steampipe plugin install azuresteampipe plugin install azure
azure_ad_groupazure_ad_service_principalazure_ad_userazure_alert_managementazure_api_managementazure_api_management_backendazure_app_configurationazure_app_service_environmentazure_app_service_function_appazure_app_service_planazure_app_service_web_appazure_app_service_web_app_slotazure_application_gatewayazure_application_insightazure_application_security_groupazure_automation_accountazure_automation_variableazure_bastion_hostazure_batch_accountazure_cognitive_accountazure_compute_availability_setazure_compute_diskazure_compute_disk_accessazure_compute_disk_encryption_setazure_compute_disk_metric_read_opsazure_compute_disk_metric_read_ops_dailyazure_compute_disk_metric_read_ops_hourlyazure_compute_disk_metric_write_opsazure_compute_disk_metric_write_ops_dailyazure_compute_disk_metric_write_ops_hourlyazure_compute_imageazure_compute_resource_skuazure_compute_snapshotazure_compute_ssh_keyazure_compute_virtual_machineazure_compute_virtual_machine_metric_cpu_utilizationazure_compute_virtual_machine_metric_cpu_utilization_dailyazure_compute_virtual_machine_metric_cpu_utilization_hourlyazure_compute_virtual_machine_scale_setazure_compute_virtual_machine_scale_set_network_interfaceazure_compute_virtual_machine_scale_set_vmazure_consumption_usageazure_container_groupazure_container_registryazure_cosmosdb_accountazure_cosmosdb_mongo_collectionazure_cosmosdb_mongo_databaseazure_cosmosdb_restorable_database_accountazure_cosmosdb_sql_databaseazure_data_factoryazure_data_factory_datasetazure_data_factory_pipelineazure_data_lake_analytics_accountazure_data_lake_storeazure_databox_edge_deviceazure_databricks_workspaceazure_diagnostic_settingazure_dns_zoneazure_eventgrid_domainazure_eventgrid_topicazure_eventhub_namespaceazure_express_route_circuitazure_firewallazure_firewall_policyazure_frontdoorazure_hdinsight_clusterazure_healthcare_serviceazure_hpc_cacheazure_hybrid_compute_machineazure_hybrid_kubernetes_connected_clusterazure_iothubazure_iothub_dpsazure_key_vaultazure_key_vault_deleted_vaultazure_key_vault_keyazure_key_vault_key_versionazure_key_vault_managed_hardware_security_moduleazure_key_vault_secretazure_kubernetes_clusterazure_kubernetes_service_versionazure_kusto_clusterazure_lbazure_lb_backend_address_poolazure_lb_nat_ruleazure_lb_outbound_ruleazure_lb_probeazure_lb_ruleazure_locationazure_log_alertazure_log_profileazure_logic_app_workflowazure_machine_learning_workspaceazure_management_groupazure_management_lockazure_mariadb_serverazure_monitor_activity_log_eventazure_monitor_log_profileazure_mssql_elasticpoolazure_mssql_managed_instanceazure_mssql_virtual_machineazure_mysql_flexible_serverazure_mysql_serverazure_nat_gatewayazure_network_interfaceazure_network_security_groupazure_network_watcherazure_network_watcher_flow_logazure_policy_assignmentazure_policy_definitionazure_postgresql_flexible_serverazure_postgresql_serverazure_private_dns_zoneazure_providerazure_public_ipazure_recovery_services_backup_jobazure_recovery_services_vaultazure_redis_cacheazure_resource_groupazure_resource_linkazure_role_assignmentazure_role_definitionazure_route_tableazure_search_serviceazure_security_center_auto_provisioningazure_security_center_automationazure_security_center_contactazure_security_center_jit_network_access_policyazure_security_center_settingazure_security_center_sub_assessmentazure_security_center_subscription_pricingazure_service_fabric_clusterazure_servicebus_namespaceazure_signalr_serviceazure_spring_cloud_serviceazure_sql_databaseazure_sql_serverazure_storage_accountazure_storage_blobazure_storage_blob_serviceazure_storage_containerazure_storage_queueazure_storage_share_fileazure_storage_syncazure_storage_tableazure_storage_table_serviceazure_stream_analytics_jobazure_subnetazure_subscriptionazure_synapse_workspaceazure_tenantazure_virtual_networkazure_virtual_network_gateway

Table: azure_container_registry - Query Azure Container Registries using SQL

Azure Container Registry is a managed Docker registry service provided by Microsoft Azure for storing and managing Docker images. It is integrated with Azure DevOps, Azure Kubernetes Service (AKS), Docker CLI, and other popular open-source tools. Azure Container Registry allows developers to build, store, and manage container images for Azure deployments in a central registry.

Table Usage Guide

The azure_container_registry table provides insights into Azure Container Registries within Microsoft Azure. As a DevOps engineer, explore registry-specific details through this table, including the status, SKU, network access, and other critical details. Utilize it to uncover information about registries, such as those with private network access, the SKU tier, and the verification of admin user-enabled status.

Examples

Basic info

Explore the status and details of your Azure Container Registry instances, including their creation date and geographical location, to gain insights into the distribution and management of your resources. This can be particularly useful for auditing purposes, resource allocation, and strategizing regional deployment.

select
name,
id,
provisioning_state,
creation_date,
sku_tier,
region
from
azure_container_registry;
select
name,
id,
provisioning_state,
creation_date,
sku_tier,
region
from
azure_container_registry;

List registries not encrypted with a customer-managed key

Determine the areas in which container registries in your Azure environment are not encrypted with a customer-managed key. This can help in identifying potential security gaps and ensuring better data protection.

select
name,
encryption ->> 'status' as encryption_status,
region
from
azure_container_registry;
select
name,
json_extract(encryption, '$.status') as encryption_status,
region
from
azure_container_registry;

Get webhook details of registries

Webhooks in Azure Container Registry provide a way to trigger custom actions in response to events happening within the registry. These events can include the completion of Docker image pushes, or deletions in the container registry. When such an event occurs, Azure Container Registry sends an HTTP POST payload to the webhook's configured URL.

select
name,
w ->> 'location' as webhook_location,
w -> 'properties' -> 'actions' as actions,
w -> 'properties' ->> 'scope' as scope,
w -> 'properties' ->> 'status' as status
from
azure_container_registry,
jsonb_array_elements(webhooks) as w;
select
name,
json_extract(w.value, '$.location') as webhook_location,
json_extract(w.value, '$.properties.actions') as actions,
json_extract(w.value, '$.properties.scope') as scope,
json_extract(w.value, '$.properties.status') as status
from
azure_container_registry,
json_each(webhooks) as w;

List registries not configured with virtual network service endpoint

Determine the areas in which registries are not configured with a virtual network service endpoint. This is useful in identifying potential security risks where network access is allowed without restrictions.

select
name,
network_rule_set ->> 'defaultAction' as network_rule_default_action,
network_rule_set ->> 'virtualNetworkRules' as virtual_network_rules
from
azure_container_registry
where
network_rule_set is not null
and network_rule_set ->> 'defaultAction' = 'Allow';
select
name,
json_extract(network_rule_set, '$.defaultAction') as network_rule_default_action,
json_extract(network_rule_set, '$.virtualNetworkRules') as virtual_network_rules
from
azure_container_registry
where
network_rule_set is not null
and json_extract(network_rule_set, '$.defaultAction') = 'Allow';

List registries with admin user account enabled

Determine the areas in which administrative user accounts are activated within your Azure Container Registries. This is beneficial to ascertain potential security risks and maintain best practices for access control.

select
name,
admin_user_enabled,
region
from
azure_container_registry
where
admin_user_enabled;
select
name,
admin_user_enabled,
region
from
azure_container_registry
where
admin_user_enabled;

Query examples

Control examples

Schema for azure_container_registry

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form, e.g. connection_name.
admin_user_enabledbooleanIndicates whether the admin user is enabled, or not.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
cloud_environmenttextThe Azure Cloud Environment.
creation_datetimestamp with time zoneThe creation date of the container registry.
data_endpoint_enabledbooleanEnable a single data endpoint per region for serving data.
data_endpoint_host_namesjsonbA list of host names that will serve data when dataEndpointEnabled is true.
encryptionjsonbThe encryption settings of container registry.
idtextThe unique id identifying the resource in subscription.
identityjsonbThe identity of the container registry.
login_credentialsjsonbThe login credentials for the specified container registry.
login_servertextThe URL that can be used to log into the container registry.
nametext=The name of the resource.
network_rule_bypass_optionstextIndicates whether to allow trusted Azure services to access a network restricted registry. Valid values are: 'AzureServices', 'None'.
network_rule_setjsonbThe network rule set for a container registry.
policiesjsonbThe policies for a container registry.
private_endpoint_connectionsjsonbA list of private endpoint connections for a container registry.
provisioning_statetextThe provisioning state of the container registry at the time the operation was called. Valid values are: 'Creating', 'Updating', 'Deleting', 'Succeeded', 'Failed', 'Canceled'.
public_network_accesstextIndicates whether or not public network access is allowed for the container registry. Valid values are: 'Enabled', 'Disabled'.
regiontextThe Azure region/location in which the resource is located.
resource_grouptext=The resource group which holds this resource.
sku_nametextThe SKU name of the container registry. Required for registry creation. Valid values are: 'Classic', 'Basic', 'Standard', 'Premium'.
sku_tiertextThe SKU tier based on the SKU name. Valid values are: 'Classic', 'Basic', 'Standard', 'Premium'.
statustextThe current status of the resource.
status_messagetextThe detailed message for the status, including alerts and error messages.
status_timestamptimestamp with time zoneThe timestamp when the status was changed to the current value.
storage_account_idtextThe resource ID of the storage account. Only applicable to Classic SKU.
subscription_idtextThe Azure Subscription ID in which the resource is located.
system_datajsonbMetadata pertaining to creation and last modification of the resource.
tagsjsonbA map of tags for the resource.
titletextTitle of the resource.
typetextThe type of the resource.
usagesjsonbSpecifies the quota usages for the specified container registry.
webhooksjsonbWebhooks in Azure Container Registry provide a way to trigger custom actions in response to events happening within the registry.
zone_redundancytextIndicates whether or not zone redundancy is enabled for this container registry. Valid values are: 'Enabled', 'Disabled'.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_container_registry