Vulnerability assessments for supported environments
In supported environment (Azure, AWS, or GCP), Defender for Containers can perform agentless vulnerability assessment on images in a supported container registry and on running containers. Relevant recommendations are generated for vulnerabilities detected in a container registry image or running container.
Vulnerability assessment of images in supported container registries is performed when Registry access is enabled for the Defender for Cloud Security Posture Management or Defender for Containers plans. Vulnerability assessment of running containers is performed when Agentless scanning for machines is enabled in the Defender for Cloud Security Posture Management or Defender for Containers plans, regardless of the source of the container image. Vulnerability assessment for running containers provides more value compared to only scanning images in supported container registries, as it also includes Kubernetes add-ons and 3rd party tools running in the cluster.
Note
Containers created from images in unsupported registries are only scanned for vulnerability assessments if running within the AKS environment.
Vulnerability assessment of container images, powered by Microsoft Defender Vulnerability Management, has the following capabilities:
Scanning OS packages - container vulnerability assessment has the ability to scan vulnerabilities in packages installed by the OS package manager in Linux and Windows OS. See the full list of the supported OS and their versions.
Language specific packages – Linux only - support for language specific packages and files, and their dependencies installed or copied without the OS package manager. See the complete list of supported languages.
Image scanning in Azure Private Link - Azure container vulnerability assessment can scan images in container registries that are accessible via Azure Private Links. This capability requires access to trusted services and authentication with the registry. Learn how to allow access by trusted services.
Exploitability information - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability.
Reporting - Container Vulnerability Assessment for Azure powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations:
Exploitability information - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability.
Reporting - Container Vulnerability Assessment powered by Microsoft Defender Vulnerability Management provides vulnerability reports using the following recommendations:
Query vulnerability information via the Azure Resource Graph - Ability to query vulnerability information via the Azure Resource Graph. Learn how to query recommendations via ARG.
Query scan results via REST API - Learn how to query scan results via the REST API.
Support for exemptions - Learn how to create exemption rules for a management group, resource group, or subscription.
Support for disabling vulnerabilities - Learn how to disable vulnerabilities on images.
Vulnerability assessment recommendations
The following new preview recommendations report on runtime container vulnerabilities and registry image vulnerabilities, and don't count toward secure score while in preview. The scan engine for the new recommendations is the same as the current GA recommendations, and provides the same findings. The new recommendations are best suited for customers that use the new risk-based view for recommendations and have the Defender CSPM plan enabled.
| Recommendation | Description | Assessment Key |
|---|---|---|
| [Preview] Container images in Azure registry should have vulnerability findings resolved | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 33422d8f-ab1e-42be-bc9a-38685bb567b9 |
| [Preview] Containers running in Azure should have vulnerability findings resolved | Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. | c5045ea3-afc6-4006-ab8f-86c8574dbf3d |
The following current GA recommendations report on vulnerabilities in containers within a Kubernetes cluster, and on container images within a container registry. These recommendations are best suited for customers that use the classic view for recommendations and do not have Defender CSPM plan enabled.
| Recommendation | Description | Assessment Key |
|---|---|---|
| Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |
| Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 |
How Vulnerability Assessment for Images and Containers Works
Scanning images in Defender for Containers supported registries
Note
The Registry access extension must be enabled for vulnerability assessment of images in container registries.
The scan of an image in a container registry creates an inventory of the image and its vulnerability recommendations. The supported container image registries are: Azure Container Registry (ACR), Amazon AWS Elastic Container Registry (ECR), Google Artifact Registry (GAR), Google Container Registry (GCR), and configured external registries. An image is scanned when:
- A new image is pushed or imported to the container registry. The image is scanned within a few hours.
- Continuous re-scan triggering – continuous re-scan is required to ensure images that have been previously scanned for vulnerabilities are re-scanned to update their vulnerability reports in case a new vulnerability is published.
Re-scan is performed once a day for:
- Images pushed in the last 90 days.*
- Images pulled in the last 30 days.
- Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via Agentless discovery for Kubernetes or the Defender sensor).
* The new preview recommendation is generated for images pushed in the last 30 days.
Frequency of image scans
An image is scanned within 24 hours when it is pulled from the container registry.
Note
In some rare cases, a new image in the registry might take up to 24 hours before scanning.
In addition, the following images are scanned every 24 hours to update their vulnerability recommendations, in the event a new vulnerability is published.
An image is pushed or imported to the container registry in the last 90 days.
An image is pulled from the container registry in the last 30 days.
Note
For Defender for Container Registries (deprecated), images are scanned once on push, on pull, and rescanned only once a week.
Scanning containers running in the cluster workload
Containers running in the cluster workload are scanned for vulnerabilities every 24 hours. The scan is agnostic to the running container image's source registry and includes Kubernetes add-ons and third party tools. The relevant recommendations are generated for each vulnerable container.
Note
Agentless scanning for running containers is performed when both the following extensions are enabled:
- Agentless machine scanning
- K8S API access or Defender sensor
Note
Containers created using images from unsupported container registries will only be scanned if running within the AKS environment.
Recommendations for a running container using an image from a supported container registry, are generated from the container registry image scan, even if a customer doesn't enable Agentless machine scanning.
Note
The container runtime layer can't be scanned for vulnerabilities. In addition, the following containers can't be scanned for vulnerabilities:
- Containers in nodes using AKS Ephemeral OS disks
- Auto-scale configured AKS clusters may provide only partial results.
- Windows OS containers
If I remove an image from my registry, how long before vulnerabilities reports on that image would be removed?
Azure Container Registries notifies Defender for Cloud when images are deleted, and removes the vulnerability assessment for deleted images within one hour. In some rare cases, Defender for Cloud might not be notified on the deletion, and deletion of associated vulnerabilities in such cases might take up to three days.
Next steps
- Learn more about the Defender for Cloud Defender plans.
- Check out common questions about Defender for Containers.