How to integrate Docker Scout with Azure Container Registry

Container Security

Featured image

Before starting, let’s understand what exactly is Docker Scout? Docker Scout is a container image scanning tool built within Docker Desktop as well as CLI with mindset of Shift-Left approach.It lies on the top of the Docker ecosystem and helps developers to find container image vulnerabilities at the time of image build,thus helps organisation to ship secure entire supply chain.Now one might be confused is that Docker-Scout another CNAPP tool? As per official documentation,it uses SBOM(Software Bill of Material) with 17+ advisory Databases to analyze and scan images with real time CVEs updates.

Now let’s see how we can integrate with Azure Container Registry to scan real time image.

ACR+DockerScout is in Early Access phase at the time of writing this blog

Infra Prerequisites:

  1. Active Azure Subscription

  2. Resource Group (Make sure region of resource group should match with ACR region and ACR region integration is not available for all region so refer official docs)

  3. ACR (Azure Container Registry)
  4. Event Grid with System Topic Deployed
  5. Event Hub Namespace
  6. Inside ACR,enable Token from Repository Permission Blade
  7. Docker Hub account, if you don’t have create New one
  8. Docker socut logged in with Docker hub account
  9. Locally Docker Installed, if using Laptop CLI

LAB In this lab I have taken OWASP Juice Shop App as container image to scan with Docker Scout.

Azure Container Registry(Azure portal)

  docker pull bkimminich/juice-shop
docker run --rm -p 3000:3000 -d bkimminich/juice-shop 

You will see OWASP Juice Shop application can be accessible over port 3000. This is vulnerable application provided by OWASP for pentesting.

Local APp

 docker tag bkimminich/juice-shop

Replace my loginserver with yours.

 docker push


Confirm from Azure portal Repositories blade Image

Now let’s integrate ACR with SCOUT for Vulnerability scan

Docker Scout Integration



after that, you will get ARM template to deploy, basically this ARM template will deploy a Event Grid system topic from Azure Service Events and Registry token .


Make sure to deploy Docker Scout resources to the same resource group as the registry.Then review and create. After successful deployment go to your ACR–> Tokens from Repository Permission blade and copy token, then generate password. You can set password expiration date too. But remember to copy and save password locally, once window is close same password can’t be retrived. You need to regenerate.


Copy the same Token/password put into Docker Scout Registry Token blade and click on enable integration.


After 5 min, status on Docker Scout will change to connected

image Now to start SCAN,select Image and activate Scan Analysis image image

Jump over image blade,there our ACR image is scanned with list of vulnerabilities. Image

Jump over Vulnerabilites blade for more details image

To mitigate vulnerabilities, jump to patch blade and follow the patch released by specific vendor. image

We can check all centralised details from overview blade too. image

and we can deploy our own custom policies from Ploicies blade to set rules.

Thanks for reading blog, keep troubleshooting!