Docker Desktop and Azure App Cloud Services

Expanded Architecture: Docker developer environment with Azure Cloud Services.

Development Environment

• Docker Desktop + Tools: Visual Studio Code, Azure CLI, Docker Scout, AI, MCP
• Docker Scout CLI: Compares image versions, detects CVEs, integrates with pipelines

Container Host (Windows Server 2025 Core)

• Hyper-V Isolated Containers: For enhanced security
• Workloads: Microservices, legacy apps, AI containers
• GitOps Operator: Automated deployment via Git repositories
• Azure Arc Agent: Connects on-prem host to Azure Control Plane

Here you find more information about Docker on Windows Server 2025 Core

Your Windows 11 Laptop with Docker Desktop

• Hyper-V / WSL2: for your containers development
• Azure Arc Agent: for your Azure Cloud Services and security
• Docker Desktop for Windows installed

Azure Cloud Integrations

Component	Function
Azure App Service (Docker)	Hosts web apps as Docker containers with autoscaling and Key Vault integration
Azure DevOps + Pipelines	CI/CD for image build, scan, push, and deployment
Azure Copilot Security	AI-driven security recommendations and policy analysis
Azure Container Registry (ACR)	Secure storage and distribution of container images
Azure Key Vault	Secrets management: API keys, passwords, certificates
Microsoft Defender for Cloud	Runtime protection, image scanning, threat detection
Azure Policy & RBAC	Governance and access control
Azure Monitor + Sentinel	Logging, metrics, threat detection
Azure Update Manager	Hotpatching of Windows and container images without reboot

More information on Strengthening Container Security with Docker Hardened Images and Azure Container Registry

DevSecOps Workflow

1. Build & Harden Image → Dockerfile + SBOM
2. Scan with Docker Scout → CLI or pipeline
3. Push to ACR → With signing and RBAC
4. Deploy via Azure DevOps Pipelines → App Service or Arc-enabled host
5. Inject Secrets via Key Vault → Automatically at runtime
6. Monitor & Patch → Azure Monitor + Update Manager
7. Audit & Alerting → Azure Sentinel + Defender
8. Security Guidance → Copilot Security analyzes policies and offers recommendations

Example of Deploying a custom container to Azure App Service with Azure Pipelines

Microsoft Azure App Service is really scalable for Docker App Solutions:

Azure App Service is designed to scale effortlessly with your application’s needs. Whether you’re hosting a simple web app or a complex containerized microservice, it offers both vertical scaling (upgrading resources like CPU and memory) and horizontal scaling (adding more instances). With built-in autoscaling, you can respond dynamically to traffic spikes, scheduled workloads, or performance thresholds—without manual intervention or downtime.

From small startups to enterprise-grade deployments, App Service adapts to demand with precision, making it a reliable platform for modern, cloud-native applications.

Scale Up Features and Capacities Learn how to increase CPU, memory, and disk space by changing the pricing tier

Enable Automatic Scaling (Scale Out) Configure autoscaling based on traffic, schedules, or resource metrics

Per-App Scaling for High-Density Hosting Scale individual apps independently within the same App Service Plan

Conclusion

For modern developers, the combination of Azure App Services and Docker Desktop offers a powerful, flexible, and scalable foundation for building, testing, and deploying cloud-native applications.

• Developers can build locally with Docker, ensuring consistency and portability.
• Then deploy seamlessly to Azure App Services, leveraging its cloud scalability and integration.
• This workflow reduces configuration drift, accelerates testing cycles, and improves team collaboration.

Docker Scout version 1.18.2

There’s a quiet moment after every deploy where you ask yourself: what actually changed? Not just the feature—you know that—but the stuff beneath it. Packages. Base images. Vulnerabilities that slipped in while you were busy shipping. Docker Scout’s CLI gives you the flashlight for that dark room. No dashboards. No detours. Just commands, signal, and the truth.

In July 2025 I wrote a blogpost about Docker Scout for Vulnerability management of Containers and remediation

Docker Scout Compare is quite significant for container security, especially in modern DevSecOps workflows. Here’s why it matters:

What Docker Scout Compare Does

• Image Comparison: It analyzes two Docker images—typically a new build vs. a production version—and highlights differences in vulnerabilities, packages, and policies.
• Security Insights: It identifies newly introduced CVEs (Common Vulnerabilities and Exposures), changes in package versions, and policy violations between image versions.
• SBOM Integration: It uses Software Bill of Materials (SBOMs) to trace dependencies and match them against vulnerability databases.

Why It’s Important for Security

• Proactive Risk Management: By comparing images before deployment, teams can catch regressions or newly introduced vulnerabilities early.
• Supply Chain Transparency: Helps track changes across the container supply chain, which is crucial for preventing issues like Log4Shell.
• CI/CD Integration: Fits seamlessly into automated pipelines, ensuring every image update is vetted for security before release.

Key Features That Boost Its Value

Feature	Benefit
Continuous vulnerability scanning	Keeps your images secure over time, not just at build time
Filtering options	Focus on critical or fixable CVEs, ignore unchanged packages, etc.
Markdown/Text reports	Easy to integrate into documentation or dashboards
Multi-stage build analysis	Understand security across complex Dockerfiles

Bottom Line

If you’re serious about container security, Docker Scout Compare isn’t just helpful—it’s becoming essential. It gives developers and security teams a clear view of what’s changing and whether those changes introduce risk.

The heart of change: compare old vs new, precisely

You built a new image. What did you add? What did you remove? What got better—or worse?
Here are some Docker scout compare CLI commands:

# Compare prod vs new build

docker scout compare –to myapp:prod myapp:sha-123

# Focus on meaningful risk changes (ignore base image CVEs)

docker scout compare –to myapp:prod myapp:sha-123 –ignore-base

# Show only high/critical that are fixable

docker scout compare –to myapp:prod myapp:sha-123 –only-severity high,critical –only-fixed

# Fail when security gets worse (perfect for CI)

docker scout compare –to myapp:prod myapp:sha-123 –exit-on vulnerability

Here you find more about Docker Scout Compare

In my case I will do a Docker Scout compare between these two images:

docker scout compare –to azure-cli-patched:latest mcr.microsoft.com/azure-cli:azurelinux3.0

Compare results between the two images.

Compare results between the two images, here you see the Fixed vulnerability differences.

Conclusion

Final Thoughts: Docker Scout Compare CLI & Security

In today’s fast-paced development landscape, security can’t be an afterthought—it must be woven into every stage of the software lifecycle. Docker Scout Compare CLI empowers teams to do just that by offering a clear, actionable view of how container images evolve and what risks they may introduce. Its ability to pinpoint new vulnerabilities, track dependency changes, and integrate seamlessly into CI/CD pipelines makes it a vital tool for modern DevSecOps.

By embracing Docker Scout Compare, organizations move from reactive patching to proactive prevention—turning container security from a bottleneck into a strategic advantage.

I have installed the latest Docker Desktop for Windows version 4.43.2

In today’s cloud-native world, container security is not a luxury—it’s a mission-critical requirement. With the release of Azure Linux 3.0, Microsoft has reinforced its dedication to performance, flexibility, and security. But no matter how polished the host OS is, containers themselves can still be riddled with vulnerabilities, bloated layers, or sneaky outdated dependencies. That’s where Docker Scout and Open Source tool Dive come into play.

Docker Scout: Intelligence at Your Fingertips

Docker Scout introduces vulnerability detection into your CI/CD pipeline. For Azure Linux 3.0 containers, this means:

• Real-Time Vulnerability Scanning: Scout analyzes your container image (including base layers) against CVE databases and flags known vulnerabilities.
• Remediation Guidance: It doesn’t just scream “VULNERABLE!”—Scout offers actionable suggestions like switching to a newer base image or updating specific packages.
• Policy Integration: You can define security policies (e.g., block images with critical CVEs) and automate enforcement in Azure DevOps or GitHub Actions.

In the following steps we will get the Microsoft Azure Linux 3.0 container and scan for security issues before we run the container.

Open Docker terminal
docker pull mcr.microsoft.com/azure-cli:azurelinux3.0

when you have pulled the image, you can do a quick scan with Docker Scout.
docker scout quickview mcr.microsoft.com/azure-cli:azurelinux3.0

docker scout cves mcr.microsoft.com/azure-cli:azurelinux3.0

Here you can see more information about the CVE’s.

Here you see the vulnerable package file and the fix for remediation.

Now we want to remediate this image with the update fix version 2.32.4 of this package. To do this, I made a directory docker fix with a dockerfile (without any extension) with the following commands :

———

# Start met Azure CLI base image op Azure Linux 3.0
FROM mcr.microsoft.com/azure-cli:azurelinux3.0

# Install Python and pip via tdnf
RUN tdnf install -y python3 python3-pip

# Upgrade pip and install
RUN python3 -m pip install –no-cache-dir –upgrade –ignore-installed pip \
&& python3 -m pip install –no-cache-dir requests==2.32.4

# Remove old files
RUN rm -f /usr/lib/az/lib/python3.12/site-packages/requests-2.32.3.dist-info/METADATA

# Verify 
RUN python3 -c “import requests; print(f’Requests versie: {requests.__version__}’)”

————-

With Open Source tool Dive you can have a look into the Docker image. This supported me because first I did only the install and upgrade of the file requests version 2.32.3 to fixed version 2.32.4. But then Docker Scout still see the vulnerability file in the image.

dive [Image]
So that’s why we remove it via the Dockerfile.

We now building a new image with this dockerfile :

docker buildx build –provenance=true –sbom=true -t azure-cli-patched:latest .

After a Docker Scout scan, there are zero vulnerabilities in the image now
and in the Container fixed version 2.32.4 is running.

Conclusion

Docker Scout represents a major leap forward in managing container security, efficiency, and reliability. By integrating seamlessly into the Docker ecosystem, it empowers developers to ship production-ready containers with confidence.

Key Benefits

• Security Insights: Automatically detects vulnerabilities, recommends fixes, and integrates with CVE databases.
• Dependency Intelligence: Tracks changes and upgrades across your software stack to ensure compatibility and stability.
• Image Comparison: Visualizes differences between builds—helping you pinpoint unintended changes and regressions.
• Team Collaboration: Enables shared visibility across development pipelines, so teams can align on image quality and release standards.

In short, Docker Scout turns container image analysis into a proactive, collaborative part of modern DevOps. Whether you’re optimizing performance or hardening against threats, Scout puts you ahead of the curve.

 

 

 

In today’s cloud-native landscape, container security is paramount. IT professionals must strike a balance between agility and security, ensuring that applications run smoothly without exposing vulnerabilities. One way to achieve this is through Docker hardened images, which enhance security by reducing attack surfaces, enforcing best practices, and integrating with Microsoft Azure Container Registry (ACR) for seamless deployment.

Why Hardened Docker Images?

A hardened Docker image is optimized for security, containing only the necessary components to run an application while removing unnecessary libraries, binaries, and configurations. This approach reduces the risk of known exploits and ensures compliance with security standards. Key benefits include:

• Reduced Attack Surface: Eliminating unnecessary components minimizes entry points for attackers.
• Improved Compliance: Meets security benchmarks like CIS, NIST, and DISA STIG.
• Enhanced Stability: Smaller images mean fewer dependencies, reducing vulnerabilities.
• Better Performance: Optimized images lead to faster deployments and lower resource consumption.

Leveraging Azure Container Registry for Secure Image Management

Microsoft Azure Container Registry (ACR) plays a critical role in securely storing, managing, and distributing hardened images. IT professionals benefit from features such as:

• Automated Image Scanning: Built-in vulnerability assessment tools like Microsoft Defender for Cloud detect security risks.
• Content Trust & Signing: Ensures only authorized images are deployed.
• Geo-replication: Enables efficient global distribution of container images.
• Private Registry Access: Provides secure authentication via Azure Active Directory.

Microsoft Azure Container Registry

Hardened Images in Azure Container Solutions

By deploying hardened images through Azure Kubernetes Service (AKS), Azure Container Apps, and Azure Functions, organizations strengthen security in cloud-native applications while leveraging Azure’s scalability and flexibility. This translates to:

• Improved Security Posture: Reducing exposure to common container-based threats.
• Streamlined Operations: Consistent, automated deployment pipelines.
• Efficient Cost Management: Optimized images lower compute and storage costs.

Strengthening Security with Docker Scout

Docker Scout is a powerful security tool designed to detect vulnerabilities in container images. It integrates seamlessly with Docker CLI, allowing IT professionals to:

• Scan Images for CVEs (Common Vulnerabilities and Exposures): Identify security risks before deployment.
• Receive Actionable Insights: Prioritized remediation recommendations based on severity.
• Automate Security Checks: Continuous monitoring ensures compliance with security standards.
• Integrate with Azure Container Registry (ACR): Scan images stored in ACR for proactive security management.

How It Works with Azure Container Solutions

By incorporating Docker Scout with Azure Container Registry (ACR), IT teams can establish a robust security workflow:

1. Build & Harden Docker Images – Optimize base images to minimize attack surfaces.
2. Scan with Docker Scout – Detect vulnerabilities in both public and private repositories.
3. Push Secure Images to ACR – Ensure only validated, hardened images are stored.
4. Deploy on Azure Container Solutions – Use AKS, Azure App Service, or Azure Functions with improved security confidence.
5. Monitor & Automate Security Updates – Continuous scanning helps maintain container integrity.

Best Practices for IT Professionals

To maximize security, IT teams should adopt the following best practices:

1. Use Minimal Base Images (Alpine, Distroless) to reduce attack surfaces.
2. Regularly Update & Scan Images to patch vulnerabilities.
3. Implement Role-Based Access Controls (RBAC) for container registries.
4. Adopt Infrastructure as Code (IaC) to enforce secure configurations.
5. Monitor & Audit Logs for anomalous activity detection.
6. Automate Docker Scout scans in CI/CD pipelines.
7. Enforce image signing & verification using Azure Key Vault.
8. Regularly update base images & dependencies to mitigate risks.
9. Apply role-based access controls (RBAC) within Azure Container Registry

Conclusion

Secure containerization starts with hardened Docker images and robust registry management. Azure Container Registry offers IT professionals the tools to maintain security while leveraging cloud efficiencies. By integrating these strategies within Azure’s ecosystem, organizations can build resilient and scalable solutions for modern workloads.
Docker Scout combined with Azure Container Registry provides IT professionals a strong security foundation for cloud-native applications. By integrating proactive vulnerability scanning into the development workflow, organizations can minimize risks while maintaining agility in container deployments.
When you work with artificial intelligence (AI) and Containers working with Model Context Protocol (MCP)
Security by Design comes first before you begin.
Here you find more information about MCP protocol via Docker documentation

 

 

Use Enhanced Container Isolation

Enhancing Security with Docker Container Isolation

In today’s digital landscape, securing applications and data is paramount. Docker container isolation plays a crucial role in ensuring that applications run securely, without interference from other containers or the host system. This blog post delves into the importance of container isolation for security purposes and compares the security features of Docker’s Hyper-V engine and WSL 2 Docker engine.

The Importance of Container Isolation

Container isolation involves creating a protective boundary around each container to prevent interference between containers and the host system. This helps maintain a secure environment and avoid potential issues. Docker provides several mechanisms to enhance container isolation, including:

• Namespaces: Isolate processes, network interfaces, and file systems.
• Control Groups (cgroups): Limit and isolate resource usage (CPU, memory, disk I/O).
• Seccomp: Restrict system calls that containers can make.
• AppArmor and SELinux: Apply mandatory access control policies.

Here you find more information about AppArmor and SELinux

These mechanisms ensure that containers operate independently, reducing the risk of security breaches.

Use Docker Scout for Security vulnerability management to keep secure Container images

Enhanced Container Isolation (ECI)

Docker’s Enhanced Container Isolation (ECI) provides an additional layer of security to prevent malicious workloads from compromising Docker Desktop or the host. ECI uses advanced techniques to harden container isolation without impacting developer productivity. These techniques include:

• Running all containers unprivileged through the Linux user-namespace.
• Ensuring Docker Desktop VM immutability.
• Vetting critical system calls to prevent container escapes.
• Partially virtualizing portions of /proc and /sys inside the container.

Docker Hyper-V Engine vs. WSL 2 Docker Engine

When it comes to running Docker on Windows, users have two main options: the Hyper-V engine and the WSL 2 Docker engine. Both have their own security implications.

Docker Hyper-V Engine:

• Isolation: Hyper-V provides strong isolation by running each container in a separate virtual machine (VM). This ensures that containers are isolated from each other and the host.
• Security: Hyper-V’s dedicated kernel for Docker Desktop ensures that the integrity of kernel-level configurations is maintained. This makes it harder for malicious workloads to breach the Docker Desktop Linux VM and host.
• User Access: Docker Desktop users cannot easily access the Docker Desktop Linux VM, preventing them from modifying Docker Engine settings inside the VM.

WSL 2 Docker Engine:

• Isolation: WSL 2 uses a lightweight Linux kernel inside a Windows VM, providing a more integrated experience with the Windows operating system.
• Security: While WSL 2 offers good isolation, it shares the same instance of the Linux kernel across all WSL 2 distributions on the same Windows host. This means that Docker Desktop cannot ensure the integrity of the kernel in the Docker Desktop Linux VM, as another WSL 2 distribution could modify shared kernel settings.
• User Access: Docker Desktop users can trivially access the Docker Desktop Linux VM with the wsl -d docker-desktop command, allowing them to bypass Docker Desktop security settings.

Conclusion

Both Docker Hyper-V and WSL 2 engines offer unique advantages and trade-offs in terms of security. Hyper-V provides stronger isolation and security by running containers in separate VMs with dedicated kernels, while WSL 2 offers a more integrated and performant experience with some security limitations. Choosing the right engine depends on your specific security requirements and use cases.

Important

Before you are going to use Docker Container Isolation in production environments, always test your Docker configurations in a Test environment first and do some experience first with your own Container scenarios.

For more detailed information, you can visit the official Docker documentation.

Enhanced Container Isolation (ECI) FAQs

Docker Scout Command Line Reference

Docker Scout is a tool designed to enhance the security of your software supply chain by analyzing your container images. It creates a detailed inventory of the components within your images, known as a Software Bill of Materials (SBOM). This SBOM is then checked against a continuously updated vulnerability database to identify any security weaknesses.

Docker Scout is versatile and can be used with Docker Desktop, Docker Hub, the Docker CLI, and the Docker Scout Dashboard. It also integrates with third-party systems like container registries and CI platforms. Essentially, it helps you proactively manage and mitigate vulnerabilities in your container images, ensuring your applications are more secure before they hit production.

Container Images in the Cloud

When you pulled the Image into Docker, you want to know is it secure before using it.
Here is Docker Scout Security in place.

With Docker Scout we will analyze the Container Image.

Scan vulnerabilities results is 0 and can be used

SBOM with 135 packages and no vulnerabilities found.

Now I can run my Kali Linux Container after Security vulnerability check with Docker Scout.

But there are also images available which have vulnerabilities in the SBOM in some of the packages because they are not up-to-date and behind patching for example. This is why Docker Scout is a very handy security tool to keep your images secure and warn you if security remediation is needed. So don’t pull and run container images fast because you are in a hurry, first check your container image with Docker Scout!

This Container is also pulled from the Cloud and has vulnerabilities because software packages are not up-to-date in the Container image.

Important vulnerabilities found by Docker Scout analyzer!
Click on View Packages and CVEs

The vulnerabilities in this Container image.
You can go deeper into the CVEs.

Here you see the links to the CVEs

Here you see the Fix version of the vulnerability

Click on the CVE-2024-5535 link for more info.

Remediation with Docker Scout is currently in Beta at the moment when I’m writing this blogpost. Here you find more information on docker docs

 

Conclusion

I always say Security by Design. Docker Scout supports you to keep your Container images as secure as possible before your containers are in a running state.
Keep your images in your Cloud registries up-to-date and clean from vulnerabilities in your packages (SBOM). I really like how docker is improving the product in a secure way with Docker Scout and make it easy to understand for DevOps, developers and security people to keep compliance in place and why it’s important not to run public images right away from the Cloud because of the risks.  Here you find more information about Docker Scout:

Docker Scout documentation

Docker Scout integration with other Systems or Container repositories

Get started with Policy Evaluation in Docker Scout

Docker Scout Demo and Q&A