Vulnerability assessments for GCP with Microsoft Defender Vulnerability Management

Vulnerability assessment for GCP, powered by Microsoft Defender Vulnerability Management, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in Linux container images, with zero configuration for onboarding, and without deployment of any sensors.

In every account where enablement of this capability is completed, all images stored in Google Registries (GAR and GCR) that meet the criteria for scan triggers are scanned for vulnerabilities without any extra configuration of users or registries. Recommendations with vulnerability reports are provided for all images in Google Registries (GAR and GCR), images that are currently running in GKE that were pulled from Google Registries (GAR and GCR) or any other Defender for Cloud supported registry (ACR or ECR). Images are scanned shortly after being added to a registry, and re-scanned at the interval set in the GCP connector.

Container vulnerability assessment powered by Microsoft Defender Vulnerability Management has the following capabilities:

  • Scanning OS packages - container vulnerability assessment has the ability to scan vulnerabilities in packages installed by the OS package manager in Linux and Windows operating systems. See the full list of the supported OS and their versions.

  • Language specific packagesLinux only - support for language specific packages and files, and their dependencies installed or copied without the OS package manager. See the complete list of supported languages.

  • Exploitability information - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability.

  • Reporting - Container Vulnerability Assessment for GCP powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations:

These are the new preview recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. These new recommendations do not count toward secure score while in preview. The scan engine for those new recommendations is the same as the current GA recommendations, and provides the same findings. These recommendations would be best suited for customers that use the new risk-based view for recommendations and have the Defender CSPM plan enabled..

Recommendation Description Assessment Key
[Preview] Container images in GCP registry should have vulnerability findings resolved Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. 24e37609-dcf5-4a3b-b2b0-b7d76f2e4e04
[Preview] Containers running in GCP should have vulnerability findings resolved Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. 1b3abfa4-9e53-46f1-9627-51f2957f8bba

These current GA recommendations report on vulnerabilities in containers contained within a Kubernetes cluster, and on container images contained within a container registry. These recommendations would be best suited for customers that use the classic view for recommendations and do not have Defender CSPM plan enabled.

Recommendation Description Assessment Key
GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure Scans your GCP registries container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. c27441ae-775c-45be-8ffa-655de37362ce
GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) - Microsoft Azure Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Google Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. 5cc3a2c1-8397-456f-8792-fe9d0d4c9145

Scan triggers

The triggers for an image scan are:

  • One-time triggering:

    • Each image pushed to a container registry is triggered to be scanned. In most cases, the scan is completed within a few hours, but in rare cases it might take up to 24 hours.
    • Each image pulled from a registry is triggered to be scanned within 24 hours.
  • Continuous rescan triggering – continuous rescan is required to ensure images that have been previously scanned for vulnerabilities are rescanned to update their vulnerability reports in case a new vulnerability is published.

    • Re-scan is performed once a day for:

How does image scanning work?

A detailed description of the scan process is described as follows:

Note

For Defender for Container Registries (deprecated), images are scanned once on push, on pull, and rescanned only once a week.

If I remove an image from my registry, how long before vulnerabilities reports on that image would be removed?

It takes 30 hours after an image is deleted from Google Registries (GAR and GCR) before the reports are removed.

Next steps