Vulnerability assessment for Azure powered by Qualys

Vulnerability assessment for Azure, powered by Qualys, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in Linux container images, with zero configuration for onboarding, and without deployment of any agents.


In every subscription where this capability is enabled, all images stored in ACR (existing and new) are automatically scanned for vulnerabilities without any extra configuration of users or registries. Recommendations with vulnerability reports are provided for all images in ACR as well as images that are currently running in AKS that were pulled from an ACR registry. Images are scanned shortly after being added to a registry, and rescanned for new vulnerabilities once every week.

Container vulnerability assessment powered by Qualys has the following capabilities:

Scan triggers

  • One-time triggering
    • Each image pushed/imported to a container registry is scanned shortly after being pushed to a registry. In most cases, the scan is completed within a few minutes, but sometimes it might take up to an hour.
    • Each image pulled from a container registry is scanned if it wasn't scanned in the last seven days.
  • Continuous rescan triggering – Continuous rescan is required to ensure images that have been previously scanned for vulnerabilities are rescanned to update their vulnerability reports in case a new vulnerability is published.
    • Rescan is performed once every 7 days for:
      • images pulled in the last 30 days
      • images currently running on the Kubernetes clusters monitored by the Defender agent


Before you can scan your ACR images, you must enable the Defender for Containers plan on your subscription.

For a list of the types of images and container registries supported by Microsoft Defender for Containers, see Availability.

View and remediate findings

  1. To view the findings, open the Recommendations page. If issues are found, you'll see the recommendation Azure registry container images should have vulnerabilities resolved (powered by Qualys).

    Screenshot showing the recommendation line.

  2. Select the recommendation.

    The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images ("Affected resources") and the remediation steps.

  3. Select a specific registry to see the repositories in it that have vulnerable repositories.

    Screenshot showing where to select a specific registry.

    The registry details page opens with the list of affected repositories.

  4. Select a specific repository to see the repositories in it that have vulnerable images.

    Screenshot showing select specific image to see vulnerabilities.

    The repository details page opens. It lists the vulnerable images together with an assessment of the severity of the findings.

  5. Select a specific image to see the vulnerabilities.

    Select images.

    The list of findings for the selected image opens.

    Screenshot showing list of findings for the selected image.

  6. To learn more about a finding, select the finding.

    The findings details pane opens.

    Screenshot showing details about a specific finding.

    This pane includes a detailed description of the issue and links to external resources to help mitigate the threats.

  7. Follow the steps in the remediation section of this pane.

  8. When you've taken the steps required to remediate the security issue, replace the image in your registry:

    1. Push the updated image to trigger a scan.

    2. Check the recommendations page for the recommendation Container registry images should have vulnerability findings resolved-powered by Qualys.

      If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.

    3. When you're sure the updated image has been pushed, scanned, and is no longer appearing in the recommendation, delete the “old” vulnerable image from your registry.

Disable specific findings


The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.

When a finding matches the criteria you've defined in your disable rules, it doesn't appear in the list of findings. Typical scenarios include:

  • Disable findings with severity below medium
  • Disable findings that are nonpatchable
  • Disable findings with CVSS score below 6.5
  • Disable findings with specific text in the security check or category (for example: "RedHat" or "CentOS Security Update for sudo")


To create a rule, you need permissions to edit a policy in Azure Policy.

Learn more in Azure RBAC permissions in Azure Policy.

You can use any of the following criteria:

  • Finding ID
  • CVE
  • Category
  • Security check
  • CVSS v3 scores
  • Severity
  • Patchable status

To create a rule:

  1. From the recommendations detail page for Azure registry container images should have vulnerabilities resolved (powered by Qualys), select Disable rule.

  2. Select the relevant scope.

    Screenshot showing how to create a disable rule for VA findings on registry.

  3. Define your criteria.

  4. Select Apply rule.

  5. To view, override, or delete a rule:

    1. Select Disable rule.
    2. From the scope list, subscriptions with active rules appear as Rule applied. Screenshot showing the scope list.
    3. To view or delete the rule, select the ellipsis menu ("...").

View vulnerabilities for images running on your AKS clusters

Defender for Cloud gives its customers the ability to prioritize the remediation of vulnerabilities in images that are currently being used within their environment using the Azure running container images should have vulnerabilities resolved - (powered by Qualys) recommendation.

To provide the findings for the recommendation, Defender for Cloud collects the inventory of your running containers that are collected by the Defender agent. Defender for Cloud correlates that inventory with the vulnerability assessment scan of images that are stored in ACR. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and provides vulnerability reports and remediation steps.

Screenshot of recommendations showing your running containers with the vulnerabilities associated with the images used by each container.

Next steps