Scan registry images with Microsoft Defender for Cloud
To scan images in your Azure container registries for vulnerabilities, you can integrate one of the available Azure Marketplace solutions or, if you want to use Microsoft Defender for Cloud, optionally enable Microsoft Defender for container registries at the subscription level.
- Learn more about Microsoft Defender for container registries
- Learn more about container security in Microsoft Defender for Cloud
Registry operations by Microsoft Defender for Cloud
Microsoft Defender for Cloud scans images that are pushed to a registry, imported into a registry, or pulled from a registry within the last 30 days. If vulnerabilities are detected, recommended remediations appear in Microsoft Defender for Cloud.
After you've taken the recommended steps to remediate the security issue, replace the image in your registry. Microsoft Defender for Cloud rescans the image to confirm that the vulnerabilities are remediated.
For details, see Use Microsoft Defender for container registries.
Tip
Microsoft Defender for Cloud authenticates with the registry to pull images for vulnerability scanning. If resource logs are collected for your registry, you'll see registry login events and image pull events generated by Microsoft Defender for Cloud. These events are associated with an alphanumeric ID such as b21cb118-5a59-4628-bab0-3c3f0e434cg6.
Scanning a network-restricted registry
Microsoft Defender for Cloud can scan images in a publicly accessible container registry or one that's protected with network access rules. If network rules are configured (that is, you disable public registry access, configure IP access rules, or create private endpoints), be sure to enable the network setting to allow trusted Microsoft services to access the registry. By default, this setting is enabled in a new container registry.
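The misconfiguration to watch for here is a registry with network rules in place but the trusted-services bypass turned off, which silently leaves Defender unable to pull images. The following added example (not part of this article or of the Azure CLI) evaluates the JSON that `az acr show -o json` returns for a registry and reports whether Defender would be blocked; the property names used (publicNetworkAccess, networkRuleBypassOptions, networkRuleSet, privateEndpointConnections) are assumed from the ACR resource schema, and the sample registry is constructed.

```python
import json

# Constructed sample shaped like `az acr show -o json` for a registry with public
# access disabled and the "allow trusted Microsoft services" bypass turned off.
# Property names are assumed from the ACR resource schema (not from this article).
SAMPLE_REGISTRY = json.loads("""
{
  "name": "contosoregistry",
  "publicNetworkAccess": "Disabled",
  "networkRuleBypassOptions": "None",
  "networkRuleSet": {"defaultAction": "Deny", "ipRules": []},
  "privateEndpointConnections": [{"name": "pe-1"}]
}
""")


def is_network_restricted(reg: dict) -> bool:
    """True if any of the network rules the article names are in effect:
    public access disabled, IP access rules / deny-by-default, or private endpoints."""
    rules = reg.get("networkRuleSet") or {}
    return (
        reg.get("publicNetworkAccess") == "Disabled"
        or rules.get("defaultAction") == "Deny"
        or bool(rules.get("ipRules"))
        or bool(reg.get("privateEndpointConnections"))
    )


def trusted_services_allowed(reg: dict) -> bool:
    """The 'allow trusted Microsoft services' setting maps to the AzureServices bypass."""
    return reg.get("networkRuleBypassOptions") == "AzureServices"


def check_defender_reachability(reg: dict) -> dict:
    """Report whether Defender for Cloud can reach the registry to pull images,
    and, if not, the CLI command that re-enables the trusted-services bypass."""
    restricted = is_network_restricted(reg)
    allowed = trusted_services_allowed(reg)
    blocked = restricted and not allowed
    result = {
        "registry": reg.get("name"),
        "network_restricted": restricted,
        "trusted_services_allowed": allowed,
        "defender_blocked": blocked,
    }
    if blocked:
        result["remediation"] = (
            f"az acr update --name {reg.get('name')} --allow-trusted-services true"
        )
    return result


if __name__ == "__main__":
    print(json.dumps(check_defender_reachability(SAMPLE_REGISTRY), indent=2))
```

Run it against real output with `az acr show --name <registry> -o json > reg.json` and pass the parsed file to `check_defender_reachability`.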
Next steps
- Learn more about registry access by trusted services.
- To restrict access to a registry using a private endpoint in a virtual network, see Configure Azure Private Link for an Azure container registry.
- To set up registry firewall rules, see Configure public IP network rules.