# Scanning Images from Azure ACR

> Configure RAD Security to scan container images from Azure Container Registry

RAD Security produces a comprehensive SBOM (Software Bill of Materials) for your container images compiled within your cluster infrastructure. The `rad-sbom` plugin downloads images from registry APIs and requires authentication for private repositories.

Authenticating with `imagePullSecrets` is not ideal from a security standpoint, because it keeps static registry credentials in the cluster, so managed identity authentication is recommended for Azure ACR integration.

## Prerequisites

* Azure CLI
* Helm CLI

## Configuration Steps

### 1. Login to Azure CLI

```bash
az login
```

### 2. Verify Cluster Configuration

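Ensure the cluster has `oidcIssuerProfile` and `workloadIdentity` enabled. In the command output, `oidcIssuerProfile.enabled` and `securityProfile.workloadIdentity.enabled` should both be `true`:

```bash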
az aks show -g <resource-group> -n <cluster-name>
```

### 3. Create rad-sbom Identity

```bash
export RG=<resource-group>
export CLUSTER_NAME=<cluster-name>
export LOC=<location>

export AKS_OIDC_ISSUER="$(az aks show -n "$CLUSTER_NAME" -g "$RG" --query "oidcIssuerProfile.issuerUrl" -o tsv)"

az identity create --name rad-sbom -g "$RG" --location "$LOC"
```

### 4. Get Client ID

```bash
az identity show -g $RG --name rad-sbom --query 'clientId' -o tsv
```

### 5. Assign AcrPull Role

```bash
export RG=<resource-group>
export ACR_NAME=<acr-name>
export SUBSCRIPTION_ID=<subscription-id>
export RAD_SBOM_CLIENT_ID=<rad-sbom-identity-client-id>

az role assignment create --assignee "$RAD_SBOM_CLIENT_ID" --role "AcrPull" --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.ContainerRegistry/registries/$ACR_NAME"
```

### 6. Federate Identity

```bash
export RG=<resource-group>
export CLUSTER_NAME=<cluster-name>
export AKS_OIDC_ISSUER="$(az aks show -n "$CLUSTER_NAME" -g "$RG" --query "oidcIssuerProfile.issuerUrl" -o tsv)"
export NAMESPACE=<namespace>

az identity federated-credential create \
  --name "rad-sbom-to-${CLUSTER_NAME}" \
  --identity-name rad-sbom \
  --resource-group "$RG" \
  --issuer "${AKS_OIDC_ISSUER}" \
  --subject "system:serviceaccount:${NAMESPACE}:rad-sbom"
```

### 7. Install rad-plugins

Add the following to your `values.yaml`:

```yaml
rad:
  apiUrl: "https://api.rad.security"
  base64AccessKeyId: "<rad-access-key-id>"
  base64SecretKey: "<rad-secret-key>"
  clusterName: "<cluster-name>"
  azureWorkloadIdentityClientId: "<identity-client-id>"
```

Continue installation per the [ArtifactHub documentation](https://artifacthub.io/packages/helm/rad/rad-plugins).
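
The Azure-side setup from steps 2 to 6 can be checked with the script below, an added example that is not part of RAD Security's documentation. The function names are hypothetical. It assumes the variables exported in steps 3 to 6 are still set and that the federated credential keeps the audience `api://AzureADTokenExchange`, which `az` applies when none is passed.

```shell
#!/usr/bin/env bash
# Added example (not RAD Security's code). Uses RG, CLUSTER_NAME, NAMESPACE,
# ACR_NAME and SUBSCRIPTION_ID as exported in steps 3-6.

# Entra ID compares issuer, subject and audience as exact, case-sensitive
# strings, so a dropped trailing slash or a different namespace breaks login.
fic_matches() {  # args: issuer subject audience expected_issuer namespace
  rc=0
  [ "$1" = "$4" ] || { echo "issuer mismatch: '$1' vs '$4'" >&2; rc=1; }
  [ "$2" = "system:serviceaccount:$5:rad-sbom" ] ||
    { echo "subject mismatch: '$2'" >&2; rc=1; }
  # Assumption: default audience, since step 6 passes none explicitly.
  [ "$3" = "api://AzureADTokenExchange" ] ||
    { echo "audience mismatch: '$3'" >&2; rc=1; }
  return "$rc"
}

aks_field() { az aks show -g "$RG" -n "$CLUSTER_NAME" --query "$1" -o tsv; }
fic_field() {
  az identity federated-credential show --name "rad-sbom-to-${CLUSTER_NAME}" \
    --identity-name rad-sbom --resource-group "$RG" --query "$1" -o tsv
}

verify_rad_sbom_identity() {
  [ "$(aks_field oidcIssuerProfile.enabled)" = "true" ] ||
    { echo "OIDC issuer not enabled on cluster" >&2; return 1; }
  [ "$(aks_field securityProfile.workloadIdentity.enabled)" = "true" ] ||
    { echo "workload identity not enabled on cluster" >&2; return 1; }

  # The credential must carry the cluster's issuer URL and the rad-sbom subject.
  fic_matches "$(fic_field issuer)" "$(fic_field subject)" \
    "$(fic_field 'audiences[0]')" \
    "$(aks_field oidcIssuerProfile.issuerUrl)" "$NAMESPACE" || return 1

  # AcrPull should be assigned at the registry scope used in step 5.
  client_id=$(az identity show -g "$RG" --name rad-sbom --query clientId -o tsv)
  scope="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.ContainerRegistry/registries/$ACR_NAME"
  n=$(az role assignment list --assignee "$client_id" --scope "$scope" \
        --query "length([?roleDefinitionName=='AcrPull'])" -o tsv)
  [ "${n:-0}" -ge 1 ] || { echo "AcrPull not assigned at $scope" >&2; return 1; }
  echo "rad-sbom identity, federation and AcrPull assignment are consistent"
}

# After `az login`, run: verify_rad_sbom_identity
```

A non-zero return with an `issuer mismatch` or `subject mismatch` message points at the federated credential from step 6, typically a different namespace or an issuer URL copied without its trailing slash.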
