Skip to content

ACR Inventory - Query Registry Image Inventory via Azure Resource Graph (ARG) #882

Open
Open
ACR Inventory - Query Registry Image Inventory via Azure Resource Graph (ARG)#882
Assignees
johnsonshiyizha1
Labels
feature-aks-integrationIssues realted to integration with AKSfeature-artifact-discoveryIssues related to artifact discovery and catalogfeature-requestIssues that request new featuresfeature-vuln-managementIssues related to vulnerability management of artifactsroadmapFeatures and asks that should show up on the public roadmaptriagedUse after the issue is triaged

Description

@johnsonshi
johnsonshi
opened on May 6, 2026

Overview

Description

This roadmap item tracks ACR's work to enable customers to query their container registry image inventory via Azure Resource Graph (ARG) and receive notifications about inventory changes via Azure Resource Notifications (ARN).

Context

Today, customers who want to query their registry's image inventory must use ACR's Data Plane APIs (e.g., listing repositories, listing tags, getting manifests). For customers with large registries or multiple registries across subscriptions, this requires making many individual API calls and correlating the results themselves.

Problem Statement

Currently:

  • There is no way to query ACR data plane image inventory through the Azure Resource Graph.
  • Customers cannot use familiar Azure governance tools (Azure Policy, ARG queries) to audit or monitor their container image inventory across registries and subscriptions.
  • There is no notification mechanism for inventory changes (e.g., new image pushed, image deleted) through Azure Resource Notifications.
  • Security and compliance teams cannot easily build cross-registry inventory views using standard Azure tooling.

Proposal

ACR will onboard registry image inventory data to Azure Resource Graph (ARG) and Azure Resource Notifications (ARN). This will allow customers to:

  • Query their image inventory across multiple registries and subscriptions using ARG queries (KQL).
  • Set up notifications for inventory changes (push, delete) via ARN.
  • Use Azure Policy and other governance tools to audit and enforce policies on their container image inventory.
  • Build cross-registry dashboards and compliance reports using standard Azure tooling.

Use Case

  • Security teams can query all container images across all registries in a subscription to audit for vulnerabilities or compliance.
  • Platform teams can build dashboards showing image inventory across multiple registries.
  • Governance workflows can use Azure Policy to enforce rules on container images (e.g., require signed images, disallow certain base images).
  • Automation workflows can subscribe to ARN events to trigger pipelines when new images are pushed.

Milestones

⏳ Private Preview

  • Private Preview available for customers to request access

⏳ Public Preview

  • Public Preview rollout in public regions
  • Public docs on MS Learn

⏳ GA

  • General Availability

Status

Committed — follow this issue for milestone updates and preview availability.

Metadata

Metadata

Assignees

Labels

feature-aks-integrationIssues realted to integration with AKSfeature-artifact-discoveryIssues related to artifact discovery and catalogfeature-requestIssues that request new featuresfeature-vuln-managementIssues related to vulnerability management of artifactsroadmapFeatures and asks that should show up on the public roadmaptriagedUse after the issue is triaged

Type

No type

Fields

No fields configured for issues without a type.

Projects

Cloud Native Security & Registries Roadmap (Public)
Status
In Progress (Development)

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions