Defender AKS images vulnerability report still showing remediated vulnerabilities

Gomolemo 85 Reputation points
2025-12-18T07:12:55.68+00:00

We pull AKS running images vulnerabilities report daily and assign devs to work remediating the vulnerabilities.

But we identified some discrepancies: even if we have remediated the vulnerabilities, they still show up in the report.

I am curious to know how Defender for Cloud assesses the images and why they still show on the report even though they have been remediated.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. VEMULA SRISAI 5,825 Reputation points Microsoft External Staff Moderator
    2025-12-19T02:32:57.9366667+00:00

    Hello Gomolemo,

    The reason you still see those vulnerabilities in the AKS report is because Defender for Cloud evaluates vulnerabilities based on the exact image digest that is currently running in your AKS cluster, not the tag. Even if you pushed a fixed image, if the cluster is still running pods based on the old digest, Defender will continue to report the old vulnerabilities.

    Another point to note is that Defender does not update immediately. The registry scan and AKS cluster inventory refresh run on scheduled intervals. Until both have refreshed, the report may continue to show the older vulnerability state.

    Also, if the old vulnerable image still exists in the container registry, Defender will list it in the report even if it is no longer deployed.

    Once the patched digest is actually deployed in AKS, the old image is removed from the registry, and Defender completes its next scan cycle, the vulnerabilities will no longer appear in the report.

    For your reference

    https://docs.azure.cn/en-us/defender-for-cloud/view-and-remediate-vulnerabilities-for-images

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/view-and-remediate-vulnerability-assessment-findings-secure-score

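The answer's key point is that the report keys on the digest actually running in the cluster, so the first thing to check after a fix is whether every pod has rolled over to the patched digest rather than still carrying the old one under the same tag. The following script is an added example written for this thread; it is not part of the answer and not Microsoft code. It parses a constructed JSON document shaped like the output of `kubectl get pods -A -o json` (only the fields it uses are included), extracts the repository and digest from each container's `imageID`, and lists containers whose digest does not match the digest you pushed as the fix. The registry name `contoso.azurecr.io`, the namespace, pod names and digests are placeholders.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json`, trimmed to
# the fields used below. Both pods run the SAME tag (1.4.2) but DIFFERENT
# digests: only worker-5f1b has picked up the rebuilt image.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "payments", "name": "api-7c9d"},
         "status": {"containerStatuses": [
             {"name": "api",
              "image": "contoso.azurecr.io/payments/api:1.4.2",
              "imageID": "contoso.azurecr.io/payments/api@sha256:" + "a" * 64}]}},
        {"metadata": {"namespace": "payments", "name": "worker-5f1b"},
         "status": {"containerStatuses": [
             {"name": "worker",
              "image": "contoso.azurecr.io/payments/api:1.4.2",
              # older docker-shim style imageID, still seen on some nodes
              "imageID": "docker-pullable://contoso.azurecr.io/payments/api@sha256:" + "b" * 64}]}},
    ]
})

# Placeholder: the digest the registry reported when the patched image was pushed.
PATCHED_DIGESTS = {"contoso.azurecr.io/payments/api": "sha256:" + "b" * 64}


def split_image_id(image_id):
    """Split a containerStatus.imageID into (repository, digest).

    Accepts both the containerd form 'repo@sha256:...' and the older
    'docker-pullable://repo@sha256:...' form. Returns digest=None when the
    kubelet recorded no digest (for example a locally built image).
    """
    ref = image_id.split("://", 1)[-1]
    if "@" not in ref:
        return ref, None
    repo, digest = ref.split("@", 1)
    return repo, digest


def running_images(pods_json):
    """Flatten every init and app container in the pod list into one row each."""
    pods = json.loads(pods_json)
    rows = []
    for pod in pods.get("items", []):
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        status = pod.get("status", {})
        statuses = status.get("initContainerStatuses", []) + status.get("containerStatuses", [])
        for cs in statuses:
            repo, digest = split_image_id(cs.get("imageID", ""))
            rows.append({"namespace": ns, "pod": name, "container": cs["name"],
                         "tag": cs.get("image"), "repository": repo, "digest": digest})
    return rows


def stale_workloads(pods_json, patched_digests):
    """Containers whose repository has a known patched digest but which are
    still running a different digest; these keep the old findings alive."""
    return [r for r in running_images(pods_json)
            if r["repository"] in patched_digests
            and r["digest"] != patched_digests[r["repository"]]]


if __name__ == "__main__":
    for row in stale_workloads(SAMPLE_PODS_JSON, PATCHED_DIGESTS):
        print(f"{row['namespace']}/{row['pod']} ({row['container']}) still runs "
              f"{row['tag']} at {row['digest']}")
```

To run this against a real cluster, save `kubectl get pods -A -o json` to a file and pass its contents instead of the constructed sample, and take the patched digest from what the registry printed when the fixed image was pushed. A pod that shows up here will keep appearing in the Defender report until it is restarted onto the new digest, regardless of what its tag says, which is the discrepancy the question describes.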
