Scan registry images with Microsoft Defender for Cloud

To scan images in your Azure container registries for vulnerabilities, you can integrate one of the available Azure Marketplace solutions or, if you want to use Microsoft Defender for Cloud, optionally enable Microsoft Defender for container registries at the subscription level.

Registry operations by Microsoft Defender for Cloud

Microsoft Defender for Cloud scans images that are pushed to a registry, imported into a registry, or pulled within the last 30 days. If vulnerabilities are detected, recommended remediations appear in Microsoft Defender for Cloud.

After you've taken the recommended steps to remediate the security issue, replace the image in your registry. Microsoft Defender for Cloud rescans the image to confirm that the vulnerabilities are remediated.

For details, see Use Microsoft Defender for container registries.

Tip

Microsoft Defender for Cloud authenticates with the registry to pull images for vulnerability scanning. If resource logs are collected for your registry, you'll see registry login events and image pull events generated by Microsoft Defender for Cloud. These events are associated with an alphanumeric ID such as b21cb118-5a59-4628-bab0-3c3f0e434cg6.

Scanning a network-restricted registry

Microsoft Defender for Cloud can scan images in a publicly accessible container registry or one that's protected with network access rules. If network rules are configured (that is, you disable public registry access, configure IP access rules, or create private endpoints), be sure to enable the network setting to allow trusted Microsoft services to access the registry. By default, this setting is enabled in a new container registry.
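The following script is an added example, not part of the Microsoft documentation page, that ties together the two operational points above: checking that a network-restricted registry still allows trusted Microsoft services (so the scanner's pulls are not denied), and listing, from the registry's resource logs, the pull and login activity generated by the scanner identity mentioned in the Tip. It assumes the Azure CLI is installed and logged in, that `az acr show` returns the properties `publicNetworkAccess`, `networkRuleSet.defaultAction` and `networkRuleBypassOptions`, that `az acr update --allow-trusted-services true` sets the bypass, and that the `ContainerRegistryRepositoryEvents` Log Analytics table has the columns `Identity`, `OperationName`, `Repository` and `TimeGenerated`; verify those names against your CLI and workspace before relying on them.

```shell
#!/bin/sh
# Added example (not from the documentation page): audit an Azure container
# registry for Defender for Cloud scanning reachability, and query the
# resource logs for activity by the scanner identity.
#
# Assumptions (verify against your environment): the az acr property names
# publicNetworkAccess, networkRuleSet.defaultAction, networkRuleBypassOptions;
# the flag `az acr update --allow-trusted-services`; and the log columns
# Identity, OperationName, Repository, TimeGenerated.

# Pure decision logic so it can be exercised without an Azure login.
# Args: publicNetworkAccess (Enabled|Disabled), defaultAction (Allow|Deny|empty),
#       networkRuleBypassOptions (AzureServices|None)
# Prints: unrestricted | ok | blocked
trusted_services_status() {
    public_access="$1"; default_action="$2"; bypass="$3"
    restricted=no
    [ "$public_access" = "Disabled" ] && restricted=yes
    [ "$default_action" = "Deny" ] && restricted=yes
    if [ "$restricted" = "no" ]; then
        echo unrestricted   # no network rules, the scanner can reach the registry
    elif [ "$bypass" = "AzureServices" ]; then
        echo ok             # rules in place, trusted services bypass them
    else
        echo blocked        # rules in place and scanner pulls will be denied
    fi
}

# Read the live settings of one registry and re-enable the bypass if it is off.
audit_registry() {
    registry="$1"
    public_access=$(az acr show --name "$registry" --query publicNetworkAccess -o tsv)
    default_action=$(az acr show --name "$registry" --query networkRuleSet.defaultAction -o tsv)
    bypass=$(az acr show --name "$registry" --query networkRuleBypassOptions -o tsv)
    status=$(trusted_services_status "$public_access" "$default_action" "$bypass")
    echo "$registry: $status"
    if [ "$status" = "blocked" ]; then
        # Restore the default that a newly created registry ships with.
        az acr update --name "$registry" --allow-trusted-services true -o none
    fi
}

# Build the KQL that summarises registry events for one identity over N days.
# Args: identity as it appears in the logs (e.g. the ID quoted in the Tip), days
scanner_activity_query() {
    identity="$1"; days="${2:-30}"
    printf '%s' "ContainerRegistryRepositoryEvents
| where TimeGenerated > ago(${days}d)
| where Identity == '${identity}'
| summarize events = count(), last_seen = max(TimeGenerated) by OperationName, Repository
| order by last_seen desc"
}

# Run the query against the Log Analytics workspace that the registry's
# diagnostic settings send resource logs to.
list_scanner_activity() {
    workspace_id="$1"; identity="$2"
    az monitor log-analytics query --workspace "$workspace_id" \
        --analytics-query "$(scanner_activity_query "$identity")" -o table
}

# Stand-alone use:
#   ./acr_scan_audit.sh <registry-name> [<workspace-id> <scanner-identity>]
if [ -n "${1:-}" ]; then
    audit_registry "$1"
    if [ -n "${3:-}" ]; then
        list_scanner_activity "$2" "$3"
    fi
fi
```

The decision function treats a registry as restricted when public access is disabled or the network rule set's default action is Deny, which covers the IP-rule and private-endpoint cases described above; on a registry that is not restricted the bypass setting is irrelevant, so no change is made.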

Next steps