Create exemptions and disable vulnerability assessment findings on Container registry images and running images
Article
Note
You can customize your vulnerability assessment experience by exempting management groups, subscriptions, or specific resources from your secure score. Learn how to create an exemption for a resource or subscription.
If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.
When a finding matches the criteria you defined in your disable rules, it doesn't appear in the list of findings. Typical scenario examples include:
Disable findings with severity below medium
Disable findings for images that the vendor won't fix
You can use a combination of any of the following criteria:
CVE - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.
Image digest - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c
OS version - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17
Minimum Severity - Select low, medium, high, or critical to exclude vulnerabilities less than the specified severity level.
Fix status - Select the option to exclude vulnerabilities based on their fix status.
Disable rules apply per recommendation, for example, to disable CVE-2017-17512 both on the registry images and runtime images, the disable rule has to be configured in both places.
Note
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Define your criteria. You can use any of the following criteria:
CVE - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.
Image digest - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c
OS version - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17
Minimum Severity - Select low, medium, high, or critical to exclude vulnerabilities less than and equal to the specified severity level.
Fix status - Select the option to exclude vulnerabilities based on their fix status.
In the justification text box, add your justification for why a specific vulnerability was disabled. This provides clarity and understanding for anyone reviewing the rule.
Select Apply rule.
Important
Changes might take up to 24 hours to take effect.
To view, override, or delete a rule
From the recommendations detail page, select Disable rule.
From the scope list, subscriptions with active rules show as Rule applied.
To view or delete the rule, select the ellipsis menu ("...").
Do one of the following:
To view or override a disable rule - select View rule, make any changes you want, and select Override rule.
Learn how to create and configure an Azure Container Registry, the process of pushing container images to Azure Container Registry and explore different authentication methods and security features for Azure Container Registry.
Demonstrate the skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities.
