Troubleshoot container certification

When you publish your container products to Azure Marketplace, the Azure team validates them to ensure that they're secure. If a container product fails any of the tests, it won't be published. You'll receive an error message that describes the issue.

This article explains common error messages during container publishing, along with related solutions.

Note

If you have questions about this article or suggestions for improvement, contact Partner Center support.

Vulnerability failure

A vulnerability is an exploitable risk or an unsecured entry point that malicious actors can use for nefarious actions.

Marketplace Container Certification uses MS Defender for Cloud, which scans images in ACR for vulnerabilities based on their CVSS v3 (Common Vulnerability Scoring System) score. All container products that have vulnerabilities with a CVSS v3 score greater than or equal to 7 are blocked. In rare instances, certification also blocks specific CVE IDs with lower scores. Certification tries to provide remediation steps for each vulnerability so publishers can fix them.

You can also use MS Defender or open source or paid software such as Aqua Security, Qualys Container Security, Clair, or Twistlock to scan your images before publishing. You must remove at least the high and critical vulnerabilities to ensure a high rate of passing.

These tools are just examples of the scanning tools available online. ISVs are free to choose any other tool that is the right fit for them (even if it isn't in the list here), as long as it identifies vulnerabilities.
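A pre-publish gate for the threshold described above, as an added example that is not part of the original article or of Microsoft's certification tooling: it reads a scanner report, lists findings with a CVSS v3 score of 7 or higher together with their fix versions, and exits non-zero so a build can stop before publishing. It assumes the report uses the JSON layout produced by Trivy (Aqua Security's open-source scanner); the CVE IDs, package names and the `extra_blocked_ids` parameter are constructed for illustration.

```python
import json

BLOCK_THRESHOLD = 7.0  # CVSS v3 score at or above which certification blocks, per this article

# Constructed sample report in the Trivy JSON layout (assumption: your scanner exports
# this shape). CVE IDs, packages and scores are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "app:1.0 (debian 12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "FixedVersion": "1.2.4",
         "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 6.8}, "redhat": {"V3Score": 7.0}}},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib-sample", "FixedVersion": "",
         "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 5.3}}},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "openssl-sample", "FixedVersion": "3.0.9",
         "Severity": "CRITICAL"},  # no CVSS block: fall back to the severity label
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "tool-sample", "FixedVersion": "2.1",
         "Severity": "LOW", "CVSS": {"nvd": {"V3Score": 3.1}}},
    ]},
    {"Target": "usr/bin/app", "Vulnerabilities": None},  # a clean target may have no list
]})


def blocking_findings(report_json, extra_blocked_ids=frozenset()):
    """Return findings likely to fail certification, worst first."""
    found = {}
    for result in json.loads(report_json).get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            scores = [s["V3Score"] for s in (v.get("CVSS") or {}).values()
                      if s.get("V3Score") is not None]
            # Vendors can disagree; gate on the highest v3 score to stay conservative.
            score = max(scores) if scores else None
            unscored_severe = score is None and v.get("Severity") in ("HIGH", "CRITICAL")
            if not (unscored_severe or (score is not None and score >= BLOCK_THRESHOLD)
                    or v["VulnerabilityID"] in extra_blocked_ids):
                continue
            key = (v["VulnerabilityID"], v["PkgName"])  # de-duplicate across targets
            found[key] = {"id": key[0], "pkg": key[1], "score": score,
                          "fix": v.get("FixedVersion") or "no fix released"}
    # Unscored findings sort first so they are reviewed by hand.
    return sorted(found.values(), key=lambda f: -(f["score"] if f["score"] is not None else 10.1))


if __name__ == "__main__":
    hits = blocking_findings(SAMPLE_REPORT, extra_blocked_ids={"CVE-0000-0004"})
    for f in hits:
        print(f"{f['id']}  {f['pkg']}  cvss={f['score']}  fix={f['fix']}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the build before publishing
```

The `extra_blocked_ids` set covers the case where certification blocks a specific CVE ID despite a score below 7.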

Note

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, and a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Note

In rare scenarios, a product might have an excessive number of vulnerabilities, and we aren't able to share results for all of them in the certification report. We recommend that you scan such products before publishing. You can also reach out to us at Marketplace Publisher Support to get the details by email.

Malware failure

Malware, or malicious software, is a file or program that is designed to be harmful to a computer, network, or server.

If you're planning to publish container products, you should scan your product for malware, identify all files that contain malware and remove them before publishing the container product.

If your existing container products have malware, you should deprecate/hide the affected offers and republish the patched product.