
Overview

The Azure ACR (Azure Container Registry) integration enables Backline to scan your container images hosted in Azure for security vulnerabilities. Backline uses a service principal with AcrPull permissions to access and scan your container registries.

What You Can Do

With the ACR integration, Backline can:
  • Scan container images in your Azure registries
  • Analyze image layers for vulnerabilities
  • Detect security issues in dependencies
  • Track image security across versions
  • Monitor compliance with security policies

Prerequisites

Before connecting ACR, ensure you have:
  • Azure CLI installed and logged in (az login)
  • An Azure account with ACR registries
  • Permissions to create service principals and assign roles
  • Access to the resource groups containing your ACRs

Connecting ACR

Backline provides automated scripts to simplify the ACR integration setup process.
1. Run the Installation Script

Use the automated script to create a service principal and grant AcrPull permissions to your ACRs. See the ACR Integration Scripts README for detailed instructions and options.

Quick example:
./install_acr_integration.sh --acr myacr --rg mygroup
2. Copy Your Tenant ID

When the script finishes, it outputs your Tenant ID and the Backline App ID. Save the Tenant ID; you’ll need it for the Backline UI.
3. Configure in Backline UI

Go to the Integration Hub in Backline and configure the ACR integration using your Tenant ID.

Setup Scripts

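The integration uses two main scripts:
  • install_acr_integration.sh creates the service principal and assigns the AcrPull role to the registries you specify
  • cleanup_acr_integration.sh removes Backline access from specific ACRs, or removes all ACR access and deletes the service principal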

What the Setup Script Does

The installation script automatically:
  1. Creates a service principal for Backline AI (App ID: 3fc75f55-e53f-4950-9127-665106cded58)
  2. Assigns the AcrPull role to specified container registries
  3. Outputs your Tenant ID (required for Backline UI configuration)
The scripts are idempotent and safe to run multiple times. Use --dry-run to preview changes before applying them.
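
To confirm that the service principal ended up with AcrPull on the intended registries and nothing else, the following added example (not part of Backline's scripts) audits the JSON printed by `az role assignment list --all --assignee <App ID> -o json`. It assumes the `roleDefinitionName` and `scope` fields of that output; the subscription ID and registry names in the sample are constructed placeholders.

```python
import json
import re
import sys

# ARM scope of a single container registry.
REGISTRY_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.ContainerRegistry/registries/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

def audit_assignments(assignments, expected_registries):
    """Return (findings, missing) for one service principal's role assignments."""
    expected = {name.lower() for name in expected_registries}
    findings, covered = [], set()
    for a in assignments:
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        m = REGISTRY_SCOPE.match(scope)
        if role != "AcrPull":
            findings.append(f"unexpected role {role!r} at {scope}")
        elif m is None:
            findings.append(f"AcrPull at non-registry scope {scope}")
        elif m["name"].lower() not in expected:
            findings.append(f"AcrPull on unlisted registry {m['name']}")
        else:
            covered.add(m["name"].lower())
    return findings, sorted(expected - covered)

# Constructed sample in the shape of `az role assignment list -o json`.
# Subscription ID, resource group and registry names are placeholders.
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup"
_ACR = _RG + "/providers/Microsoft.ContainerRegistry/registries/"
SAMPLE = [
    {"roleDefinitionName": "AcrPull", "scope": _ACR + "myacr"},
    {"roleDefinitionName": "AcrPull", "scope": _RG},
    {"roleDefinitionName": "Contributor", "scope": _ACR + "otheracr"},
]

if __name__ == "__main__":
    # Pipe real CLI output in, or run from a terminal to use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings, missing = audit_assignments(data, sys.argv[1:] or ["myacr", "newacr"])
    for line in findings:
        print("FINDING:", line)
    for name in missing:
        print("MISSING: no AcrPull assignment on", name)
    sys.exit(1 if findings or missing else 0)
```

Pass the registry names you gave to the installation script as arguments; a non-zero exit means the principal holds a role other than AcrPull, holds AcrPull at a wider scope than a single registry, or lacks it on a registry you expected.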

After Connection

Once ACR is connected, Backline will:
  1. List all registries and repositories
  2. Begin scanning tagged images
  3. Analyze vulnerabilities in image layers
  4. Provide remediation guidance

Image Scanning

Backline examines:
  • All images in connected registries
  • Base image vulnerabilities
  • Application dependencies within containers
  • Configuration weaknesses
Initial scans may take time depending on image size and quantity. Backline performs incremental scans for efficiency.

Managing the Integration

Adding More ACRs

To add additional ACRs to the integration, simply run the installation script again with the new ACRs:
./install_acr_integration.sh --acr newacr --rg newgroup
The script is idempotent and will only add new permissions without affecting existing ones.

Removing ACR Access

To remove Backline access from specific ACRs or remove the integration entirely, use the cleanup_acr_integration.sh script.
Remove specific ACR:
./cleanup_acr_integration.sh --acr myacr --rg mygroup
Remove all ACR access and delete service principal:
./cleanup_acr_integration.sh --all --yes
See the cleanup script documentation for more options.
Removing the service principal (--all) will stop scanning of all Azure container images. Existing findings remain but won’t be refreshed.