Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management
Vulnerability assessment for Azure, powered by Microsoft Defender Vulnerability Management, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in container images, with zero configuration for onboarding, and without deployment of any agents.
Note
This feature supports scanning of images in the Azure Container Registry (ACR) only. Images that are stored in other container registries should be imported into ACR for coverage. Learn how to import container images to a container registry.
In every subscription where this capability is enabled, all images stored in ACR that meet the criteria for scan triggers are scanned for vulnerabilities without any extra configuration of users or registries. Recommendations with vulnerability reports are provided for all images in ACR as well as images that are currently running in AKS that were pulled from an ACR registry or any other Defender for Cloud supported registry (ECR, GCR, or GAR). Images are scanned shortly after being added to a registry, and rescanned for new vulnerabilities once every 24 hours.
Container vulnerability assessment powered by Microsoft Defender Vulnerability Management has the following capabilities:
- Scanning OS packages - container vulnerability assessment has the ability to scan vulnerabilities in packages installed by the OS package manager in Linux and Windows OS. See the full list of the supported OS and their versions.
- Language specific packages – Linux only - support for language specific packages and files, and their dependencies installed or copied without the OS package manager. See the complete list of supported languages.
- Image scanning in Azure Private Link - Azure container vulnerability assessment provides the ability to scan images in container registries that are accessible via Azure Private Links. This capability requires access to trusted services and authentication with the registry. Learn how to allow access by trusted services.
- Exploitability information - Each vulnerability report is searched through exploitability databases to assist our customers with determining actual risk associated with each reported vulnerability.
- Reporting - Container Vulnerability Assessment for Azure powered by Microsoft Defender Vulnerability Management provides vulnerability reports using following recommendations:
These are the new recommendations that report on runtime container vulnerabilities and registry image vulnerabilities. They are currently in preview, but are intended to replace the old recommendations. These new recommendations do not count toward secure score while in preview. The scan engine for both sets of recommendations is the same.
| Recommendation | Description | Assessment Key |
|---|---|---|
| [Preview] Container images in Azure registry should have vulnerability findings resolved | Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities for container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and ensures compliance with industry standards. | 33422d8f-ab1e-42be-bc9a-38685bb567b9 |
| [Preview] Containers running in Azure should have vulnerability findings resolved | Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images being used and the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities of container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and ensures compliance with industry standards. | e9acaf48-d2cf-45a3-a6e7-3caa2ef769e0 |
These are the older recommendations that are currently on a retirement path:
| Recommendation | Description | Assessment Key |
|---|---|---|
| Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. | c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |
| Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5 |
- Query vulnerability information via the Azure Resource Graph - Ability to query vulnerability information via the Azure Resource Graph. Learn how to query recommendations via ARG.
- Query scan results via REST API - Learn how to query scan results via REST API.
- Support for exemptions - Learn how to create exemption rules for a management group, resource group, or subscription.
- Support for disabling vulnerabilities - Learn how to disable vulnerabilities on images.
Scan triggers
The triggers for an image scan are:
One-time triggering:
- Each image pushed or imported to a container registry is triggered to be scanned. In most cases, the scan is completed within a few minutes, but in rare cases it might take up to an hour.
- Each image pulled from a registry is triggered to be scanned within 24 hours.
Continuous rescan triggering – continuous rescan is required to ensure images that have been previously scanned for vulnerabilities are rescanned to update their vulnerability reports in case a new vulnerability is published.
- Re-scan is performed once a day for:
- Images pushed in the last 90 days.
- Images pulled in the last 30 days.
- Images currently running on the Kubernetes clusters monitored by Defender for Cloud (either via Agentless discovery for Kubernetes or the Defender sensor).
- Re-scan is performed once a day for:
How does image scanning work?
A detailed description of the scan process is described as follows:
When you enable the container vulnerability assessment for Azure powered by Microsoft Defender Vulnerability Management, you authorize Defender for Cloud to scan container images in your Azure Container registries.
Defender for Cloud automatically discovers all containers registries, repositories and images (created before or after enabling this capability).
Defender for Cloud receives notifications whenever a new image is pushed to an Azure Container Registry. The new image is then immediately added to the catalog of images Defender for Cloud maintains, and queues an action to scan the image immediately.
Once a day, and for new images pushed to a registry:
- All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.
- Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running. To determine if an image is currently running, Defender for Cloud uses both Agentless discovery for Kubernetes and inventory collected via the Defender sensor running on AKS nodes
- Vulnerability reports for registry container images are provided as a recommendation.
For customers using either Agentless discovery for Kubernetes or inventory collected via the Defender sensor running on AKS nodes, Defender for Cloud also creates a recommendation for remediating vulnerabilities for vulnerable images running on an AKS cluster. For customers using only Agentless discovery for Kubernetes, the refresh time for inventory in this recommendation is once every seven hours. Clusters that are also running the Defender sensor benefit from a two hour inventory refresh rate. Image scan results are updated based on registry scan in both cases, and are therefore only refreshed every 24 hours.
Note
For Defender for Container Registries (deprecated), images are scanned once on push, on pull, and rescanned only once a week.
If I remove an image from my registry, how long before vulnerabilities reports on that image would be removed?
Azure Container Registries notifies Defender for Cloud when images are deleted, and removes the vulnerability assessment for deleted images within one hour. In some rare cases, Defender for Cloud might not be notified on the deletion, and deletion of associated vulnerabilities in such cases might take up to three days.
Next steps
- Learn more about the Defender for Cloud Defender plans.
- Check out common questions about Defender for Containers.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for