The AKS Vulnerability Data API provides you with programmatic, read-only visibility into vulnerabilities detected in AKS-managed platform components. This API is intended for security teams, compliance teams, and platform owners who need authoritative information about vulnerabilities affecting AKS-managed artifacts independent of any specific cluster runtime state.
In this article, you learn how to use the AKS Vulnerability Data API to programmatically retrieve CVE reports for AKS-managed artifacts, including AKS releases, Kubernetes versions, node images, container images, and OS packages. It provides examples of API requests and demonstrates how to interpret the responses to support large-scale CVE analysis, automation, and correlation with security scanner findings. For an overview of the concepts behind the API, see Vulnerability Data API for Azure Kubernetes Service (AKS) overview.
Query for CVE reports
The following examples demonstrate how to query the AKS Vulnerability Data API to retrieve CVE reports for AKS releases, Kubernetes versions, node images, container images, and OS packages.
Query CVEs for an AKS release
# 1. List available AKS releases
curl -s https://cve-api.prod-aks.azure.com/api/v1/aks-releases/_index | jq '.aks_release_versions'
# 2. Get CVE report for a specific release
curl -s https://cve-api.prod-aks.azure.com/api/v1/aks-releases/v20260104/scan-reports | jq '.'
Query CVEs for a Kubernetes version
# 1. List available Kubernetes versions
curl -s https://cve-api.prod-aks.azure.com/api/v1/aks-k8s-releases/_index | jq '.k8s_versions'
# 2. Get CVE report for a specific Kubernetes version
curl -s https://cve-api.prod-aks.azure.com/api/v1/aks-k8s-releases/1.32.9/scan-reports | jq '.'
Query CVEs for a node image (VHD)
# 1. List available VHD releases
curl -s https://cve-api.prod-aks.azure.com/api/v1/vhd-releases/_index | jq '.vhd_release_versions'
# 2. Get CVE report for a specific VHD
curl -s https://cve-api.prod-aks.azure.com/api/v1/vhd-releases/AKSUbuntu-gen2-2204containerd/202601.13.0/scan-reports | jq '.'
Query CVEs for a specific container image
# Get CVE scan report for a specific tagged container image
curl -s https://cve-api.prod-aks.azure.com/api/v1/container-images/mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.31.11/scan-reports | jq '.'
# Get CVE mitigation history for a container image repository
curl -s https://cve-api.prod-aks.azure.com/api/v1/container-images/mcr.microsoft.com/oss/kubernetes/kube-proxy/mitigation-reports | jq '.'
Query CVEs for a specific OS package
# Get CVE scan report for a specific OS package version
curl -s https://cve-api.prod-aks.azure.com/api/v1/vhd-packages/openssl/3.0.2-0ubuntu1.20/scan-reports | jq '.'
# Get CVE mitigation history for an OS package
curl -s https://cve-api.prod-aks.azure.com/api/v1/vhd-packages/openssl/mitigation-reports | jq '.'
Endpoints
The AKS Vulnerability Data API exposes endpoints for retrieving CVE reports for AKS releases, Kubernetes versions, node images, container images, and OS packages. Each endpoint provides access to either an index of available versions or a detailed scan report for a specific version or artifact. The following sections describe each endpoint, the available operations, and the expected request and response formats.
AKS releases
Get AKS release index
The following endpoint returns an index of all AKS release versions with available CVE reports:
GET /api/v1/aks-releases/_index
Example request:
curl -s https://cve-api.prod-aks.azure.com/api/v1/aks-releases/_index
Example response:
{
"aks_release_versions": [
"v20250427",
"v20250519",
"v20250617",
"v20250720",
"v20250808",
"v20250829",
"v20250921",
"v20251012",
"v20260104"
],
"report_time": "2026-01-27T16:19:36.181877605Z"
}
Response fields:
| Field | Type | Description |
|---|---|---|
| aks_release_versions | string[] | Available AKS release versions, sorted chronologically |
| report_time | string (ISO 8601) | When this index was last generated |
Get AKS release CVE report
The following endpoint returns a detailed CVE report for a specific AKS release version, including all container images in system namespaces, their active CVEs, and the delta of CVEs compared to the previous release:
GET /api/v1/aks-releases/{version}/scan-reports
Path parameters:
| Parameter | Type | Description | Example |
|---|---|---|---|
| version | string | AKS release version from the index | v20260104 |
Example request:
curl -s https://cve-api.prod-aks.azure.com/api/v1/aks-releases/v20260104/scan-reports
Example response (abbreviated):
{
"aks_release_version": "v20260104",
"previous_aks_release_version": "v20251012",
"container_targets": [
{
"pod_namespace": "kube-system",
"container_name": "coredns",
"active_container_images": {
"image_repo_tags": [
"mcr.microsoft.com/oss/v2/kubernetes/coredns:v1.9.4-9"
],
"image_repo_digests": [
"mcr.microsoft.com/oss/v2/kubernetes/coredns:v1.9.4-9@sha256:718de5d12a..."
]
},
"active_cves": [
{"id": "CVE-2025-47914"},
{"id": "CVE-2025-58181"},
{"id": "CVE-2025-61727"},
{"id": "CVE-2025-61729"}
],
"removed_container_images_from_previous_release": {
"image_repo_tags": [],
"image_repo_digests": []
},
"mitigated_cves_from_previous_release": []
},
{
"pod_namespace": "gatekeeper-system",
"container_name": "azure-policy-audit",
"active_container_images": {
"image_repo_tags": [
"mcr.microsoft.com/azure-policy/policy-kubernetes-audit:1.15.3"
],
"image_repo_digests": [
"mcr.microsoft.com/azure-policy/policy-kubernetes-audit:1.15.3@sha256:67745758..."
]
},
"active_cves": [
{"id": "CVE-2025-61727"},
{"id": "CVE-2025-61729"}
],
"removed_container_images_from_previous_release": {
"image_repo_tags": [
"mcr.microsoft.com/azure-policy/policy-kubernetes-audit:1.14.2"
],
"image_repo_digests": [
"mcr.microsoft.com/azure-policy/policy-kubernetes-audit:1.14.2@sha256:33218f96..."
]
},
"mitigated_cves_from_previous_release": [
{"id": "CVE-2025-47912"},
{"id": "CVE-2025-47914"},
{"id": "CVE-2025-58181"}
]
}
],
"report_time": "2026-01-27T16:19:36.181877605Z"
}
Response fields:
| Field | Type | Description |
|---|---|---|
| aks_release_version | string | Current AKS release version |
| previous_aks_release_version | string | Previous release version (used for delta calculations) |
| container_targets | AKSReleaseContainerTarget[] | All container components in this release |
| report_time | string (ISO 8601) | Report generation timestamp |
Kubernetes version releases
Get Kubernetes versions index
The following endpoint returns an index of all Kubernetes versions with available CVE reports:
GET /api/v1/aks-k8s-releases/_index
Example request:
curl -s https://cve-api.prod-aks.azure.com/api/v1/aks-k8s-releases/_index
Example response:
{
"k8s_versions": [
"1.27.102",
"1.27.103",
"1.28.100",
"1.29.14",
"1.30.0",
"1.30.14",
"1.31.1",
"1.32.0",
"1.32.10",
"1.33.0",
"1.33.6",
"1.34.0",
"1.34.2"
],
"report_time": "2026-01-27T16:14:37.928201259Z"
}
Response fields:
| Field | Type | Description |
|---|---|---|
| k8s_versions | string[] | Available Kubernetes versions, sorted by semver |
| report_time | string (ISO 8601) | When this index was last generated |
Get Kubernetes version CVE report
The following endpoint returns the CVE report for a specific Kubernetes version, detailing vulnerabilities in the container images used by core Kubernetes components and AKS add-ons for that version:
GET /api/v1/aks-k8s-releases/{version}/scan-reports
Path parameters:
| Parameter | Type | Description | Example |
|---|---|---|---|
| version | string | Kubernetes version from the index | 1.33.2 |
Example request:
curl -s https://cve-api.prod-aks.azure.com/api/v1/aks-k8s-releases/1.33.2/scan-reports
Example response (abbreviated):
{
"k8s_version": "1.33.2",
"container_targets": [
{
"container_image": "mcr.microsoft.com/oss/kubernetes/kube-apiserver",
"active_container_images": {
"image_repo_tags": [
"mcr.microsoft.com/oss/kubernetes/kube-apiserver:v1.33.2"
],
"image_repo_digests": [
"mcr.microsoft.com/oss/kubernetes/kube-apiserver:v1.33.2@sha256:abc123..."
]
},
"active_cves": [
{"id": "CVE-2025-47912"},
{"id": "CVE-2025-58181"}
]
},
{
"container_image": "mcr.microsoft.com/aks/aks-app-routing-operator",
"active_container_images": {
"image_repo_tags": [
"mcr.microsoft.com/aks/aks-app-routing-operator:0.0.3"
],
"image_repo_digests": [
"mcr.microsoft.com/aks/aks-app-routing-operator:0.0.3@sha256:c1ff16ca..."
]
},
"active_cves": [
{"id": "CVE-2023-39318"},
{"id": "CVE-2023-39319"},
{"id": "CVE-2023-39325"}
]
}
],
"report_time": "2026-01-27T16:14:37.928201259Z"
}
Response fields:
| Field | Type | Description |
|---|---|---|
| k8s_version | string | Kubernetes version (for example, "1.33.2") |
| container_targets | AKSK8SContainerTarget[] | Container images for this Kubernetes version |
| report_time | string (ISO 8601) | Report generation timestamp |
VHD (node image) releases
Get VHD releases index
The following endpoint returns an index of all VHD releases with available CVE reports:
GET /api/v1/vhd-releases/_index
Example request:
curl -s https://cve-api.prod-aks.azure.com/api/v1/vhd-releases/_index
Example response (abbreviated):
{
"vhd_release_versions": [
"AKSAzureLinux-gen1/202507.02.0",
"AKSAzureLinux-gen2/202512.06.0",
"AKSAzureLinux-gen2fips/202510.03.0",
"AKSAzureLinuxV3-gen2/202511.20.0",
"AKSCBLMarinerV2-gen2/202508.20.0",
"AKSUbuntu-gen1-2204containerd/202601.13.0",
"AKSUbuntu-gen2-2404containerd/202601.13.0"
],
"report_time": "2026-01-27T16:21:23.056129543Z"
}
Response fields:
| Field | Type | Description |
|---|---|---|
| vhd_release_versions | string[] | Available VHD releases in {distro}/{version} format |
| report_time | string (ISO 8601) | When this index was last generated |
Available distros:
| Distro prefix | Description |
|---|---|
| AKSAzureLinux-gen1 | Azure Linux V2, Generation 1 |
| AKSAzureLinux-gen2 | Azure Linux V2, Generation 2 |
| AKSAzureLinux-gen1fips | Azure Linux V2, Gen 1, FIPS-enabled |
| AKSAzureLinux-gen2fips | Azure Linux V2, Gen 2, FIPS-enabled |
| AKSAzureLinux-gen2kata | Azure Linux V2, Gen 2, Kata containers |
| AKSAzureLinux-gen2tl | Azure Linux V2, Gen 2, TL variant |
| AKSAzureLinuxV3-gen1 | Azure Linux V3, Generation 1 |
| AKSAzureLinuxV3-gen2 | Azure Linux V3, Generation 2 |
| AKSAzureLinuxV3-gen1fips | Azure Linux V3, Gen 1, FIPS-enabled |
| AKSAzureLinuxV3-gen2fips | Azure Linux V3, Gen 2, FIPS-enabled |
| AKSAzureLinuxV3-gen2tl | Azure Linux V3, Gen 2, TL variant |
| AKSCBLMarinerV2-gen1 | CBL-Mariner V2, Generation 1 |
| AKSCBLMarinerV2-gen2 | CBL-Mariner V2, Generation 2 |
| AKSCBLMarinerV2-gen1fips | CBL-Mariner V2, Gen 1, FIPS-enabled |
| AKSCBLMarinerV2-gen2fips | CBL-Mariner V2, Gen 2, FIPS-enabled |
| AKSCBLMarinerV2-gen2kata | CBL-Mariner V2, Gen 2, Kata containers |
| AKSCBLMarinerV2-gen2tl | CBL-Mariner V2, Gen 2, TL variant |
| AKSUbuntu-gen1-2004fipscontainerd | Ubuntu 20.04, Gen 1, FIPS |
| AKSUbuntu-gen1-2204containerd | Ubuntu 22.04, Generation 1 |
| AKSUbuntu-gen1-2404containerd | Ubuntu 24.04, Generation 1 |
| AKSUbuntu-gen2-2004cvmcontainerd | Ubuntu 20.04, Gen 2, Confidential VM |
| AKSUbuntu-gen2-2004fipscontainerd | Ubuntu 20.04, Gen 2, FIPS |
| AKSUbuntu-gen2-2204containerd | Ubuntu 22.04, Generation 2 |
| AKSUbuntu-gen2-2404containerd | Ubuntu 24.04, Generation 2 |
| AKSUbuntu-gen2-2204tlcontainerd | Ubuntu 22.04, Gen 2, TL variant |
| AKSUbuntu-gen2-2404tlcontainerd | Ubuntu 24.04, Gen 2, TL variant |
Get VHD release CVE report
The following endpoint returns the CVE report for a specific VHD release, including both the OS packages and container images that are included in that release:
GET /api/v1/vhd-releases/{distro}/{version}/scan-reports
Path parameters:
| Parameter | Type | Description | Example |
|---|---|---|---|
| distro | string | Linux distribution identifier | AKSUbuntu-gen2-2204containerd |
| version | string | VHD release version | 202601.13.0 |
Example request:
curl -s https://cve-api.prod-aks.azure.com/api/v1/vhd-releases/AKSUbuntu-gen2-2204containerd/202601.13.0/scan-reports
Example response (abbreviated):
{
"distro_name": "AKSUbuntu/gen2/2204containerd",
"vhd_release_version": "202601.13.0",
"previous_vhd_release_version": "202512.06.0",
"os_package_targets": [
{
"name": "libtasn1-6",
"version": "4.18.0-4ubuntu0.2",
"active_cves": [],
"previous_version": "4.18.0-4ubuntu0.1",
"mitigated_cves_from_previous_release": [
{"id": "CVE-2021-46848"},
{"id": "CVE-2025-13151"}
]
},
{
"name": "python3.10",
"version": "3.10.12-1~22.04.13",
"active_cves": [],
"previous_version": "3.10.12-1~22.04.12",
"mitigated_cves_from_previous_release": [
{"id": "CVE-2025-13836"}
]
}
],
"container_targets": [
{
"container_image": "mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images",
"active_container_images": {
"image_repo_tags": [
"mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.24.1-main-11-14-2025-15146744-cfg"
],
"image_repo_digests": [
"mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.24.1-main-11-14-2025-15146744-cfg@sha256:6ce08d12..."
]
},
"active_cves": [],
"removed_container_images_from_previous_release": {
"image_repo_tags": [
"mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.24.0-main-10-20-2025-fe8f6d51-targetallocator"
],
"image_repo_digests": [
"mcr.microsoft.com/azuremonitor/containerinsights/ciprod/prometheus-collector/images:6.24.0-main-10-20-2025-fe8f6d51-targetallocator@sha256:314e20ca..."
]
},
"mitigated_cves_from_previous_release": [
{"id": "CVE-2025-47914"},
{"id": "CVE-2025-4802"},
{"id": "CVE-2025-58181"},
{"id": "CVE-2025-61727"},
{"id": "CVE-2025-61729"}
]
}
],
"report_time": "2026-01-27T16:21:23.056129543Z"
}
Response fields:
| Field | Type | Description |
|---|---|---|
| distro_name | string | Linux distribution name (for example, "AKSAzureLinux/gen2") |
| vhd_release_version | string | Current VHD release version |
| previous_vhd_release_version | string | Previous VHD release version |
| os_package_targets | AKSVHDOSPackageTarget[] | OS packages in this VHD |
| container_targets | AKSVHDContainerTarget[] | Container images bundled in this VHD |
| report_time | string (ISO 8601) | Report generation timestamp |
Container images
The container images endpoints provide per-image CVE scan reports and cross-release mitigation tracking for individual container images. These endpoints don't have an _index listing; you navigate by the full image path.
Get container image CVE scan report
The following endpoint retrieves a CVE scan report for a specific container image identified by its full image path and tag:
GET /api/v1/container-images/{image}:{tag}/scan-reports
Path parameters:
| Parameter | Type | Description | Example |
|---|---|---|---|
| image | string | Full image name including registry | mcr.microsoft.com/oss/kubernetes/kube-proxy |
| tag | string | Image tag | v1.31.11 |
Example request:
curl -s https://cve-api.prod-aks.azure.com/api/v1/container-images/mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.31.11/scan-reports
Example response (abbreviated):
{
"image_repo_tags": [
"mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.31.11"
],
"image_repo_digests": [
"mcr.microsoft.com/oss/kubernetes/kube-proxy:v1.31.11@sha256:abc123..."
],
"report_time": "2026-02-20T16:12:42.081442479Z",
"active_cves": [
{
"scanner": {
"name": "trivy",
"version": "0.69.1"
},
"cves": [
{"id": "CVE-2024-13176"},
{"id": "CVE-2025-47914"}
]
}
]
}
Response fields:
| Field | Type | Description |
|---|---|---|
| image_repo_tags | string[] | Image tags for the scanned image |
| image_repo_digests | string[] | Image digests for all supported platforms |
| report_time | string (ISO 8601) | Report generation timestamp |
| active_cves | CVEList[] | Active CVEs grouped by scanner |
Get container image CVE mitigation report
The following endpoint retrieves a CVE mitigation report for a specific container image repository and shows which CVEs were seen in which component versions and releases, and in which versions and releases they were mitigated:
GET /api/v1/container-images/{image}/mitigation-reports
Path parameters:
| Parameter | Type | Description | Example |
|---|---|---|---|
| image | string | Full image name including registry (without tag) | mcr.microsoft.com/oss/kubernetes/kube-proxy |
Example request:
curl -s https://cve-api.prod-aks.azure.com/api/v1/container-images/mcr.microsoft.com/oss/kubernetes/kube-proxy/mitigation-reports
Example response (abbreviated):
{
"container_image": "mcr.microsoft.com/oss/kubernetes/kube-proxy",
"mitigations": [
{
"cve": {"id": "CVE-2023-2253"},
"seen_in_component_versions": ["v1.27.102-akslts"],
"seen_in_aks_release_versions": [],
"seen_in_aks_k8s_release_versions": [],
"seen_in_vhd_release_versions": ["AKSAzureLinux-gen1/202507.02.0"],
"mitigated_in_component_versions": [],
"mitigated_in_aks_release_versions": [],
"mitigated_in_aks_k8s_release_versions": [],
"mitigated_in_vhd_release_versions": []
}
]
}
Response fields:
| Field | Type | Description |
|---|---|---|
| container_image | string | Image name without tag |
| mitigations | CVEMitigation[] | CVE mitigation entries for this image |
VHD OS packages
The VHD OS package endpoints provide per-package CVE scan reports and cross-release mitigation tracking for individual OS packages installed in VHD node images. These endpoints don't have an _index listing; you navigate by the package name.
Get VHD OS package CVE scan report
The following endpoint retrieves a CVE scan report for a specific OS package version installed in VHD node images:
GET /api/v1/vhd-packages/{name}/{version}/scan-reports
Path parameters:
| Parameter | Type | Description | Example |
|---|---|---|---|
| name | string | OS package name (lowercase) | openssl |
| version | string | Package version | 3.0.2-0ubuntu1.20 |
Example request:
curl -s https://cve-api.prod-aks.azure.com/api/v1/vhd-packages/openssl/3.0.2-0ubuntu1.20/scan-reports
Example response:
{
"name": "openssl",
"version": "3.0.2-0ubuntu1.20",
"active_cves": [
{"id": "CVE-2025-15467"},
{"id": "CVE-2025-68160"}
],
"report_time": "2026-02-20T16:14:09.253455099Z"
}
Response fields:
| Field | Type | Description |
|---|---|---|
| name | string | Package name |
| version | string | Package version |
| active_cves | CVE[] | Active CVEs with available fixes |
| report_time | string (ISO 8601) | Report generation timestamp |
Get VHD OS package CVE mitigation report
The following endpoint retrieves a CVE mitigation report for a specific OS package and shows which CVEs were seen in which package versions and VHD releases, and in which versions they were mitigated:
GET /api/v1/vhd-packages/{name}/mitigation-reports
Path parameters:
| Parameter | Type | Description | Example |
|---|---|---|---|
| name | string | OS package name (lowercase) | openssl |
Example request:
curl -s https://cve-api.prod-aks.azure.com/api/v1/vhd-packages/openssl/mitigation-reports
Example response (abbreviated):
{
"package_name": "openssl",
"mitigations": [
{
"cve": {"id": "CVE-2025-15467"},
"seen_in_component_versions": ["3.3.3-2.azl3", "3.3.3-3.azl3"],
"seen_in_aks_release_versions": [],
"seen_in_aks_k8s_release_versions": [],
"seen_in_vhd_release_versions": ["AKSAzureLinuxV3-gen1/202507.02.0"],
"mitigated_in_component_versions": [],
"mitigated_in_aks_release_versions": [],
"mitigated_in_aks_k8s_release_versions": [],
"mitigated_in_vhd_release_versions": []
}
]
}
Response fields:
| Field | Type | Description |
|---|---|---|
| package_name | string | OS package name |
| mitigations | CVEMitigation[] | CVE mitigation entries for this package |
Data models
The following sections describe the data models returned by the AKS Vulnerability Data API, including the structure of CVE entries, container image references, AKS release components, VHD OS packages, and the relationships between them.
CVE
The CVE data model is a Common Vulnerabilities and Exposures identifier.
| Field | Type | Description |
|---|---|---|
| id | string | CVE identifier (for example, "CVE-2024-13176", "GHSA-2464-8j7c-4cjm") |
ContainerImages
The ContainerImages data model represents a set of container image references, including both human-readable tags and content-addressable digests.
| Field | Type | Description |
|---|---|---|
| image_repo_tags | string[] | Image tags (for example, "mcr.microsoft.com/oss/kubernetes/coredns:v1.9.4-9") |
| image_repo_digests | string[] | Image digests for all supported platforms (for example, "mcr.microsoft.com/oss/kubernetes/coredns:v1.9.4-9@sha256:abc...") |
Note
Digests include all Linux platform variants (amd64, arm64) from multi-arch manifests. This allows matching CVE data regardless of which platform-specific digest your node pulled.
AKSReleaseContainerTarget
The AKSReleaseContainerTarget data model represents a container component within a specific AKS release, identified by the pod namespace and container name where it runs, along with the container images it uses and the CVEs affecting it.
| Field | Type | Description |
|---|---|---|
| pod_namespace | string | Kubernetes namespace (for example, "kube-system", "calico-system") |
| container_name | string | Container name (for example, "coredns", "calico-node") |
| active_container_images | ContainerImages | Container images currently running for this component |
| active_cves | CVE[] | CVEs with available fixes currently affecting this component |
| removed_container_images_from_previous_release | ContainerImages | Images that were present in the previous release but are no longer running |
| mitigated_cves_from_previous_release | CVE[] | CVEs that existed in the previous release but have been fixed in this release |
AKSK8SContainerTarget
The AKSK8SContainerTarget data model represents a container image associated with a specific Kubernetes version, including the tagged image references and digests for that image and the CVEs affecting it.
| Field | Type | Description |
|---|---|---|
| container_image | string | Image name without tag (for example, "mcr.microsoft.com/oss/kubernetes/kube-apiserver") |
| active_container_images | ContainerImages | Tagged image references and digests |
| active_cves | CVE[] | Active CVEs with available fixes |
AKSVHDContainerTarget
The AKSVHDContainerTarget data model represents a container image that's included in a VHD node image, along with the tagged image references, digests, and CVEs affecting it.
| Field | Type | Description |
|---|---|---|
| container_image | string | Image name without tag |
| active_container_images | ContainerImages | Tagged image references and digests |
| active_cves | CVE[] | Active CVEs with available fixes |
| removed_container_images_from_previous_release | ContainerImages | Images removed since the previous VHD release |
| mitigated_cves_from_previous_release | CVE[] | CVEs fixed since the previous VHD release |
AKSVHDOSPackageTarget
The AKSVHDOSPackageTarget data model represents an OS-level package installed in a VHD node image, along with the version installed, the CVEs affecting it, and any changes from the previous VHD release.
| Field | Type | Description |
|---|---|---|
| name | string | Package name (for example, "kernel", "containerd", "systemd") |
| version | string | Package version (for example, "6.1.109.2-1.cm2") |
| active_cves | CVE[] | Active CVEs with available fixes |
| previous_version | string | Version from the previous VHD release (empty if unchanged) |
| mitigated_cves_from_previous_release | CVE[] | CVEs fixed since the previous VHD release |
CVEScanner
The CVEScanner data model represents the metadata for a vulnerability scanner that produces CVE scan results for container images.
| Field | Type | Description |
|---|---|---|
| name | string | Scanner name (for example, "trivy") |
| version | string | Scanner version (for example, "0.69.1") |
CVEList
The CVEList data model represents a set of CVEs detected by a particular vulnerability scanner for a given container image. Each entry associates the scanner metadata with the list of CVEs it detected.
| Field | Type | Description |
|---|---|---|
| scanner | CVEScanner | The scanner that produced these results |
| cves | CVE[] | CVEs detected by this scanner |
CVEMitigation
The CVEMitigation data model tracks a single CVE across component versions and release types, showing where it was observed and where it was mitigated.
| Field | Type | Description |
|---|---|---|
| cve | CVE | The CVE being tracked |
| seen_in_component_versions | string[] | Component versions (image tags or package versions) where this CVE was detected |
| seen_in_aks_release_versions | string[] | AKS release versions where this CVE was detected |
| seen_in_aks_k8s_release_versions | string[] | Kubernetes release versions where this CVE was detected |
| seen_in_vhd_release_versions | string[] | VHD release versions where this CVE was detected |
| mitigated_in_component_versions | string[] | Component versions where this CVE was fixed |
| mitigated_in_aks_release_versions | string[] | AKS release versions where this CVE was fixed |
| mitigated_in_aks_k8s_release_versions | string[] | Kubernetes release versions where this CVE was fixed |
| mitigated_in_vhd_release_versions | string[] | VHD release versions where this CVE was fixed |
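The following is an added example, not code from the AKS documentation: it triages CVE ids reported by your own scanner against a mitigation report using the CVEMitigation fields above. The function name, the status labels, and the second sample entry (placeholder CVE id and versions) are assumptions made for illustration.

```python
# Constructed sample in the shape of a container image mitigation report.
# The first entry is the one shown on this page; the second uses a placeholder
# CVE id and made-up versions to show what a fixed CVE looks like.
MITIGATION_REPORT = {
    "container_image": "mcr.microsoft.com/oss/kubernetes/kube-proxy",
    "mitigations": [
        {"cve": {"id": "CVE-2023-2253"},
         "seen_in_component_versions": ["v1.27.102-akslts"],
         "seen_in_vhd_release_versions": ["AKSAzureLinux-gen1/202507.02.0"],
         "mitigated_in_component_versions": [],
         "mitigated_in_aks_release_versions": [],
         "mitigated_in_aks_k8s_release_versions": [],
         "mitigated_in_vhd_release_versions": []},
        {"cve": {"id": "CVE-0000-0001"},                      # placeholder id
         "seen_in_component_versions": ["v0.0.1-example"],    # made-up versions
         "mitigated_in_component_versions": ["v0.0.2-example"],
         "mitigated_in_aks_release_versions": ["v00000000-example"],
         "mitigated_in_aks_k8s_release_versions": [],
         "mitigated_in_vhd_release_versions": []},
    ],
}

# Suffixes of the three mitigated_in_<kind>_versions release fields.
RELEASE_KINDS = ("aks_release", "aks_k8s_release", "vhd_release")


def triage_findings(report, finding_ids, running_version):
    """Classify scanner findings for one image against its mitigation report.

    finding_ids: CVE ids reported by your scanner for the image.
    running_version: the image tag (component version) you actually run.
    """
    tracked = {m["cve"]["id"]: m for m in report.get("mitigations", [])}
    results = {}
    for cve in finding_ids:
        entry = tracked.get(cve)
        if entry is None:
            # The API has no entry for this CVE on this image.
            results[cve] = {"status": "not_in_report"}
            continue
        fixed_components = entry.get("mitigated_in_component_versions") or []
        fixed_releases = {
            kind: entry.get(f"mitigated_in_{kind}_versions") or []
            for kind in RELEASE_KINDS
        }
        has_fix = bool(fixed_components) or any(fixed_releases.values())
        seen_versions = entry.get("seen_in_component_versions") or []
        results[cve] = {
            "status": "fix_recorded" if has_fix else "no_fix_recorded",
            "seen_in_running_version": running_version in seen_versions,
            "fixed_in_component_versions": fixed_components,
            # Only release kinds that actually list a fixing release.
            "fixed_in_releases": {k: v for k, v in fixed_releases.items() if v},
        }
    return results


if __name__ == "__main__":
    findings = ["CVE-2023-2253", "CVE-0000-0001", "CVE-0000-0002"]
    for cve, verdict in triage_findings(
            MITIGATION_REPORT, findings, "v1.27.102-akslts").items():
        print(cve, verdict)
```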
Delta tracking
AKS release and VHD release reports include delta fields that compare the current release to the previous one:
- mitigated_cves_from_previous_release: CVEs that were present in the previous release but are no longer detected. This means the vulnerability was fixed (for example, via a component version bump).
- removed_container_images_from_previous_release: Container images that were running in the previous release but are absent in the current release.
Note
Kubernetes version reports don't include delta fields.
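The delta fields are reported per component, so a CVE listed as mitigated for one component can still be active in another component of the same release. The following added example (not code from the AKS documentation) rolls the per-component fields up to release level; the function and output key names are assumptions, and the sample is the abbreviated v20260104 response from this page trimmed to the fields used.

```python
import json

# Constructed sample: the abbreviated v20260104 report from this page, trimmed
# to the fields the delta logic reads.
RELEASE_REPORT = json.loads("""
{
  "aks_release_version": "v20260104",
  "previous_aks_release_version": "v20251012",
  "container_targets": [
    {"pod_namespace": "kube-system", "container_name": "coredns",
     "active_cves": [{"id": "CVE-2025-47914"}, {"id": "CVE-2025-58181"},
                     {"id": "CVE-2025-61727"}, {"id": "CVE-2025-61729"}],
     "mitigated_cves_from_previous_release": []},
    {"pod_namespace": "gatekeeper-system", "container_name": "azure-policy-audit",
     "active_cves": [{"id": "CVE-2025-61727"}, {"id": "CVE-2025-61729"}],
     "mitigated_cves_from_previous_release": [{"id": "CVE-2025-47912"},
                                              {"id": "CVE-2025-47914"},
                                              {"id": "CVE-2025-58181"}]}
  ]
}
""")


def cve_ids(entries):
    """Return the set of ids from a CVE[] array (missing or null -> empty)."""
    return {entry["id"] for entry in (entries or [])}


def summarize_release_delta(report):
    """Roll per-component active and mitigated CVEs up to release level."""
    active, mitigated = {}, {}   # CVE id -> set of "namespace/container"
    for target in report.get("container_targets", []):
        component = f'{target["pod_namespace"]}/{target["container_name"]}'
        for cve in cve_ids(target.get("active_cves")):
            active.setdefault(cve, set()).add(component)
        for cve in cve_ids(target.get("mitigated_cves_from_previous_release")):
            mitigated.setdefault(cve, set()).add(component)

    return {
        "release": report.get("aks_release_version"),
        "compared_to": report.get("previous_aks_release_version"),
        # Mitigated in some component and active in no component of this report.
        "cleared_in_release": sorted(c for c in mitigated if c not in active),
        # Mitigated in one component but still active in another.
        "fixed_here_active_elsewhere": {
            c: {"fixed_in": sorted(mitigated[c]), "active_in": sorted(active[c])}
            for c in sorted(mitigated) if c in active
        },
        # How many components each active CVE still affects.
        "active_component_count": {c: len(v) for c, v in sorted(active.items())},
    }


if __name__ == "__main__":
    print(json.dumps(summarize_release_delta(RELEASE_REPORT), indent=2))
```

On the sample, CVE-2025-47912 is cleared for the release, while CVE-2025-47914 and CVE-2025-58181 are mitigated in azure-policy-audit but remain active in coredns.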
Multi-architecture digests
Each container image might include multiple digest references covering different CPU architectures (amd64, arm64). The API includes all Linux platform digests from multi-architecture manifests, so you can match CVE data regardless of which specific platform digest your node pulled.
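The following added example (not code from the AKS documentation) matches image references collected from nodes against image_repo_digests in a Kubernetes version or VHD report, comparing only the sha256 part so that either platform digest matches. The digests are constructed because the page truncates the real ones, and the node-side reference format (repo@sha256:...) and all function names are assumptions.

```python
import re

# A full digest at the end of an image reference.
DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")

# Constructed sample digests (the page truncates real ones), one per platform.
AMD64 = "sha256:" + "a1" * 32
ARM64 = "sha256:" + "b2" * 32
UNKNOWN = "sha256:" + "c3" * 32

# Constructed sample in the shape of a Kubernetes version scan report.
K8S_REPORT = {
    "k8s_version": "1.33.2",
    "container_targets": [{
        "container_image": "mcr.microsoft.com/oss/kubernetes/kube-apiserver",
        "active_container_images": {
            "image_repo_tags": [
                "mcr.microsoft.com/oss/kubernetes/kube-apiserver:v1.33.2"],
            "image_repo_digests": [
                "mcr.microsoft.com/oss/kubernetes/kube-apiserver:v1.33.2@" + AMD64,
                "mcr.microsoft.com/oss/kubernetes/kube-apiserver:v1.33.2@" + ARM64,
            ],
        },
        "active_cves": [{"id": "CVE-2025-47912"}, {"id": "CVE-2025-58181"}],
    }],
}

# Constructed node-side references: digest-pinned, unknown digest, tag only.
RUNNING_REFS = [
    "mcr.microsoft.com/oss/kubernetes/kube-apiserver@" + ARM64,
    "registry.example.invalid/team/app@" + UNKNOWN,
    "mcr.microsoft.com/oss/kubernetes/kube-apiserver:v1.33.2",
]


def digest_of(reference):
    """Return 'sha256:<hex>' from an image reference, or None if absent."""
    match = DIGEST_RE.search(reference.strip())
    return match.group(1) if match else None


def index_by_digest(report):
    """Map every platform digest in the report to its image and CVE ids."""
    index = {}
    for target in report.get("container_targets", []):
        cves = sorted(c["id"] for c in target.get("active_cves") or [])
        images = target.get("active_container_images") or {}
        for ref in images.get("image_repo_digests", []):
            digest = digest_of(ref)
            if digest:  # skip truncated or malformed entries
                index[digest] = {"image": target.get("container_image"),
                                 "active_cves": cves}
    return index


def correlate(report, running_refs):
    """Classify each node-side image reference against the report."""
    index = index_by_digest(report)
    results = {}
    for ref in running_refs:
        digest = digest_of(ref)
        if digest is None:
            # A tag is mutable, so it cannot prove which content is running.
            results[ref] = {"status": "no_digest"}
        elif digest in index:
            results[ref] = {"status": "matched", **index[digest]}
        else:
            results[ref] = {"status": "not_in_report"}
    return results


if __name__ == "__main__":
    for ref, verdict in correlate(K8S_REPORT, RUNNING_REFS).items():
        print(verdict["status"], ref)
```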
Report version formats
The AKS Vulnerability Data API reports use different versioning schemes depending on the type of release being reported. The following table summarizes the formats used for AKS releases, Kubernetes versions, and VHD releases:
| Release type | Format | Example |
|---|---|---|
| AKS release | v{YYYYMMDD} | v20260104 |
| Kubernetes version | Semver | 1.33.2 |
| VHD release | {distro}/{YYYYMM.DD.patch} | AKSAzureLinux-gen2/202512.06.0 |
Related content
For more information about the AKS Vulnerability Data API, see Vulnerability Data API for Azure Kubernetes Service (AKS) overview.