Merge pull request #18800 from dvdksn/scout-acr

scout: acr integration

content/scout/integrations/_index.md

@@ -25,6 +25,7 @@ The following container registry integrations are available:
 
 - [Artifactory](./registry/artifactory.md)
 - [Amazon Elastic Container Registry](./registry/ecr.md)
+- [Azure Container Registry](./registry/acr.md) {{< badge color=violet text=Beta >}}
 
 ### Continuous Integration
 

content/scout/integrations/registry/acr.md

@@ -0,0 +1,155 @@
+---
+description: Integrate Azure Container Registry with Docker Scout
+keywords: docker scout, acr, azure, integration, image analysis, security, cves
+title: Azure Container Registry integration
+---
+
+> **Beta feature**
+>
+> The Azure Container Registry (ACR) integration is currently in [Beta](../../../release-lifecycle.md#beta).
+{ .experimental }
+
+Integrating Docker Scout with Azure Container Registry (ACR) lets you view
+image insights for images hosted in ACR repositories. After integrating Docker
+Scout with ACR and activating Docker Scout for a repository, pushing an image
+to the repository automatically triggers image analysis. You can view image
+insights using the Docker Scout Dashboard, or the `docker scout` CLI commands.
+
+## How it works
+
+To help you integrate your Azure Container Registry with Docker Scout, you can
+use a custom Azure Resource Manager (ARM) template that automatically creates
+the necessary infrastructure in Azure for you:
+
+- An EventGrid Topic and Subscription for Image push and delete events.
+- A read-only authorization token for the registry, used to list repositories,
+  and ingest the images.
+
+When the resources have been created in Azure, you can enable the integration
+for image repositories in the integrated ACR instance. Once you've enabled a
+repository, pushing new images triggers image analysis automatically. The
+analysis results appear in the Docker Scout Dashboard.
+
+If you enable the integration on a repository that already contains images,
+Docker Scout pulls and analyzes the latest image version automatically.
+
+### ARM template
+
+The following table describes the configuration resources.
+
+> **Note**
+>
+> Creating these resources incurs a small, recurring cost on the Azure account.
+> The **Cost** column in the table represents an estimated monthly cost of the
+> resources, when integrating an ACR registry that gets 100 images pushed per
+> day.
+>
+> The Egress cost varies depending on usage, but it’s around $0.1 per GB, and
+> the first 100 GB are free.
+
+| Azure                   | Resource                                                                                   | Cost                                              |
+| ----------------------- | ------------------------------------------------------------------------------------------ | ------------------------------------------------- |
+| Event Grid system topic | Subscribe to Azure Container Registry events (image push and image delete)                 | Free                                              |
+| Event subscription      | Send Event Grid events to Scout via a Webhook subscription                                 | $0.60 for every 1M messages. First 100k for free. |
+| Registry Token          | Read-only token used for Scout to list the repositories, and pull images from the registry | Free                                              |
+
+The following JSON document shows the ARM template Docker Scout uses to create
+the Azure resources.
+
+{{< accordion title="JSON template" >}}
+
+{{< acr-template.inline >}}
+{{ $data := data.GetJSON "https://prod-scout-integration-templates.s3.amazonaws.com/latest/acr_token_template.json" }}
+
+```json
+{{ transform.Remarshal "json" $data }}
+```
+
+{{< /acr-template.inline >}}
+
+{{< /accordion >}}
+
+## Integrate a registry
+
+1. Go to [Integrations](https://scout.docker.com/settings/integrations/) on the
+   Docker Scout Dashboard.
+2. Select the **Analyze my images from another registry** filter option.
+3. Find **Azure Container Registry** in the list, and select **Integrate**.
+4. In the **How to integrate** section, enter a configuration name for this
+   integration. Docker Scout uses this label as a display name for the
+   integration.
+5. Select **Next**.
+6. Copy the webhook URL.
+7. Select **Deploy to Azure** to open the template deployment wizard in Azure.
+
+   You may be prompted to sign in to your Azure account if you're not already
+   signed in.
+
+8. In the template wizard, configure your deployment:
+
+   - **Resource group**: enter the same resource group as you're using for the
+     container registry. The Docker Scout resources must be deployed to the
+     same resource group as the registry.
+
+   - **Docker Scout Webhook**: paste the webhook you copied from Docker Scout
+     earlier.
+
+   - **Registry name**: enter the name of the ACR registry that you want to
+     integrate. The registry name is the same as the subdomain of the registry
+     hostname.
+
+9. Select **Review + create**, and then **Create** to deploy the template.
+
+10. Wait until the deployment is complete.
+11. Use the search function in Azure to navigate to the **Container registry**
+    resource that you're looking to integrate.
+
+12. On the container registry page, select **Tokens** under **Registry
+    permissions**.
+
+13. Select the `docker-scout-readonly-token` and generate a new password for
+    this token.
+
+14. Copy the generated password and head back to the Docker Scout Dashboard to
+    finalize the integration.
+
+15. Enter the **Registry hostname** and paste the generated password into the
+    **Registry token** field.
+
+16. Select **Enable integration**.
+
+After selecting **Enable integration**, Docker Scout performs a connection test
+to verify the integration. If the verification was successful, you're
+redirected to the Azure registry summary page, which shows you all your Azure
+integrations for the current organization.
+
+Next, activate Docker Scout for the repositories that you want to analyze in
+[repository settings](../../dashboard.md#repository-settings). When you enable
+
+After activating repositories, images that you push are analyzed by Docker
+Scout. The analysis results appear in the Docker Scout Dashboard.
+If your repository already contains images, Docker Scout pulls and analyzes the
+latest image version automatically.
+
+## Remove an integration
+
+> **Important**
+>
+> Removing the integration in the Docker Scout Dashboard doesn't automatically
+> remove the resources created in Azure.
+{ .important }
+
+To remove an ACR integration:
+
+1. Go to [Integrations](https://scout.docker.com/settings/integrations/) on the
+   Docker Scout Dashboard.
+2. Select the **Analyze my images from another registry** filter option.
+3. Find **Azure Container Registry** in the list, and select **Manage**.
+4. Find the ACR integration that you want to remove, and select the **Remove**
+   button.
+5. In the dialog that opens, confirm by selecting **Remove**.
+6. After removing the integration in the Docker Scout Dashboard, also remove
+   the Azure resources related to the integration:
+
+   - The `docker-scout-readonly-token` token for the container registry.
+   - The `docker-scout-repository` Event Grid System Topic.

data/redirects.yml

@@ -605,6 +605,8 @@
   - "/go/scout-env/"
 "/scout/integrations/environment/sysdig/":
   - "/go/scout-sysdig/"
+"/scout/integrations/registry/acr/":
+  - "/go/scout-acr/"
 
 # Build links
 "/desktop/use-desktop/builds/":

data/toc.yaml

@@ -1392,6 +1392,8 @@ Manuals:
           path: /scout/integrations/registry/artifactory/
         - title: Elastic Container Registry
           path: /scout/integrations/registry/ecr/
+        - title: Azure Container Registry
+          path: /scout/integrations/registry/acr/
       - sectiontitle: Continuous integration
         section:
         - title: GitHub Actions