Azure registry container images should have vulnerabilities resolved

2025-11-24T20:53:07.58+00:00

Defender for Cloud – ACR recommendation “images should have vulnerabilities resolved” shows Unhealthy with 0 CVEs and can’t scope exemption
In Azure Policy → Compliance, I can see the ASC Default initiative and multiple non-compliant policies, but I still don’t see a straightforward way to mark this ACR recommendation as mitigated/not applicable when there are 0 vulnerabilities.

Questions

How can I get Defender for Cloud to correctly mark this recommendation as Compliant or Not applicable for myregistry when all images currently have 0 vulnerabilities / 0 CVEs?

Is there a known issue or recommended process for scoping an exemption for this specific ACR and recommendation, so that secure score no longer treats it as Unhealthy?

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

1 answer

  1. Shubham Sharma 3,430 Reputation points Microsoft External Staff Moderator
    2025-11-24T21:39:38.3566667+00:00

    Hello administrator - simple machine mind

    Thank you for reaching out to Microsoft Q&A.

    Why does this happen?

    The recommendation logic expects a recent vulnerability scan result, not just zero CVEs.

    If the scan is stale or the registry hasn’t been rescanned recently, the resource remains Unhealthy even with no vulnerabilities.

    This is a known limitation in Defender for Cloud’s compliance evaluation.

    Below are the resolution steps:

    1. Trigger a fresh vulnerability scan

    Defender for Cloud rescans images:

    Daily, for images pushed in the last 90 days.

    For images pulled in the last 30 days.

    If your images are older, push or re-import them to trigger a scan.

    Ensure Microsoft Defender for Containers plan is enabled, and agentless vulnerability assessment is turned on for ACR.

    For your reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/view-and-remediate-vulnerability-registry-images

    2. Create an exemption (mark as Not applicable or Mitigated)

    Go to Defender for Cloud → Recommendations → Container registry images should have vulnerability findings resolved.

    Select your ACR resource.

    Click Disable rule or Exempt.

    Define criteria (even if there are no CVEs):

    Image digest (sha256)

    OS version

    Minimum severity

    Fix status

    Provide justification (e.g., “No vulnerabilities detected; accepted risk”).

    After applying, the resource will appear under Not applicable and will no longer impact Secure Score.

    For your reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/exempt-resource

    For your reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/disable-vulnerability-findings-containers-secure-score

    3. Validate compliance

    After exemption, check Azure Policy → Compliance.

    The recommendation should now show as Not applicable with your justification.

    This also removes its effect on Secure Score.

    For your reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/disable-vulnerability-findings-containers-secure-score

    Please reach out to us in case of any further issue.

    Thanks

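Added example (not code from the Q&A thread, from Microsoft, or from any Azure API): a small triage helper that applies the logic the answer above describes, so you can tell, per image, whether "Unhealthy with 0 CVEs" means a stale scan result (wait for the daily rescan or check the Defender for Containers plan / agentless VA), an image that has aged out of the rescan window (push or import it again), real findings to fix, or findings already covered by a disable rule scoped by digest, minimum severity and fix status. The 90-day push and 30-day pull windows come from the answer; the two-day freshness threshold, the field names and every image and finding record are this example's own assumptions and constructed sample data.

```python
# Added example, not code from the Q&A thread or from Microsoft: a small triage
# helper that applies the logic the answer describes (a fresh scan result is
# required, not just zero CVEs; rescans happen daily for images pushed in the
# last 90 days or pulled in the last 30 days; disable rules are scoped by
# digest, minimum severity and fix status).  All records below are CONSTRUCTED
# samples with simplified field names, not the output of any Azure API.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

PUSH_WINDOW = timedelta(days=90)  # pushed within 90 days -> rescanned daily (from the answer)
PULL_WINDOW = timedelta(days=30)  # pulled within 30 days -> rescanned (from the answer)
FRESH_SCAN = timedelta(days=2)    # ASSUMPTION: a result older than this is treated as stale

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
FIX_STATUS = {  # fix-status criterion of a disable rule
    "any": lambda f: True,
    "fixable": lambda f: f.fixable,
    "not-fixable": lambda f: not f.fixable,
}


@dataclass
class Finding:
    finding_id: str   # placeholder id; real findings carry a CVE number
    severity: str
    fixable: bool


@dataclass
class Image:
    repository: str
    digest: str
    last_push: datetime
    last_pull: Optional[datetime]
    last_scan: Optional[datetime]
    findings: list[Finding] = field(default_factory=list)


def in_rescan_window(img: Image, now: datetime) -> bool:
    """True if Defender for Cloud would still rescan this image on its own."""
    if now - img.last_push <= PUSH_WINDOW:
        return True
    return img.last_pull is not None and now - img.last_pull <= PULL_WINDOW


def matches_rule(f: Finding, min_severity: str, fix_status: str) -> bool:
    """Does a finding fall under a disable rule with these criteria?"""
    return (SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]
            and FIX_STATUS[fix_status](f))


def apply_rule(img: Image, digests: set[str], min_severity: str,
               fix_status: str) -> list[Finding]:
    """Findings that remain after a disable rule (optionally scoped to digests)."""
    if digests and img.digest not in digests:
        return list(img.findings)
    return [f for f in img.findings
            if not matches_rule(f, min_severity, fix_status)]


def triage(img: Image, now: datetime, rule: Optional[dict] = None) -> str:
    """Classify why an image is (or is not) Unhealthy for this recommendation."""
    remaining = apply_rule(img, **rule) if rule else list(img.findings)
    if remaining:
        return "findings"          # real findings: fix them or scope a rule to them
    if img.last_scan is not None and now - img.last_scan <= FRESH_SCAN:
        return "healthy"           # zero findings AND a recent scan result
    if in_rescan_window(img, now):
        return "stale"             # should be rescanning: check the plan / agentless VA
    return "repush"                # outside the window: push or import to trigger a scan


def summarize(images: list[Image], now: datetime,
              rule: Optional[dict] = None) -> dict[str, list[str]]:
    """Group a registry's images by triage state."""
    out: dict[str, list[str]] = {"healthy": [], "stale": [], "repush": [], "findings": []}
    for img in images:
        out[triage(img, now, rule)].append(f"{img.repository}@{img.digest}")
    return out


# Constructed sample registry (digests shortened to placeholders).
NOW = datetime(2025, 11, 24, 20, 0, tzinfo=timezone.utc)
SAMPLE_IMAGES = [
    # pushed 10 days ago, clean scan yesterday -> Healthy
    Image("app/api", "sha256:aaa", NOW - timedelta(days=10), None, NOW - timedelta(days=1)),
    # pushed 120 days ago, never pulled, last clean scan 118 days old -> outside window
    Image("app/worker", "sha256:bbb", NOW - timedelta(days=120), None, NOW - timedelta(days=118)),
    # pulled 3 days ago but no scan result at all -> in window yet stale
    Image("base/python", "sha256:ccc", NOW - timedelta(days=200), NOW - timedelta(days=3), None),
    # scanned today with two findings
    Image("app/legacy", "sha256:ddd", NOW - timedelta(days=5), None, NOW,
          [Finding("finding-1", "High", True), Finding("finding-2", "Low", False)]),
]

if __name__ == "__main__":
    for state, names in summarize(SAMPLE_IMAGES, NOW).items():
        print(f"{state:9s} {names}")
```

The point of the `rule` parameter is that a disable rule only ever removes findings; it cannot turn a stale result into a fresh one, which is why the three zero-finding sample images land in "healthy", "stale" and "repush" purely on the age of their last scan and whether they are still inside the rescan window.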
