Vulnerability assessments for supported environments
In supported environments (Azure, AWS, or GCP), Defender for Containers can perform agentless vulnerability assessment on images in a supported container registry and on running containers. Relevant recommendations are generated for vulnerabilities detected in a container registry image or in a running container.
Vulnerability assessment of images in supported container registries is performed when Registry access is enabled for the Defender for Cloud Security Posture Management or Defender for Containers plans. Vulnerability assessment of running containers is performed when Agentless scanning for machines is enabled in the Defender for Cloud Security Posture Management or Defender for Containers plans, regardless of the source of the container image. Vulnerability assessment of running containers provides more coverage than scanning images in supported container registries alone, because it also includes Kubernetes add-ons and third-party tools running in the cluster.
Note
Containers created from images in unsupported registries are only scanned for vulnerability assessments if running within the AKS environment.
Vulnerability assessment of container images, powered by Microsoft Defender Vulnerability Management, has the following capabilities:
Scanning OS packages - Container vulnerability assessment can scan for vulnerabilities in packages installed by the OS package manager on Linux and Windows. See the full list of supported operating systems and versions for each of the Azure, AWS, and GCP environments.
Language-specific packages (Linux only) - Support for language-specific packages and files, and their dependencies, installed or copied without the OS package manager. See the complete list of supported languages for each of the Azure, AWS, and GCP environments.
Image scanning in Azure Private Link - Azure container vulnerability assessment can scan images in container registries that are accessible through Azure Private Link. This capability requires access by trusted services and authentication with the registry. Learn how to allow access by trusted services.
Exploitability information - Each reported vulnerability is checked against exploitability databases to help customers determine the actual risk associated with it.
Reporting - Container Vulnerability Assessment powered by Microsoft Defender Vulnerability Management provides vulnerability reports using the following recommendations:
The following new preview recommendations report on runtime container vulnerabilities and registry image vulnerabilities, and don't count toward secure score while in preview. The scan engine for the new recommendations is the same as for the current GA recommendations and produces the same findings. The new recommendations are best suited for customers who use the new risk-based view for recommendations and have the Defender CSPM plan enabled. There is one registry image recommendation and one running container recommendation for each supported environment (Azure, AWS, and GCP); their descriptions are:
Registry images: Defender for Cloud scans your registry images for known vulnerabilities (CVEs) and provides detailed findings for each scanned image. Scanning and remediating vulnerabilities in container images in the registry helps maintain a secure and reliable software supply chain, reduces the risk of security incidents, and helps ensure compliance with industry standards.
Running containers: Defender for Cloud creates an inventory of all container workloads currently running in your Kubernetes clusters and provides vulnerability reports for those workloads by matching the images in use against the vulnerability reports created for the registry images. Scanning and remediating vulnerabilities in container workloads is critical to ensure a robust and secure software supply chain, reduce the risk of security incidents, and help ensure compliance with industry standards.
1b3abfa4-9e53-46f1-9627-51f2957f8bba
The following current GA recommendations report on vulnerabilities in containers within a Kubernetes cluster and on container images within a container registry. These recommendations are best suited for customers who use the classic view for recommendations and don't have the Defender CSPM plan enabled. There is one registry recommendation and one running container recommendation for each environment:
Azure registry images: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment.
Azure running containers: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility into vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface of your containerized workloads.
AWS registry images: Scans your AWS registry container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment.
AWS running containers: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility into vulnerable images currently running in your Elastic Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface of your containerized workloads.
GCP registry images: Scans your GCP registry container images for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment.
GCP running containers: Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility into vulnerable images currently running in your Google Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface of your containerized workloads.
5cc3a2c1-8397-456f-8792-fe9d0d4c9145
How Vulnerability Assessment for Images and Containers Works
Scanning images in Defender for Containers supported registries
Note
The Registry access extension must be enabled for vulnerability assessment of images in container registries.
The scan of an image in a container registry creates an inventory of the image and its vulnerability recommendations. The supported container image registries are: Azure Container Registry (ACR), Amazon AWS Elastic Container Registry (ECR), Google Artifact Registry (GAR), Google Container Registry (GCR), and configured external registries. An image is scanned when:
A new image is pushed or imported to the container registry. The image is scanned within a few hours.
Continuous re-scan triggering - images that were previously scanned are re-scanned so that their vulnerability reports are updated when a new vulnerability is published.
An image is scanned within 24 hours when it is pulled from the container registry.
Note
In some rare cases, a new image in the registry might take up to 24 hours before scanning.
In addition, the following images are scanned every 24 hours to update their vulnerability recommendations in case a new vulnerability is published:
Images pushed or imported to the container registry in the last 90 days.
Images pulled from the container registry in the last 30 days.
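The two re-scan windows above define which registry images keep receiving updated vulnerability reports and which silently age out of continuous re-scanning. The following is an added example (not Microsoft code) that applies those rules to a registry inventory and flags images that are no longer re-scanned; the `ImageRecord` type, the function names and the timestamps are constructed for the example, and in practice the push and pull times would come from the registry's own audit data.

```python
"""Flag registry images that have aged out of Defender for Containers'
continuous re-scan window (added example, not Microsoft code).

Rules encoded from the documentation: an image is re-scanned every
24 hours while it was pushed or imported within the last 90 days, or
pulled within the last 30 days. Everything else here (record type,
sample timestamps) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PUSH_WINDOW = timedelta(days=90)   # pushed/imported within 90 days
PULL_WINDOW = timedelta(days=30)   # pulled within 30 days


@dataclass(frozen=True)
class ImageRecord:
    """One registry image with its most recent push and pull times (constructed)."""
    name: str
    last_pushed: datetime
    last_pulled: Optional[datetime] = None


def in_rescan_window(image: ImageRecord, now: datetime):
    """Return (covered, reason) for a single image at time `now`."""
    if now - image.last_pushed <= PUSH_WINDOW:
        return True, "pushed or imported within 90 days"
    if image.last_pulled is not None and now - image.last_pulled <= PULL_WINDOW:
        return True, "pulled within 30 days"
    return False, "outside both windows; not re-scanned for newly published CVEs"


def rescan_report(images, now: datetime):
    """Map image name -> (covered, reason) for a whole inventory."""
    return {img.name: in_rescan_window(img, now) for img in images}


def stale_images(images, now: datetime):
    """Names of images that no longer receive the 24-hour re-scan, sorted."""
    report = rescan_report(images, now)
    return sorted(name for name, (covered, _) in report.items() if not covered)


# Constructed sample inventory relative to a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_IMAGES = [
    ImageRecord("api:1.4.2", last_pushed=NOW - timedelta(days=10)),
    ImageRecord("worker:0.9.0", last_pushed=NOW - timedelta(days=120),
                last_pulled=NOW - timedelta(days=5)),
    ImageRecord("legacy-batch:2.1", last_pushed=NOW - timedelta(days=200),
                last_pulled=NOW - timedelta(days=45)),
    ImageRecord("cron:3.0", last_pushed=NOW - timedelta(days=91)),
]

if __name__ == "__main__":
    for name, (covered, reason) in rescan_report(SAMPLE_IMAGES, NOW).items():
        status = "covered" if covered else "STALE  "
        print(f"{name:18} {status}  {reason}")
```

An image that is still deployed but falls outside both windows (such as `legacy-batch:2.1` above) will not pick up newly published CVEs from the registry scan alone; that is the case where the 24-hour scan of running containers, which is independent of the image source, closes the gap.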
Scanning containers running in the cluster workload
Containers running in the cluster workload are scanned for vulnerabilities every 24 hours. The scan is agnostic to the running container image's source registry and includes Kubernetes add-ons and third-party tools. The relevant recommendations are generated for each vulnerable container.
Note
Agentless scanning for running containers is performed when both the following extensions are enabled:
Agentless machine scanning
K8S API access or Defender sensor
Note
Containers created using images from unsupported container registries will only be scanned if running within the AKS environment.
Recommendations for a running container that uses an image from a supported container registry are generated from the container registry image scan, even if a customer doesn't enable Agentless machine scanning.
Note
The container runtime layer can't be scanned for vulnerabilities. In addition, the following containers can't be scanned for vulnerabilities:
Containers in nodes using AKS Ephemeral OS disks
Auto-scale configured AKS clusters may provide only partial results.
Windows OS containers
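The notes above describe two scan paths for a running container (the agentless running-container scan and the registry image scan) and several conditions under which one or both do not apply. The following is an added example (not Microsoft code) that encodes those conditions to answer, for each running container, whether it has any vulnerability assessment coverage and through which path; the `ClusterConfig` and `RunningContainer` types, the field names and the sample cluster and container records are constructed for the example.

```python
"""Determine which scan path, if any, covers a running container
(added example, not Microsoft code).

Rules encoded from the documentation:
- the agentless running-container scan needs both Agentless machine
  scanning and K8S API access (or the Defender sensor) enabled;
- images from unsupported registries are only scanned when the
  container runs in AKS;
- Windows OS containers and containers on nodes using AKS Ephemeral OS
  disks can't be scanned by the running-container scan;
- a container using an image from a supported registry still gets
  recommendations from the registry image scan (Registry access enabled),
  even without Agentless machine scanning.
Types, field names and sample records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ClusterConfig:
    provider: str                      # "AKS", "EKS" or "GKE" (constructed labels)
    registry_access: bool              # Registry access extension enabled
    agentless_machine_scanning: bool   # Agentless machine scanning enabled
    k8s_api_or_sensor: bool            # K8S API access or Defender sensor enabled
    ephemeral_os_disks: bool = False   # nodes use AKS Ephemeral OS disks


@dataclass(frozen=True)
class RunningContainer:
    name: str
    image_from_supported_registry: bool
    windows: bool = False


def assess_coverage(container: RunningContainer, cluster: ClusterConfig) -> Tuple[bool, str]:
    """Return (covered, detail) naming the scan path or the reasons none applies."""
    blockers = []
    if not (cluster.agentless_machine_scanning and cluster.k8s_api_or_sensor):
        blockers.append("Agentless machine scanning and K8S API access/Defender sensor "
                        "are not both enabled")
    if container.windows:
        blockers.append("Windows OS containers are not scanned")
    if cluster.ephemeral_os_disks:
        blockers.append("nodes use AKS Ephemeral OS disks")
    if not container.image_from_supported_registry and cluster.provider != "AKS":
        blockers.append("image from an unsupported registry outside AKS")

    if not blockers:
        return True, "agentless running-container scan (every 24 hours)"

    # Fall back to the registry image scan for supported-registry images.
    if container.image_from_supported_registry:
        if cluster.registry_access:
            return True, "registry image scan only: " + "; ".join(blockers)
        blockers.append("Registry access is not enabled")
    return False, "; ".join(blockers)


def coverage_gaps(containers: List[RunningContainer], cluster: ClusterConfig) -> List[str]:
    """Names of running containers with no vulnerability assessment coverage."""
    return [c.name for c in containers if not assess_coverage(c, cluster)[0]]


# Constructed sample clusters and workloads.
AKS_FULL = ClusterConfig("AKS", registry_access=True,
                         agentless_machine_scanning=True, k8s_api_or_sensor=True)
EKS_PARTIAL = ClusterConfig("EKS", registry_access=True,
                            agentless_machine_scanning=False, k8s_api_or_sensor=True)
SAMPLE_CONTAINERS = [
    RunningContainer("app", image_from_supported_registry=True),
    RunningContainer("addon", image_from_supported_registry=False),   # e.g. a cluster add-on
    RunningContainer("win-svc", image_from_supported_registry=True, windows=True),
]

if __name__ == "__main__":
    for label, cluster in (("AKS_FULL", AKS_FULL), ("EKS_PARTIAL", EKS_PARTIAL)):
        print(f"== {label}")
        for c in SAMPLE_CONTAINERS:
            covered, detail = assess_coverage(c, cluster)
            print(f"  {c.name:8} {'covered' if covered else 'GAP    '}  {detail}")
```

The practical use is the `coverage_gaps` list: on the partially configured cluster the add-on container has no assessment at all, which is the situation the documentation describes when Agentless machine scanning is left off and the image comes from an unsupported registry.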
If I remove an image from my registry, how long before the vulnerability reports on that image are removed?
Azure Container Registry notifies Defender for Cloud when images are deleted, and Defender for Cloud removes the vulnerability assessment for deleted images within one hour. In rare cases, Defender for Cloud might not be notified of the deletion, and removal of the associated vulnerabilities can then take up to three days.
Learn how to create and configure an Azure Container Registry, how to push container images to it, and which authentication methods and security features it offers.