-integration-templates.s3.amazonaws.com/latest/acr_token_template.json" }}
```json
{{ transform.Remarshal "json" $data }}
```
{{< / acr-template.inline > }}
{{< / accordion > }}
## Integrate a registry
1. Go to [Integrations ](https://scout.docker.com/settings/integrations/ ) on the
Docker Scout Dashboard.
2. Select the **Analyze my images from another registry** filter option.
3. Find **Azure Container Registry** in the list, and select **Integrate** .
4. In the **How to integrate** section, enter a configuration name for this
integration. Docker Scout uses this label as a display name for the
integration.
5. Select **Next** .
6. Copy the webhook URL.
7. Select **Deploy to Azure** to open the template deployment wizard in Azure.
You may be prompted to sign in to your Azure account if you're not already
signed in.
8. In the template wizard, configure your deployment:
- **Resource group** : enter the same resource group as you're using for the
container registry. The Docker Scout resources must be deployed to the
same resource group as the registry.
- **Docker Scout Webhook** : paste the webhook you copied from Docker Scout
earlier.
- **Registry name** : enter the name of the ACR registry that you want to
integrate. The registry name is the same as the subdomain of the registry
hostname.
9. Select **Review + create** , and then **Create** to deploy the template.
10. Wait until the deployment is complete.
11. Use the search function in Azure to navigate to the **Container registry**
resource that you're looking to integrate.
12. On the container registry page, select **Tokens** under **Registry
permissions**.
13. Select the `docker-scout-readonly-token` and generate a new password for
this token.
14. Copy the generated password and head back to the Docker Scout Dashboard to
finalize the integration.
15. Enter the **Registry hostname** and paste the generated password into the
**Registry token** field.
16. Select **Enable integration** .
After selecting **Enable integration** , Docker Scout performs a connection test
to verify the integration. If the verification was successful, you're
redirected to the Azure registry summary page, which shows you all your Azure
integrations for the current organization.
Next, activate Docker Scout for the repositories that you want to analyze in
[repository settings ](../../dashboard.md#repository-settings ). When you enable
After activating repositories, images that you push are analyzed by Docker
Scout. The analysis results appear in the Docker Scout Dashboard.
If your repository already contains images, Docker Scout pulls and analyzes the
latest image version automatically.
## Remove an integration
> **Important**
>
> Removing the integration in the Docker Scout Dashboard doesn't automatically
> remove the resources created in Azure.
{ .important }
To remove an ACR integration:
1. Go to [Integrations ](https://scout.docker.com/settings/integrations/ ) on the
Docker Scout Dashboard.
2. Select the **Analyze my images from another registry** filter option.
3. Find **Azure Container Registry** in the list, and select **Manage** .
4. Find the ACR integration that you want to remove, and select the **Remove**
button.
5. In the dialog that opens, confirm by selecting **Remove** .
6. After removing the integration in the Docker Scout Dashboard, also remove
the Azure resources related to the integration:
- The `docker-scout-readonly-token` token for the container registry.
- The `docker-scout-repository` Event Grid System Topic.
David Karlsson
GitHub