docker pull ghcr.io/schubergphilis/azureenergylabeler:<VERSION>
Lists all Microsoft Defender for Cloud findings and recommendations and calculate an Energy Label. Container image packaged with azureenergylabelercli
This container needs to run with Security Reader permissions to be able to list security findings and calculare the energy label.
| label | high | medium | low |
|---|---|---|---|
| A => | 0 | up to 10 | up to 20 |
| B ==> | up to 10 | up to 20 | up to 40 |
| C ===> | up to 15 | up to 30 | up to 60 |
| D ====> | up to 20 | up to 40 | up to 80 |
| E =====> | up to 25 | up to 50 | up to 100 |
Every command line argument is also reflected in an environment variable which gives flexibility. Command line arguments take precedence over environment variables.
| description | CLI argument | environment variable | example value |
|---|---|---|---|
| Tenand ID (required) | --tenant-id |
AZURE_LABELER_TENANT_ID |
00000000-0000-0000-0000-000000000000 |
| Path to export the results | --export-path |
AZURE_LABELER_EXPORT_PATH |
/local/path or Storage Account Url with SAS token https://sa.blob.windows.net/container/?sas_token |
| Export only number of findings and energy label | --export-metrics |
AZURE_LABELER_EXPORT_METRICS |
false (default) |
| Export all findings information along with energy label | --export-all |
AZURE_LABELER_EXPORT_ALL |
true (default) |
| Regulatory frameworks to take into account | --frameworks |
AZURE_LABELER_FRAMEWORKS |
"Azure Security Benchmark,Azure CIS 1.1.0" |
| Explicit list of subscriptions to take into account | --allowed-subscription-ids |
AZURE_LABELER_ALLOWED_SUBSCRIPTION_IDS |
"00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000001" |
| Explicit list of subscriptions NOT to take into account | --denied-subscription-ids |
AZURE_LABELER_DENIED_SUBSCRIPTION_IDS |
"00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000001" |
| Level of log printing | --log-level |
AZURE_LABELER_LOG_LEVEL |
info |
| Logging configuration | --log-config |
AZURE_LABELER_LOG_CONFIG |
- |
If you are running the azureenergylabeler container in Azure (on ACI, ACA, etc), this is safest and preferred authentication method.
To make use of Managed Identity authentication for the Energy Labeler, make sure it is enabled on your instance (ACI, Function App, etc):
identity: {
type: 'SystemAssigned'
}Also make sure you have a role assignment to your instance, Security Reader is required.
@description('Security Reader role definition')
var roleDefinitionId = resourceId('microsoft.authorization/roleDefinitions', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')
@description('Assign Security Reader role to the container so it can gather security compliance of the subscription/tenant')
resource securityReaderAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid(name)
scope: tenant()
properties: {
principalId: containergroup.identity.principalId
roleDefinitionId: roleDefinitionId
}
}If you are running the azureenergylabeler container outside Azure, you need to authenticate to Azure using Service Principal credentials.
The Service Principal therefore must have Security Reader permission assigned to either at Tenant Level or to the subscriptions where Energy Label are calculated.
| variable name | value |
|---|---|
AZURE_CLIENT_ID |
id of an Azure Active Directory application |
AZURE_TENANT_ID |
id of the application's Azure Active Directory tenant |
AZURE_CLIENT_SECRET |
one of the application's client secrets |
| variable name | value |
|---|---|
AZURE_CLIENT_ID |
id of an Azure Active Directory application |
AZURE_TENANT_ID |
id of the application's Azure Active Directory tenant |
AZURE_CLIENT_CERTIFICATE_PATH |
path to a PEM or PKCS12 certificate file including private key |
AZURE_CLIENT_CERTIFICATE_PASSWORD |
password of the certificate file, if any |
All container in this repository are signed and their signature can be verified against the following public key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0KAPZzcYGAtXaruQNbFiGTiy058c
OMNVzxDVRQSE6lDIB3MCayVdUcyy8b2OmJZ7TYBYLCuEAlFWxVVLMMJ7Cg==
-----END PUBLIC KEY-----Manually verification can be performed by issuing:
cosign verify --key cosign.pub <IMAGE_NAME>