
ImageScanSummaryAssessmentGate.ps1 no longer finds assessments #858

Open
killnine opened this issue Mar 20, 2024 · 3 comments

Comments

@killnine

Describe the bug
The container image scan vulnerability assessment script no longer seems to be working. I don't know if there was a schema change or API change on the Graph but it never finds results, even if they do actually appear in Defender for Cloud UI dashboard.

To Reproduce
Steps to reproduce the behavior:

  1. Login to Azure CR via `az acr login -n ''`
  2. Navigate to the ps1 script
  3. Execute the ps1 script:
     ```powershell
     .\ImageScanSummaryAssessmentGate.ps1 -registryName "<companyregistry_without_cr.io_suffix>" -repository "<apprepository>" -tag 932
     ```
  4. See error:

```text
Image Digest: sha256:4a3e5843...snip...2063
Query: securityresources
 | where type == 'microsoft.security/assessments/subassessments'
 | where id matches regex  '(.+?)/providers/Microsoft.ContainerRegistry/registries/(.+)/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/'
 | extend registryResourceId = tostring(split(id, '/providers/Microsoft.Security/assessments/')[0])
 | extend registryResourceName = tostring(split(registryResourceId, '/providers/Microsoft.ContainerRegistry/registries/')[1])
 | extend imageDigest = tostring(properties.additionalData.imageDigest)
 | extend repository = tostring(properties.additionalData.repositoryName)
 | extend patchable = tobool(properties.additionalData.patchable)
 | extend scanFindingSeverity = tostring(properties.status.severity), scanStatus = tostring(properties.status.code)
 | summarize findingsCountOverAll = count(), scanFindingSeverityCount = countif(patchable or not(tobool(False))) by scanFindingSeverity, scanStatus, registryResourceId, registryResourceName, repository, imageDigest
 | summarize findingsCountOverAll = sum(findingsCountOverAll), severitySummary = make_bag(pack(scanFindingSeverity, scanFindingSeverityCount)) by registryResourceId, registryResourceName, repository, imageDigest, scanStatus
 | summarize findingsCountOverAll = sum(findingsCountOverAll) , scanReport = make_bag_if(pack('scanStatus', scanStatus, 'scanSummary', severitySummary), scanStatus != 'NotApplicable')by registryResourceId, registryResourceName, repository, imageDigest
 | extend IsScanned = iif(findingsCountOverAll > 0, true, false)
 | where imageDigest =~ 'sha256:4a3e5843...snip...2063' and repository =~ '<apprepository>' and registryResourceName =~ '<companyregistry_without_cr.io_suffix>'

No results for image <apprepository>:932 yet ...
No results for image <apprepository>:932 yet ...
Write-Error: No results were found for digest: sha256:4a3e5843...snip...2063 after 3 retries!
```

Expected behavior
Historically, this script has executed locally just fine for me.

Additional context
This script is integrated into my AzDO pipeline and it halts pushes to Development environments if it does not pass. It's pretty slow already, requiring a 5 minute waiting period on the previous step, but now that it's not even finding results, it's even more frustrating.

@killnine (Author)

I did see this in the past when I inadvertently included azurecr.io in my registry name. The script gives a log message saying it scrubs it from the input, but I don't think that's accurate, and only once I set the registry to the name without the suffix did it finally work. It was tricky to find this issue because it was running on a build pipeline with injected environment vars for the registry and repo names. But running locally I was able to troubleshoot.

Now it just stopped working entirely.

@killnine (Author)

@wtomw is this kind of a "YMMV" script, or something Microsoft officially supports? Or is there some other tooling that would make it easier to tap into Defender results for new images?

@applefacts

@killnine I don't think it's supported anymore, but check this: https://learn.microsoft.com/en-us/azure/defender-for-cloud/transition-to-defender-vulnerability-management The assessment keys are different with Defender now.
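An added example, written for this thread and not part of the repository's ImageScanSummaryAssessmentGate.ps1: it keeps the retry-and-gate behaviour shown in the error output above, but takes the assessment key as a parameter (so the gate can follow the Defender Vulnerability Management transition linked above instead of hard-coding the Qualys key), strips a trailing `.azurecr.io` before querying, and fails closed when no assessment is found. It assumes the Az.ResourceGraph module (`Search-AzGraph`) and an authenticated Az session; the `Unhealthy` status code and the `High`/`Critical` severity labels used for blocking are assumptions.

```powershell
# Added example (not the repository's ImageScanSummaryAssessmentGate.ps1).
# Assumes the Az.ResourceGraph module (Search-AzGraph) and an authenticated Az session.
# The assessment key is a parameter: the Qualys key quoted in the issue
# (dbd0cb49-b563-45e7-9724-889e799fa648) is not what Defender Vulnerability
# Management writes, so pass the current key from the linked Microsoft docs.
function New-ImageScanQuery {
    param(
        [Parameter(Mandatory)][string]$RegistryName,
        [Parameter(Mandatory)][string]$Repository,
        [Parameter(Mandatory)][string]$ImageDigest,
        [Parameter(Mandatory)][string]$AssessmentKey
    )
    # Resource Graph stores the registry resource name without the login-server
    # suffix; strip it here so a value injected from pipeline variables still matches.
    $registry = $RegistryName -replace '\.azurecr\.io$', ''
    return @"
securityresources
| where type == 'microsoft.security/assessments/subassessments'
| where id matches regex '/providers/Microsoft.ContainerRegistry/registries/(.+)/providers/Microsoft.Security/assessments/$AssessmentKey/'
| extend registryResourceId = tostring(split(id, '/providers/Microsoft.Security/assessments/')[0])
| extend registryResourceName = tostring(split(registryResourceId, '/providers/Microsoft.ContainerRegistry/registries/')[1])
| extend imageDigest = tostring(properties.additionalData.imageDigest)
| extend repository = tostring(properties.additionalData.repositoryName)
| extend severity = tostring(properties.status.severity), scanStatus = tostring(properties.status.code)
| where imageDigest =~ '$ImageDigest' and repository =~ '$Repository' and registryResourceName =~ '$registry'
| summarize findings = count() by severity, scanStatus
"@
}

# Fail closed: a missing assessment is treated like a failed one, because a gate
# that passes on "no results" (the situation in this issue) would silently let
# unscanned images through.
function Test-ImageScanGate {
    param(
        [Parameter(Mandatory)][string]$Query,
        [int]$MaxRetries = 3,
        [int]$DelaySeconds = 60,
        [string[]]$BlockOn = @('High', 'Critical')  # assumed severity labels
    )
    $rows = @()
    for ($i = 1; $i -le $MaxRetries -and $rows.Count -eq 0; $i++) {
        $rows = @(Search-AzGraph -Query $Query)
        if ($rows.Count -eq 0) { Start-Sleep -Seconds $DelaySeconds }
    }
    if ($rows.Count -eq 0) { throw "No assessment found after $MaxRetries retries; refusing to promote image" }
    $blocking = $rows | Where-Object { $_.scanStatus -eq 'Unhealthy' -and $BlockOn -contains $_.severity }
    if ($blocking) { throw "Scan gate failed: $(($blocking | ForEach-Object { "$($_.findings) $($_.severity)" }) -join ', ')" }
    return $true
}
```

In a pipeline step, pass the query from `New-ImageScanQuery` to `Test-ImageScanGate` and let the thrown error stop the job; if a different key is in use, only the `-AssessmentKey` argument changes.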
