Add Azure.ACR.ExportPolicy rule to disable container registry exports #3468
Conversation
…xports Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com>
Copilot
AI
changed the title
Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com>
| $ruleResult | Should -Not -BeNullOrEmpty; | ||
| $ruleResult.Length | Should -Be 2; | ||
| $ruleResult.TargetName | Should -BeIn 'registry-K', 'registry-L'; | ||
| $ruleResult.Detail.Reason.Path | Should -BeIn 'properties.policies.exportPolicy.status', 'properties.publicNetworkAccess'; |
There was a problem hiding this comment.
| $ruleResult.Detail.Reason.Path | Should -BeIn 'properties.policies.exportPolicy.status', 'properties.publicNetworkAccess'; | |
| $ruleResult.Detail.Reason.Path | Should -BeIn 'properties.policies.exportPolicy.status'; |
There was a problem hiding this comment.
Updated test assertion to only check for export policy path since public network access check was removed. Commit: f3da01b
| az acr update --name MyRegistry --public-network-enabled false | ||
| az acr config export-policy update --registry MyRegistry --status disabled |
There was a problem hiding this comment.
Instead of MyRegistry use a placeholder <name>.
There was a problem hiding this comment.
Replaced "MyRegistry" with "" placeholder in CLI examples. Commit: f3da01b
| To deploy registries that pass this rule: | ||
|
|
||
| - Set `properties.policies.exportPolicy.status` to `disabled`. | ||
| - Set `properties.publicNetworkAccess` to `Disabled`. |
There was a problem hiding this comment.
Remove setting properties.publicNetworkAccess to Disabled for both Azure template and Bicep examples.
There was a problem hiding this comment.
Removed publicNetworkAccess settings from both Azure template and Bicep examples. Commit: f3da01b
| reviewed: 2025-07-09 | ||
| severity: Important | ||
| pillar: Security | ||
| category: DP:02 Data Protection |
There was a problem hiding this comment.
| category: DP:02 Data Protection | |
| category: SE:08 Hardening resources |
There was a problem hiding this comment.
Changed category from "DP:02 Data Protection" to "SE:08 Hardening resources". Commit: f3da01b
|
|
||
| ## LINKS | ||
|
|
||
| - [Data loss prevention for Azure Container Registry](https://learn.microsoft.com/en-gb/azure/container-registry/data-loss-prevention) |
There was a problem hiding this comment.
Add an additional link first in the list for: [SE:08 Hardening resources](https://learn.microsoft.com/en-us/azure/well-architected/security/harden-resources) which is the reference for the WAF pillar this aligns to.
There was a problem hiding this comment.
Added SE:08 Hardening resources link as the first link in the LINKS section. Commit: f3da01b
| ### Configure with Azure PowerShell | ||
|
|
||
| ```powershell | ||
| Update-AzContainerRegistry -Name MyRegistry -ResourceGroupName MyResourceGroup -PublicNetworkAccess Disabled |
There was a problem hiding this comment.
Also use placeholders for name and resource group name.
There was a problem hiding this comment.
Updated PowerShell example to use placeholders and corrected to use Azure CLI since PowerShell doesn't have direct export policy support. Commit: f3da01b
Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com>
|
|
||
| ## LINKS | ||
|
|
||
| - [SE:08 Hardening resources](https://learn.microsoft.com/en-us/azure/well-architected/security/harden-resources) |
There was a problem hiding this comment.
| - [SE:08 Hardening resources](https://learn.microsoft.com/en-us/azure/well-architected/security/harden-resources) | |
| - [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources) |
There was a problem hiding this comment.
Fixed URL format to remove the locale prefix. Commit: febb866
|
|
||
| ## SYNOPSIS | ||
|
|
||
| Disable export of artifacts from Azure container registry to ensure data is accessed solely via the data plane. |
There was a problem hiding this comment.
In one sentence, update this synopsis to reflect what the problem is instead of what the resolution is.
There was a problem hiding this comment.
Updated synopsis to describe the problem (data exfiltration risk) instead of the solution. Commit: febb866
…ution Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com>
This PR implements a new security rule
Azure.ACR.ExportPolicy(AZR-000403) that ensures Azure Container Registry exports are disabled to prevent data exfiltration.What this rule does
The rule validates that:
properties.policies.exportPolicy.statusis set to"disabled"properties.publicNetworkAccessis set to"Disabled"(required for export policy)This prevents data movement via
acr importoracr transfercommands, ensuring registry data is accessed solely through the data plane (docker pull).Changes made
Azure.ACR.ExportPolicyrule inAzure.ACR.Rule.ps1PSRule-rules.psd1Azure.ACR.Tests.ps1andResources.ACR.jsonTest scenarios
References
Fixes #3444.
Warning
Firewall rules blocked me from connecting to one or more addresses
I tried to connect to the following addresses, but was blocked by firewall rules:
www.powershellgallery.compwsh ./build.ps1 -Build(dns block)pwsh -c Install-Module PSRule -Force -Scope CurrentUser(dns block)pwsh -c Install-Module Pester -Force -Scope CurrentUser(dns block)If you need me to access, download, or install something from one of these locations, you can either:
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.