Use Azure Defender for container registries to scan your images for vulnerabilities
This page explains how to use the built-in vulnerability scanner to scan the container images stored in your Azure Resource Manager-based Azure Container Registry.
When Azure Defender for container registries is enabled, any image you push to your registry will be scanned immediately. In addition, any image pulled within the last 30 days is also scanned.
When the scanner reports vulnerabilities to Security Center, Security Center presents the findings and related information as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.
Availability
| Aspect | Details |
|---|---|
| Release state: | Generally available (GA) |
| Pricing: | Azure Defender for container registries is billed as shown on the pricing page |
| Supported registries and images: | Linux images in ACR registries accessible from the public internet with shell access |
| Unsupported registries and images: | Windows images 'Private' registries Registries with access limited with a firewall, service endpoint, or private endpoints such as Azure Private Link Super-minimalist images such as Docker scratch images, or "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS |
| Required roles and permissions: | Security reader and Azure Container Registry roles and permissions |
| Clouds: | 
Commercial clouds
US Gov and China Gov - Only the scan on push feature is currently supported. Learn more in When are images scanned? |
Identify vulnerabilities in images in Azure container registries
To enable vulnerability scans of images stored in your Azure Resource Manager-based Azure Container Registry:
Enable Azure Defender for container registries for your subscription. Security Center is now ready to scan images in your registries.
Note
This feature is charged per image.
Image scans are triggered on every push or import, and if the image has been pulled within the last 30 days.
When the scan completes (typically after approximately 2 minutes, but can be up to 15 minutes), findings are available as Security Center recommendations.
Identify vulnerabilities in images in other container registries
Use the ACR tools to bring images to your registry from Docker Hub or Microsoft Container Registry. When the import completes, the imported images are scanned by Azure Defender.
Learn more in Import container images to a container registry
When the scan completes (typically after approximately 2 minutes, but can be up to 15 minutes), findings are available as Security Center recommendations.
View and remediate findings
To view the findings, go to the Recommendations page. If issues were found, you'll see the recommendation Vulnerabilities in Azure Container Registry images should be remediated
Select the recommendation.
The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images ("Affected resources") and the remediation steps.
Select a specific registry to see the repositories within it that have vulnerable repositories.
The registry details page opens with the list of affected repositories.
Select a specific repository to see the repositories within it that have vulnerable images.
The repository details page opens. It lists the vulnerable images together with an assessment of the severity of the findings.
Select a specific image to see the vulnerabilities.
The list of findings for the selected image opens.
To learn more about a finding, select the finding.
The findings details pane opens.
This pane includes a detailed description of the issue and links to external resources to help mitigate the threats.
Follow the steps in the remediation section of this pane.
When you have taken the steps required to remediate the security issue, replace the image in your registry:
Push the updated image. This will trigger a scan.
Check the recommendations page for the recommendation "Vulnerabilities in Azure Container Registry images should be remediated".
If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.
When you are sure the updated image has been pushed, scanned, and is no longer appearing in the recommendation, delete the “old” vulnerable image from your registry.
Disable specific findings (preview)
Note
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.
When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios include:
- Disable findings with severity below medium
- Disable findings that are non-patchable
- Disable findings with CVSS score below 6.5
- Disable findings with specific text in the security check or category (for example, “RedHat”, “CentOS Security Update for sudo”)
Important
To create a rule, you need permissions to edit a policy in Azure Policy.
Learn more in Azure RBAC permissions in Azure Policy.
You can use any of the following criteria:
- Finding ID
- Category
- Security check
- CVSS v3 scores
- Severity
- Patchable status
To create a rule:
From the recommendations detail page for Vulnerabilities in Azure Container Registry images should be remediated, select Disable rule.
Select the relevant scope.
Define your criteria.
Select Apply rule.
To view, override, or delete a rule:
- Select Disable rule.
- From the scope list, subscriptions with active rules show as Rule applied.
- To view or delete the rule, select the ellipsis menu ("...").