The AKS Vulnerability Data API gives you programmatic, read-only access to Common Vulnerabilities and Exposures (CVEs) detected in AKS-managed platform components. It's intended for security teams, compliance teams, and platform owners who need authoritative information about vulnerabilities in AKS-managed components, including which AKS release contains the patch for each CVE. For a conceptual overview of how these components are structured and updated, see AKS component versioning.
This overview article explains the purpose of the AKS Vulnerability Data API, the types of CVE data it exposes, and how you can use it to understand the security posture of AKS-managed components over time.
Note
This API doesn't provide a cluster-specific view of vulnerabilities. It tracks CVEs against AKS releases, Kubernetes versions, and node images, and identifies the AKS release that contains the patch for each CVE. Because of planned maintenance windows and the phased rollout of AKS releases, different clusters can be on different AKS releases at any given time.
AKS Vulnerability Data API structure
The API surfaces vulnerability data organized by three AKS component categories:
- AKS platform releases: CVEs that affect a specific AKS release version and the AKS release that contains the patch for each CVE. This covers the Kubernetes control plane components and the container images for AKS-managed features, add-ons, and extensions tied to that release.
- Kubernetes versions: CVEs that affect Kubernetes component images and the container images for AKS-managed features, add-ons, and extensions associated with a specific Kubernetes version.
- Node images (Virtual Hard Disks or VHDs): CVEs that affect operating system (OS) packages and cached container images included in a specific AKS node image.
The data is generated from pre-scanned, validated reports and reflects the security posture of AKS-managed components at specific release points in time.
Important
The AKS Vulnerability Data API is informational only and reports vulnerabilities identified in AKS-managed artifacts, not vulnerabilities present in customer-managed workloads.
The API doesn't:
- Scan customer clusters
- Analyze runtime exposure
- Determine whether a CVE is exploitable in your environment. Exploitability depends on workload behavior, network exposure, and access controls that the API has no visibility into.
- Indicate whether a patched AKS release has rolled out to a specific cluster. Patch availability on a given cluster depends on the cluster's current AKS release, region rollout phase, and planned maintenance windows.
For vulnerability assessment of running clusters and customer workloads, use tools such as Microsoft Defender for Containers or third-party container security scanners.
You can use the vulnerability data to identify which AKS releases include patches for specific CVEs, and then check whether those releases are pending on your clusters due to planned maintenance windows.
Access the API
You can access the AKS Vulnerability Data API using one of the following methods:
- REST API base URL: https://cve-api.prod-aks.azure.com
- Interactive viewer: https://cve-api.prod-aks.azure.com/viewer/index.html
All endpoints are publicly accessible and read-only. They don't expose customer-specific information. Use the interactive viewer for ad-hoc exploration and manual review. Use the REST API for automation, reporting, and large-scale analysis.
How to interpret CVE data
The AKS Vulnerability Data API reports CVEs detected in AKS-managed artifacts at specific points in time. Each CVE in a report is classified as either active or mitigated:
- Active CVEs indicate vulnerabilities that were detected in the referenced AKS artifact version at the time the report was generated.
- Mitigated CVEs indicate vulnerabilities that were detected in a previous version of the referenced AKS artifact but are no longer present in the current version, typically because the affected component or OS package was upgraded.
Choose the right experience
AKS vulnerability information is available through multiple experiences depending on the scope of the task:
| Scope | Recommended experience |
|---|---|
| One-off CVE lookup or ad-hoc investigation | Use the AKS CVE status and security bulletins or the interactive viewer. |
| Cluster-specific CVE analysis without a vulnerability scanner | Correlate the data from this API with the AKS-managed component versions running on your cluster. You can discover the component versions deployed in your cluster using AKS Component Insights. |
| Large-scale CVE analysis or automation | For scenarios where you need to process hundreds or thousands of CVEs reported by a security scanner, use the AKS Vulnerability Data API directly. This allows you to programmatically retrieve vulnerability reports for the AKS artifacts you are running, compare scanner-reported CVEs with the CVEs present in those artifact reports, and identify which CVEs are remediated in newer AKS releases, Kubernetes versions, or node images. |
For guidance on how to use the API for bulk analysis, correlation workflows, and automation scenarios, see Use the Azure Kubernetes Service (AKS) Vulnerability Data API.
Common use cases
The following sections outline common scenarios where the AKS Vulnerability Data API can be used to support security and compliance activities, including auditing CVEs for AKS releases, identifying mitigated CVEs between releases, reviewing CVEs for Kubernetes versions, and assessing node image vulnerabilities.
Audit CVEs for an AKS release
Retrieve vulnerability data for a specific AKS platform release to review CVEs fixed in AKS-managed system components.
Identify CVEs mitigated between AKS releases
AKS release reports include delta information that indicates which CVEs were mitigated compared to the previous release. Review the AKS Release Tracker to determine when an in-progress release reaches your region, and confirm that your maintenance window allows the upgrade.
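As an added example (not code from the AKS documentation or the AKS project), the correlation workflow from the "Large-scale CVE analysis" row above and the release-to-release delta described here, run over constructed reports. The page documents no endpoint paths or response fields, so the report shape, the artifact names and the CVE identifiers below are assumptions; real API responses must be mapped onto that shape first.

```python
# Added example, not code from the AKS documentation or the AKS project.
# ASSUMPTION: the page gives no endpoint paths or response schema, so the
# report shape (artifact version -> {"active": set, "mitigated": set}) is
# constructed, as are the artifact names and CVE-EXAMPLE-* identifiers.

# Constructed sample reports for three node image versions, oldest first.
REPORTS = {
    "nodeimage-v1": {
        "active": {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"},
        "mitigated": set(),
    },
    "nodeimage-v2": {
        "active": {"CVE-EXAMPLE-0003"},
        "mitigated": {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"},
    },
    "nodeimage-v3": {"active": set(), "mitigated": {"CVE-EXAMPLE-0003"}},
}


def mitigated_between(reports, older, newer):
    """CVEs active in `older` that the `newer` report classifies as mitigated:
    the per-release delta the page describes."""
    return reports[older]["active"] & reports[newer]["mitigated"]


def triage(scanner_cves, current, newer_versions, reports=REPORTS):
    """Bucket scanner-reported CVEs against AKS-managed artifact reports.
    `current` is the artifact version the cluster runs; `newer_versions`
    lists candidate upgrade targets, oldest first."""
    result = {
        "fixed_in": {},              # cve -> first newer version mitigating it
        "still_active": set(),       # active in current and in every newer report
        "already_mitigated": set(),  # gone in current: stale scan or other image
        "not_aks_managed": set(),    # absent from AKS reports: likely a workload finding
    }
    cur = reports[current]
    for cve in sorted(scanner_cves):
        if cve in cur["active"]:
            for version in newer_versions:
                if cve in reports[version]["mitigated"]:
                    result["fixed_in"][cve] = version
                    break
            else:
                result["still_active"].add(cve)
        elif cve in cur["mitigated"]:
            result["already_mitigated"].add(cve)
        else:
            result["not_aks_managed"].add(cve)
    return result
```

CVEs in the `fixed_in` bucket are the ones to check against the AKS Release Tracker and your maintenance window; `not_aks_managed` findings belong to a workload scanner such as Microsoft Defender for Containers.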
Review CVEs for a Kubernetes version
Retrieve vulnerability information for a specific Kubernetes version, including CVEs affecting:
- Kubernetes component images.
- AKS-managed features, add-ons, and extensions associated with that version.
This is useful when evaluating Kubernetes upgrades or comparing vulnerability posture across supported versions. Review the AKS Release Tracker to determine when a Kubernetes version reaches your region, and confirm that your maintenance window allows the upgrade.
Review node image (VHD) vulnerabilities
Node image reports provide visibility into vulnerabilities affecting:
- OS packages included in the node image.
- Container images cached in the node image.
This information is useful when planning node image upgrades. Review the AKS Release Tracker to determine when a VHD version reaches your region, and confirm that your maintenance window allows the upgrade.
Related content
- For detailed endpoint documentation, request formats, response schemas, and examples, see Use the Azure Kubernetes Service (AKS) Vulnerability Data API.
- For workload and runtime vulnerability assessment, continue using Microsoft Defender for Containers or third-party scanners.