azure_ad_groupazure_ad_service_principalazure_ad_userazure_alert_managementazure_api_managementazure_api_management_backendazure_app_configurationazure_app_service_environmentazure_app_service_function_appazure_app_service_planazure_app_service_web_appazure_app_service_web_app_slotazure_application_gatewayazure_application_insightazure_application_security_groupazure_automation_accountazure_automation_variableazure_backup_policyazure_bastion_hostazure_batch_accountazure_cdn_frontdoor_profileazure_cognitive_accountazure_compute_availability_setazure_compute_diskazure_compute_disk_accessazure_compute_disk_encryption_setazure_compute_disk_metric_read_opsazure_compute_disk_metric_read_ops_dailyazure_compute_disk_metric_read_ops_hourlyazure_compute_disk_metric_write_opsazure_compute_disk_metric_write_ops_dailyazure_compute_disk_metric_write_ops_hourlyazure_compute_imageazure_compute_resource_skuazure_compute_snapshotazure_compute_ssh_keyazure_compute_virtual_machineazure_compute_virtual_machine_metric_available_memoryazure_compute_virtual_machine_metric_available_memory_dailyazure_compute_virtual_machine_metric_available_memory_hourlyazure_compute_virtual_machine_metric_cpu_utilizationazure_compute_virtual_machine_metric_cpu_utilization_dailyazure_compute_virtual_machine_metric_cpu_utilization_hourlyazure_compute_virtual_machine_scale_setazure_compute_virtual_machine_scale_set_network_interfaceazure_compute_virtual_machine_scale_set_vmazure_consumption_usageazure_container_groupazure_container_registryazure_cosmosdb_accountazure_cosmosdb_mongo_collectionazure_cosmosdb_mongo_databaseazure_cosmosdb_restorable_database_accountazure_cosmosdb_sql_databaseazure_data_factoryazure_data_factory_datasetazure_data_factory_pipelineazure_data_lake_analytics_accountazure_data_lake_storeazure_data_protection_backup_jobazure_data_protection_backup_vaultazure_databox_edge_deviceazure_databricks_workspaceazure_diagnostic_settingazure_dns_zoneazure_eventgrid_domainazure_eventgrid_topicazure_eventhub_namespaceazure_express_route_circuitazure_firewallazure_firewall_policyazure_frontdoorazure_hdinsight_clusterazure_healthcare_serviceazure_hpc_cacheazure_hybrid_compute_machineazure_hybrid_kubernetes_connected_clusterazure_iothubazure_iothub_dpsazure_key_vaultazure_key_vault_deleted_vaultazure_key_vault_keyazure_key_vault_key_versionazure_key_vault_managed_hardware_security_moduleazure_key_vault_secretazure_kubernetes_clusterazure_kubernetes_service_versionazure_kusto_clusterazure_lbazure_lb_backend_address_poolazure_lb_nat_ruleazure_lb_outbound_ruleazure_lb_probeazure_lb_ruleazure_lighthouse_assignmentazure_lighthouse_definitionazure_locationazure_log_alertazure_log_analytics_workspaceazure_log_profileazure_logic_app_workflowazure_machine_learning_workspaceazure_maintenance_configurationazure_management_groupazure_management_lockazure_mariadb_serverazure_monitor_activity_log_eventazure_monitor_log_profileazure_mssql_elasticpoolazure_mssql_managed_instanceazure_mssql_virtual_machineazure_mysql_flexible_serverazure_mysql_serverazure_nat_gatewayazure_network_interfaceazure_network_security_groupazure_network_watcherazure_network_watcher_flow_logazure_policy_assignmentazure_policy_definitionazure_postgresql_flexible_serverazure_postgresql_serverazure_private_dns_zoneazure_private_endpointazure_providerazure_public_ipazure_recovery_services_backup_jobazure_recovery_services_vaultazure_redis_cacheazure_resourceazure_resource_groupazure_resource_linkazure_role_assignmentazure_role_definitionazure_route_tableazure_search_serviceazure_security_center_auto_provisioningazure_security_center_automationazure_security_center_contactazure_security_center_jit_network_access_policyazure_security_center_settingazure_security_center_sub_assessmentazure_security_center_subscription_pricingazure_service_fabric_clusterazure_servicebus_namespaceazure_signalr_serviceazure_spring_cloud_serviceazure_sql_databaseazure_sql_serverazure_storage_accountazure_storage_blobazure_storage_blob_serviceazure_storage_containerazure_storage_queueazure_storage_share_fileazure_storage_syncazure_storage_tableazure_storage_table_serviceazure_stream_analytics_jobazure_subnetazure_subscriptionazure_synapse_workspaceazure_tenantazure_virtual_networkazure_virtual_network_gateway
Table: azure_container_registry - Query Azure Container Registries using SQL
Azure Container Registry is a managed Docker registry service provided by Microsoft Azure for storing and managing Docker images. It is integrated with Azure DevOps, Azure Kubernetes Service (AKS), Docker CLI, and other popular open-source tools. Azure Container Registry allows developers to build, store, and manage container images for Azure deployments in a central registry.
Table Usage Guide
The azure_container_registry table provides insights into Azure Container Registries within Microsoft Azure. As a DevOps engineer, explore registry-specific details through this table, including the status, SKU, network access, and other critical details. Utilize it to uncover information about registries, such as those with private network access, the SKU tier, and the verification of admin user-enabled status.
Examples
Basic info
Explore the status and details of your Azure Container Registry instances, including their creation date and geographical location, to gain insights into the distribution and management of your resources. This can be particularly useful for auditing purposes, resource allocation, and strategizing regional deployment.
select name, id, provisioning_state, creation_date, sku_tier, regionfrom azure_container_registry;select name, id, provisioning_state, creation_date, sku_tier, regionfrom azure_container_registry;List registries not encrypted with a customer-managed key
Determine the areas in which container registries in your Azure environment are not encrypted with a customer-managed key. This can help in identifying potential security gaps and ensuring better data protection.
select name, encryption ->> 'status' as encryption_status, regionfrom azure_container_registry;select name, json_extract(encryption, '$.status') as encryption_status, regionfrom azure_container_registry;Get webhook details of registries
Webhooks in Azure Container Registry provide a way to trigger custom actions in response to events happening within the registry. These events can include the completion of Docker image pushes, or deletions in the container registry. When such an event occurs, Azure Container Registry sends an HTTP POST payload to the webhook's configured URL.
select name, w ->> 'location' as webhook_location, w -> 'properties' -> 'actions' as actions, w -> 'properties' ->> 'scope' as scope, w -> 'properties' ->> 'status' as statusfrom azure_container_registry, jsonb_array_elements(webhooks) as w;select name, json_extract(w.value, '$.location') as webhook_location, json_extract(w.value, '$.properties.actions') as actions, json_extract(w.value, '$.properties.scope') as scope, json_extract(w.value, '$.properties.status') as statusfrom azure_container_registry, json_each(webhooks) as w;List registries not configured with virtual network service endpoint
Determine the areas in which registries are not configured with a virtual network service endpoint. This is useful in identifying potential security risks where network access is allowed without restrictions.
select name, network_rule_set ->> 'defaultAction' as network_rule_default_action, network_rule_set ->> 'virtualNetworkRules' as virtual_network_rulesfrom azure_container_registrywhere network_rule_set is not null and network_rule_set ->> 'defaultAction' = 'Allow';select name, json_extract(network_rule_set, '$.defaultAction') as network_rule_default_action, json_extract(network_rule_set, '$.virtualNetworkRules') as virtual_network_rulesfrom azure_container_registrywhere network_rule_set is not null and json_extract(network_rule_set, '$.defaultAction') = 'Allow';List registries with admin user account enabled
Determine the areas in which administrative user accounts are activated within your Azure Container Registries. This is beneficial to ascertain potential security risks and maintain best practices for access control.
select name, admin_user_enabled, regionfrom azure_container_registrywhere admin_user_enabled;select name, admin_user_enabled, regionfrom azure_container_registrywhere admin_user_enabled;Query examples
Control examples
- All Controls > Container Registry > Container registries admin user should be disabled
- All Controls > Container Registry > Container registries public network access should be disabled
- All Controls > Container Registry > Container registries quarantine policy should be enabled
- All Controls > Container Registry > Container registries retention policy should be enabled
- All Controls > Container Registry > Container registries should be geo-replicated
- All Controls > Container Registry > Container registries trust policy should be enabled
- Container registries should be encrypted with a customer-managed key
- Container registries should not allow unrestricted network access
- Container registries should use private link
- Container Registry should use a virtual network service endpoint
Schema for azure_container_registry
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| admin_user_enabled | boolean | Indicates whether the admin user is enabled, or not. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| cloud_environment | text | The Azure Cloud Environment. | |
| creation_date | timestamp with time zone | The creation date of the container registry. | |
| data_endpoint_enabled | boolean | Enable a single data endpoint per region for serving data. | |
| data_endpoint_host_names | jsonb | A list of host names that will serve data when dataEndpointEnabled is true. | |
| encryption | jsonb | The encryption settings of container registry. | |
| id | text | The unique id identifying the resource in subscription. | |
| identity | jsonb | The identity of the container registry. | |
| login_credentials | jsonb | The login credentials for the specified container registry. | |
| login_server | text | The URL that can be used to log into the container registry. | |
| name | text | = | The name of the resource. |
| network_rule_bypass_options | text | Indicates whether to allow trusted Azure services to access a network restricted registry. Valid values are: 'AzureServices', 'None'. | |
| network_rule_set | jsonb | The network rule set for a container registry. | |
| policies | jsonb | The policies for a container registry. | |
| private_endpoint_connections | jsonb | A list of private endpoint connections for a container registry. | |
| provisioning_state | text | The provisioning state of the container registry at the time the operation was called. Valid values are: 'Creating', 'Updating', 'Deleting', 'Succeeded', 'Failed', 'Canceled'. | |
| public_network_access | text | Indicates whether or not public network access is allowed for the container registry. Valid values are: 'Enabled', 'Disabled'. | |
| region | text | The Azure region/location in which the resource is located. | |
| resource_group | text | = | The resource group which holds this resource. |
| sku_name | text | The SKU name of the container registry. Required for registry creation. Valid values are: 'Classic', 'Basic', 'Standard', 'Premium'. | |
| sku_tier | text | The SKU tier based on the SKU name. Valid values are: 'Classic', 'Basic', 'Standard', 'Premium'. | |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| status | text | The current status of the resource. | |
| status_message | text | The detailed message for the status, including alerts and error messages. | |
| status_timestamp | timestamp with time zone | The timestamp when the status was changed to the current value. | |
| storage_account_id | text | The resource ID of the storage account. Only applicable to Classic SKU. | |
| subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
| system_data | jsonb | Metadata pertaining to creation and last modification of the resource. | |
| tags | jsonb | A map of tags for the resource. | |
| title | text | Title of the resource. | |
| type | text | The type of the resource. | |
| usages | jsonb | Specifies the quota usages for the specified container registry. | |
| webhooks | jsonb | Webhooks in Azure Container Registry provide a way to trigger custom actions in response to events happening within the registry. | |
| zone_redundancy | text | Indicates whether or not zone redundancy is enabled for this container registry. Valid values are: 'Enabled', 'Disabled'. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azureYou can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_container_registry