Vulnerability assessments for supported environments
Defender for Containers performs agentless vulnerability assessment on container images in supported runtime environments and supported container registries. Relevant recommendations are generated for vulnerabilities detected in a container registry image or running container.
Vulnerability assessment of images in supported container registries is performed when Registry access is enabled for the Defender for Cloud Security Posture Management or Defender for Containers plans.
Vulnerability assessment of running container images is performed agnostic of the originating container registry, when the Agentless scanning for machines extension together with either the K8S API access or Defender sensor extensions are enabled in the Defender for Cloud Security Posture Management or the Defender for Containers plans. Vulnerability assessment findings are also created for container images pulled from supported registries.
Note
Review the Defender for Containers support matrix for supported environments.
Vulnerability assessment of container images, powered by Microsoft Defender Vulnerability Management, has the following capabilities:
Scanning OS packages - container vulnerability assessment has the ability to scan vulnerabilities in packages installed by the OS package manager in Linux and Windows OS. See the full list of the supported OS and their versions.
Language specific packages – Linux only - support for language specific packages and files, and their dependencies installed or copied without the OS package manager. See the complete list of supported languages.
Image scanning in Azure Private Link - Azure container vulnerability assessment can scan images in container registries that are accessible via Azure Private Links. This capability requires access to trusted services and authentication with the registry. Learn how to allow access by trusted services.
Exploitability information - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability.
Reporting - Container Vulnerability Assessment for Azure powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations:
Exploitability information - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability.
Reporting - Container Vulnerability Assessment powered by Microsoft Defender Vulnerability Management provides vulnerability reports using the following recommendations:
Query vulnerability information via the Azure Resource Graph - Ability to query vulnerability information via the Azure Resource Graph. Learn how to query recommendations via ARG.
Query scan results via REST API - Learn how to query scan results via the REST API.
Support for exemptions - Learn how to create exemption rules for a management group, resource group, or subscription.
Support for disabling vulnerabilities - Learn how to disable vulnerabilities on images.
Vulnerability findings artifact signing and verification - Each image's vulnerability findings artifact is signed with a Microsoft certificate for integrity and authenticity and is associated with the container image in the registry for validation needs.
Vulnerability assessment recommendations
The following new preview recommendations report on runtime container vulnerabilities and registry image vulnerabilities, and don't count toward secure score while in preview. The scan engine for the new recommendations is the same as the current GA recommendations, and provides the same findings. The new recommendations are best suited for customers that use the new risk-based view for recommendations and have the Defender CSPM plan enabled.
| Recommendation | Description | Assessment Key |
|---|---|---|
| [Preview] Container images in Azure registry should have vulnerability findings resolved | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 33422d8f-ab1e-42be-bc9a-38685bb567b9 |
| [Preview] Containers running in Azure should have vulnerability findings resolved | Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. | c5045ea3-afc6-4006-ab8f-86c8574dbf3d |
The following current GA recommendations report on vulnerabilities in containers within a Kubernetes cluster, and on container images within a container registry. These recommendations are best suited for customers that use the classic view for recommendations and don't have Defender CSPM plan enabled.
| Recommendation | Description | Assessment Key |
|---|---|---|
| Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |
| Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 |
How Vulnerability Assessment for Images and Containers Works
Scanning images in Defender for Containers supported registries
Note
The Registry access extension must be enabled for vulnerability assessment of images in container registries.
The scan of an image in a container registry creates an inventory of the image and its vulnerability recommendations. The supported container image registries are: Azure Container Registry (ACR), Amazon AWS Elastic Container Registry (ECR), Google Artifact Registry (GAR), Google Container Registry (GCR), and configured external registries. An image is scanned when:
- A new image is pushed or imported to the container registry. The image is scanned within a few hours.
- Continuous re-scan triggering – continuous rescan is required to ensure images that have been previously scanned for vulnerabilities are rescanned to update their vulnerability reports in case a new vulnerability is published.
Re-scan is performed once a day for:
- Images pushed in the last 90 days.*
- Images pulled in the last 30 days.
- Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via Agentless discovery for Kubernetes or the Defender sensor).
* The new preview recommendation is generated for images pushed in the last 30 days.
Note
For Defender for Container Registries (deprecated), images are scanned once on push, on pull, and rescanned only once a week.
Scanning containers running in the cluster workload
The container images in the cluster workload are scanned as follows:
- Vulnerable images scanned in supported registries are identified as running on the cluster by discovery process. Running container images are scanned every 24 hours. Registry Access and either Kubernetes API access or Defender sensor must be enabled.
- Container images are collected from the runtime environment and scanned for vulnerabilities, agnostic to the originating registry. The scan includes customer owned containers, Kubernetes add-ons, and third party tools running on the cluster. Runtime environment images are collected every 24 hours. Agentless scanning for machines either Kubernetes API access or Defender sensor must be enabled.
Note
- The container runtime layer can't be scanned for vulnerabilities.
- Container images from nodes using AKS Ephemeral OS disks or Windows nodes can't be scanned for vulnerabilities.
- Autoscale configured AKS clusters may provide partial or no results if any or all of the cluster nodes are down at the time of scan.
If I remove an image from my registry, how long before vulnerabilities reports on that image would be removed?
Azure Container Registries notifies Defender for Cloud when images are deleted, and removes the vulnerability assessment for deleted images within one hour. In some rare cases, Defender for Cloud might not be notified on the deletion, and deletion of associated vulnerabilities in such cases might take up to three days.
Next steps
- Learn more about the Defender for Cloud Defender plans.
- Check out common questions about Defender for Containers.