🔐 Container Security in Azure: Detecting & Fixing Vulnerabilities

👉 "Think of containers like lunchboxes for your apps—how do we keep them safe?"

🔒 Containers are the backbone of modern cloud applications, but are they secure? What happens if a hacker exploits a vulnerability inside a container? In this post, we’ll explore container security in Azure, scan a vulnerable container for security risks, and learn how to protect applications in production.

(What are containers; Easy Explanation)

Imagine you have a lunchbox 📦. Inside, you pack your food (your app).
A container is like that lunchbox—it holds an app and everything it needs to run.
Containers help apps run anywhere (like carrying lunch to school, home, or a picnic).

Why are containers awesome?

✅ Fast 🚀 (No need to start a full kitchen, just open the lunchbox).
✅ Portable 🌍 (Works anywhere).
✅ Saves space 💾 (Shares the same kitchen/OS with others).

Why Do We Need Security?

Imagine someone poisons your lunch 🍔😵!
Or steals your lunchbox 🏃‍♂️💨!
Or you forget to close your lunchbox properly and bugs get in 🐜!
That’s what happens when containers aren’t secured in the cloud.

👨‍💻 Hackers can:
❌ Change your app.
❌ Steal data.
❌ Make it stop working.

Example: Imagine you run a food delivery app inside a container. If an attacker hacks into it, they can steal customer orders, send fake promotions, or even delete your entire database!

How Does Azure Keep Containers Safe?

Azure has security guards that help keep your containers safe! 👮‍♂️🚔

Danger 🚨	How to Stay Safe in Azure 🔐
🛑 Bad food (Bad Code in Containers)	Scan your container lunchbox before using it. (Azure Defender)
🔓 Lunchbox left open (No Security)	Lock it! Use passwords and permissions. (RBAC)
🌍 Lunchbox stolen (Hacker Attack)	Hide it in a safe place. (Private Network, Firewall)
🐛 Food goes bad (Old, insecure code)	Always check for updates. (Azure Policy)

⚠️ Common Security Risks in Containers

Before jumping into the demo, here are some common security vulnerabilities:

🔴 Hardcoded Secrets – Storing passwords directly in code.

🔴 SQL Injection – Hackers stealing data via unsecured database queries.

🔴 Outdated Software – Older versions of software often have security holes.

🔴 Open APIs – Exposed services allow unauthorized access.

💡 The Solution? Regular scanning, secure configurations, and automated security tools.

🛠 Demo 1: Scanning a Vulnerable Container in Azure container registry (ACR)

👉 Think of this as checking your lunchbox for bad food before eating! 🧐

📝 Overview of the Demo

We’ll:

1️⃣ Deploy a vulnerable container to Azure Container Registry (ACR).

2️⃣ Scan the container using Microsoft Defender for Containers.

3️⃣ Review the security vulnerabilities detected in the scan.

4️⃣ Apply security best practices to fix issues.

📌 Prerequisites: What You Need to Follow Along in this Demo Lab

✅ Basic knowledge of containers and Docker (no worries if you’re new, I’ll simplify!)

✅ An active Azure subscription (create a free account at Azure Free Tier)

✅ Azure CLI installed (Download Azure CLI)

✅ Docker installed (Install Docker)

✅ Microsoft Defender for Cloud-enabled (Guide)

📌 Step 1: Set Up Azure Container Registry (ACR)

First, let’s log in to Azure and create a private container registry.

🔹 Commands:

az login  # First Log in to Azure

az group create --name MyResourceGroup --location eastus #  This creates a resource group called MyResourceGroup in the East US region.
az acr create --resource-group MyResourceGroup --name myvulnerableregistry --sku Basic # This creates a private container registry where we’ll store our vulnerable container.

✅ If it fails, confirm if you have Azure CLI properly installed

📌 Step 2: Log in to ACR

Before pushing images, log in to your Azure Container Registry.

az acr login --name myvulnerableregistry

✅ If successful, you'll see a message like:
Login succeeded.

📌 Step 3: Pull, tag & Push the Vulnerable Container to ACR

We’ll use the OWASP Juice Shop container, which is deliberately insecure.

🔹 Commands:


# Pull the vulnerable container from Docker Hub
docker pull bkimminich/juice-shop

# Tag it for Azure
docker tag bkimminich/juice-shop myvulnerableregistry.azurecr.io/juice-shop:v1

# Push it to Azure Container Registry
docker push myvulnerableregistry.azurecr.io/juice-shop:v1

✅ Explanation:

docker pull downloads the vulnerable container from the internet.
docker tag renames the container for Azure.
docker push uploads it to Azure Container Registry (ACR).

If it fails, confirm if you have docker installed and is in running state

📌 Step 4: Scan the Container in Azure Defender

Once the container is uploaded, we scan it for vulnerabilities.

🔹 Steps in Azure Portal:

1️⃣ Go to Azure Portal → Microsoft Defender for Cloud

2️⃣ Click Workload Protections → Containers

3️⃣ Select Vulnerability Assessment

4️⃣ Find our uploaded container (Juice Shop) and check the security scan results.

🔎 What We’ll See: A list of security vulnerabilities inside the container.

📌 Step 4: Understanding the Vulnerabilities Found

The scan may show security issues like:

❌ Hardcoded passwords in the application code.

❌ Outdated Node.js runtime, which attackers can exploit.

❌ Weak authentication, allowing anyone to log in.

🎯 The Goal: Fix these issues before deploying the container to production.

🎬 DEMO 2: Lock the Container with Role-Based Access Control (RBAC)

👉 Think of this as locking your lunchbox so only trusted people can open it! 🔒

Step 1: Open Access Control (IAM) in ACR

1️⃣ Go to Azure Portal → Open Container Registry (mysecurecontainer).
2️⃣ Click Access Control (IAM) → Click + Add Role Assignment.
3️⃣ Choose Role → Select Reader (Read-only access).
4️⃣ Assign it to a User or Service Principal (e.g., yourself for testing).
5️⃣ Click Review and assign✅.

🎉 Now only trusted users can access the container!

🛡 How to Secure Your Containers in Azure

✅ Scan containers before deployment (use Microsoft Defender).

✅ Store secrets securely (use Azure Key Vault, not environment variables).

✅ Use trusted base images (official images from Docker Hub).

✅ Enable Azure Web Application Firewall (WAF) to block attacks.

✅ Apply Role-Based Access Control (RBAC) to limit container access.

Common Questions on Container Security

🔥 Q1: What happens if my container is hacked?

✅ If a hacker exploits a container, they can steal data, inject malware, or take control of the app.

✅ Prevent it by scanning containers, limiting access, and using Azure Security tools.

🔥 Q2: How do I know if my container has vulnerabilities?

✅ Use Microsoft Defender for Containers to scan your images.

✅ Alternative tools: Trivy (trivy image <image-name>) and Docker Scout.

🔥 Q3: Can I block attackers automatically in Azure?

✅ Yes! Azure has built-in security tools:

Microsoft Defender for Containers – Alerts on security threats.
Azure Web Application Firewall (WAF) – Blocks suspicious traffic.
Azure Security Center – Gives security recommendations.

🚀 Final Takeaways & Next Steps

🔹 Lesson 1: Scan containers before deployment to prevent security risks.

🔹 Lesson 2: Fix vulnerabilities early to avoid attacks.

🔹 Lesson 3: Use Azure Defender & WAF for continuous protection.

✅ Defender is like a security guard 🛡️.
✅ Scanning is like checking food before eating 🍔.
✅ RBAC is like locking your lunchbox 🔒.

🌟 Ready to Secure Your Containers?

💡 Try it out! Deploy a vulnerable container, scan it, and fix security flaws.

💬 Have questions or want to learn more? Drop a comment below!

📢 Follow me for more cloud security tips! 🚀🔐

Remember to clean up your resources to avoid unncessarry costs
az group delete --name MyResourceGroup --yes --no-wait
✅ This removes all resources from Azure to avoid extra costs.

📚 Free Resources to Learn More About Container Security

🔹 Microsoft Learn – Secure your containers

🔹 Azure Defender for Containers Documentation

🔹Secure Your Azure Resources with Azure RBAC

🔹RBAC documentaion