Identify vulnerable container images in your CI/CD workflows

This page explains how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they're built as part of your GitHub workflows.

To set up the scanner, you'll need to enable Microsoft Defender for container registries and the CI/CD integration. When your CI/CD workflows push images to your registries, you can view registry scan results and a summary of CI/CD scan results.

The findings of the CI/CD scans are an enrichment to the existing registry scan findings by Qualys. Defender for Cloud's CI/CD scanning is powered by Aqua Trivy.

You’ll get traceability information such as the GitHub workflow and the GitHub run URL, to help identify the workflows that are resulting in vulnerable images.

The vulnerabilities identified in a scan of your registry might differ from the findings of your CI/CD scans. One reason for these differences is that the registry scanning is continuous, whereas the CI/CD scanning happens immediately before the workflow pushes the image into the registry.

Release state: This CI/CD integration is in preview. We recommend that you experiment with it on non-production workflows only. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Pricing: Microsoft Defender for container registries is billed as shown on the pricing page.
Clouds: Commercial clouds; National (Azure Government, Azure China 21Vianet)
To scan your images as they're pushed by CI/CD workflows into your registries, you must have Microsoft Defender for container registries enabled on the subscription.

Set up vulnerability scanning of your CI/CD workflows

To enable vulnerability scans of images in your GitHub workflows:

Step 1. Enable the CI/CD integration in Defender for Cloud

Step 2. Add the necessary lines to your GitHub workflow

Step 1. Enable the CI/CD integration in Defender for Cloud

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the relevant subscription.

  3. From the sidebar of the settings page for that subscription, select Integrations.

  4. In the pane that appears, select an Application Insights account to push the CI/CD scan results from your workflow.

  5. Copy the authentication token and connection string into your GitHub workflow.

    Enable the CI/CD integration for vulnerability scans of container images in your GitHub workflows.
    The authentication token and connection string are used to correlate the ingested security telemetry with resources in the subscription. If you use invalid values for these parameters, it'll lead to dropped telemetry.

Step 2. Add the necessary lines to your GitHub workflow and perform a scan

  1. From your GitHub workflow, enable CI/CD scanning as follows:
    We recommend creating two secrets in your repository to reference in your YAML file as shown below. The secrets can be named according to your own naming conventions. In this example, the secrets are referenced as AZ_APPINSIGHTS_CONNECTION_STRING and AZ_SUBSCRIPTION_TOKEN.
    The push to the registry must happen prior to the results being published.

    # <registry>.azurecr.io/<repository> is a placeholder: substitute the login server
    # of your own Azure Container Registry and the repository you push to.
    - name: Build and Tag Image
      run: |
        echo "github.sha=$GITHUB_SHA"
        docker build -t <registry>.azurecr.io/<repository>:${{ github.sha }} .
    # Scan the freshly built image with Trivy before it leaves the build system.
    # continue-on-error keeps the job running so the push and publish steps still execute.
    - uses: Azure/container-scan@v0
      name: Scan image for vulnerabilities
      id: container-scan
      continue-on-error: true
      with:
        image-name: <registry>.azurecr.io/<repository>:${{ github.sha }}
    # The push must complete before the results are published.
    - name: Push Docker image
      run: |
        docker push <registry>.azurecr.io/<repository>:${{ github.sha }}
    # Publish the scan report to Application Insights using the two repository secrets.
    - name: Post logs to appinsights
      uses: Azure/publish-security-assessments@v0
      with:
        scan-results-path: ${{ steps.container-scan.outputs.scan-report-path }}
        connection-string: ${{ secrets.AZ_APPINSIGHTS_CONNECTION_STRING }}
        subscription-token: ${{ secrets.AZ_SUBSCRIPTION_TOKEN }}
  2. Run the workflow that will push the image to the selected container registry. Once the image is pushed into the registry, a scan of the registry runs and you can view the CI/CD scan results along with the registry scan results within Microsoft Defender for Cloud. Running the above YAML file will install an instance of Aqua Security's Trivy in your build system. Trivy is licensed under the Apache 2.0 License and has dependencies on data feeds, many of which contain their own terms of use.

  3. View CI/CD scan results.
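Added example, not from this Microsoft page or from the Azure actions themselves: a small Python check that applies the ordering rules stated above (scan before push, push before publish) and the wiring shown in the YAML (secrets for the connection string and token, scan-results-path pointing at the scan step's output) to one job's `steps` list as `yaml.safe_load` of a workflow file returns it. The sample steps and the `<registry>.azurecr.io/<repository>` image name are constructed placeholders.

```python
# Added example (not from the Microsoft page): checks a job's `steps` list, as
# yaml.safe_load() of a workflow returns it, against the page's ordering rules.
SCAN_ACTION = "Azure/container-scan"
PUBLISH_ACTION = "Azure/publish-security-assessments"

def _find(steps, pred):
    return next((i for i, s in enumerate(steps) if pred(s)), None)

def check_scan_workflow(steps):
    """Return a list of problems; an empty list means the job is wired correctly."""
    uses = lambda s, a: str(s.get("uses", "")).split("@")[0] == a  # strip '@v0'
    scan = _find(steps, lambda s: uses(s, SCAN_ACTION))
    push = _find(steps, lambda s: "docker push" in str(s.get("run", "")))
    publish = _find(steps, lambda s: uses(s, PUBLISH_ACTION))
    problems = [f"missing step: {w}" for i, w in
                ((scan, SCAN_ACTION), (push, "docker push"), (publish, PUBLISH_ACTION))
                if i is None]
    if problems:
        return problems
    if not scan < push:
        problems.append("image is pushed before it is scanned")
    if not push < publish:
        problems.append("results are published before the push to the registry")
    if not steps[scan].get("continue-on-error"):
        # without it a failing scan step ends the job before push and publish run
        problems.append("scan step lacks continue-on-error: true")
    inputs = steps[publish].get("with") or {}
    for key in ("connection-string", "subscription-token"):
        if "${{ secrets." not in str(inputs.get(key, "")):
            problems.append(f"{key} must be taken from a repository secret")
    expected = "${{ steps.%s.outputs.scan-report-path }}" % steps[scan].get("id")
    if inputs.get("scan-results-path") != expected:
        problems.append("scan-results-path does not point at the scan step's report")
    return problems

# Constructed sample: the page's four steps with a placeholder image name.
IMAGE = "<registry>.azurecr.io/<repository>:${{ github.sha }}"
GOOD_STEPS = [
    {"name": "Build and Tag Image", "run": f"docker build -t {IMAGE} ."},
    {"uses": "Azure/container-scan@v0", "id": "container-scan",
     "continue-on-error": True, "with": {"image-name": IMAGE}},
    {"name": "Push Docker image", "run": f"docker push {IMAGE}"},
    {"uses": "Azure/publish-security-assessments@v0", "with": {
        "scan-results-path": "${{ steps.container-scan.outputs.scan-report-path }}",
        "connection-string": "${{ secrets.AZ_APPINSIGHTS_CONNECTION_STRING }}",
        "subscription-token": "${{ secrets.AZ_SUBSCRIPTION_TOKEN }}"}},
]
# The same steps with the push moved ahead of the scan, which the page warns against.
BAD_STEPS = [GOOD_STEPS[0], GOOD_STEPS[2], GOOD_STEPS[1], GOOD_STEPS[3]]
```

Run it in a pre-merge check on the workflow file so a reordered or hard-coded step is caught before it reaches the registry.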

View CI/CD scan results

  1. To view the findings, open the Recommendations page. If issues were found, you'll see the recommendation Container registry images should have vulnerability findings resolved (powered by Qualys).

    Recommendation to remediate issues.

  2. Select the recommendation.

    The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images ("Affected resources") and the remediation steps.

  3. Open the affected resources list and select an unhealthy registry to see the repositories within it that have vulnerable images.

    Select an unhealthy registry.

    The registry details page opens with the list of affected repositories.

  4. Select a specific repository to see the images within it that have vulnerabilities.

    Select an unhealthy repository.

    The repository details page opens. It lists the vulnerable images together with an assessment of the severity of the findings.

  5. Select a specific image to see the vulnerabilities.

    Select an unhealthy image.

    The list of findings for the selected image opens.

    Image scan results.

  6. To learn more about which GitHub workflow is pushing these vulnerable images, select the information bubble:

    CI/CD findings about specific GitHub branches and commits.

Next steps

Learn more about the advanced protection plans of Microsoft Defender for Cloud.