Vulnerability assessment for Azure powered by Qualys

Vulnerability assessment for Azure, powered by Qualys, is an out-of-box solution that empowers security teams to easily discover and remediate vulnerabilities in Linux container images, with zero configuration for onboarding, and without deployment of any agents.

Note

• This offering is only available for customers using the Qualys offering prior to November 15, 2023. Customers that onboarded to Defender for Containers after this date should use Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management.
• This feature supports scanning of images in the Azure Container Registry (ACR) only. If you want to find vulnerabilities stored in other container registries, you can import the images into ACR, after which the imported images are scanned by the built-in vulnerability assessment solution. Learn how to import container images to a container registry.

In every subscription where this capability is enabled, all images stored in ACR (existing and new) are automatically scanned for vulnerabilities without any extra configuration of users or registries. Recommendations with vulnerability reports are provided for all images in ACR as well as images that are currently running in AKS that were pulled from an ACR registry. Images are scanned shortly after being added to a registry, and rescanned for new vulnerabilities once every week.

Container vulnerability assessment powered by Qualys has the following capabilities:

• Scanning OS packages - container vulnerability assessment can scan vulnerabilities in packages installed by the OS package manager in Linux. See the full list of the supported OS and their versions.

• Language specific packages – support for language specific packages and files, and their dependencies installed or copied without the OS package manager. See the full list of supported languages.

• Image scanning in Azure Private Link - Azure container vulnerability assessment provides the ability to scan images in container registries that are accessible via Azure Private Links. This capability requires access to trusted services and authentication with the registry. Learn how to allow access by trusted services.

• Reporting - Container Vulnerability Assessment for Azure powered by Qualys provides vulnerability reports using the following recommendations:

  Recommendation	Description	Assessment Key
  Azure registry container images should have vulnerabilities resolved (powered by Qualys)	Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers security posture and protect them from attacks.	dbd0cb49-b563-45e7-9724-889e799fa648
  Azure running container images should have vulnerabilities resolved - (powered by Qualys)	Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers security posture and protect them from attacks.	41503391-efa5-47ee-9282-4eff6131462c

• Query vulnerability information via the Azure Resource Graph - Ability to query vulnerability information via the Azure Resource Graph. Learn how to query recommendations via the ARG.

• Query vulnerability information via sub-assessment API - You can get scan results via REST API. See the subassessment list.

• Support for exemptions - Learn how to create exemption rules for a management group, resource group, or subscription.

• Support for disabling vulnerability findings - Learn how to disable vulnerability assessment findings on Container registry images.

Scan triggers

• One-time triggering
  • Each image pushed/imported to a container registry is scanned shortly after being pushed to a registry. In most cases, the scan is completed within a few minutes, but sometimes it might take up to an hour.
  • Each image pulled from a container registry is scanned if it wasn't scanned in the last seven days.
• Continuous rescan triggering – Continuous rescan is required to ensure images that have been previously scanned for vulnerabilities are rescanned to update their vulnerability reports in case a new vulnerability is published.
  • Rescan is performed once every 7 days for:
    • images pulled in the last 30 days
    • images currently running on the Kubernetes clusters monitored by the Defender agent

Prerequisites

Before you can scan your ACR images, you must enable the Defender for Containers plan on your subscription.

For a list of the types of images and container registries supported by Microsoft Defender for Containers, see Availability.

View and remediate findings

1. To view the findings, open the Recommendations page. If issues are found, you'll see the recommendation Azure registry container images should have vulnerabilities resolved (powered by Qualys).

   

2. Select the recommendation.

   The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images ("Affected resources") and the remediation steps.

3. Select a specific registry to see the repositories in it that have vulnerable repositories.

   

   The registry details page opens with the list of affected repositories.

4. Select a specific repository to see the repositories in it that have vulnerable images.

   

   The repository details page opens. It lists the vulnerable images together with an assessment of the severity of the findings.

5. Select a specific image to see the vulnerabilities.

   

   The list of findings for the selected image opens.

   

6. To learn more about a finding, select the finding.

   The findings details pane opens.

   

   This pane includes a detailed description of the issue and links to external resources to help mitigate the threats.

7. Follow the steps in the remediation section of this pane.

8. When you've taken the steps required to remediate the security issue, replace the image in your registry:

   1. Push the updated image to trigger a scan.

   2. Check the recommendations page for the recommendation Container registry images should have vulnerability findings resolved-powered by Qualys.

      If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.

   3. When you're sure the updated image has been pushed, scanned, and is no longer appearing in the recommendation, delete the “old” vulnerable image from your registry.

Disable specific findings

Note

The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.

When a finding matches the criteria you've defined in your disable rules, it doesn't appear in the list of findings. Typical scenarios include:

• Disable findings with severity below medium
• Disable findings that are nonpatchable
• Disable findings with CVSS score below 6.5
• Disable findings with specific text in the security check or category (for example: "RedHat" or "CentOS Security Update for sudo")

Important

To create a rule, you need permissions to edit a policy in Azure Policy.

Learn more in Azure RBAC permissions in Azure Policy.

You can use any of the following criteria:

• Finding ID
• CVE
• Category
• Security check
• CVSS v3 scores
• Severity
• Patchable status

To create a rule:

1. From the recommendations detail page for Azure registry container images should have vulnerabilities resolved (powered by Qualys), select Disable rule.

2. Select the relevant scope.

   

3. Define your criteria.

4. Select Apply rule.

5. To view, override, or delete a rule:

   1. Select Disable rule.
   2. From the scope list, subscriptions with active rules appear as Rule applied.
   3. To view or delete the rule, select the ellipsis menu ("...").

View vulnerabilities for images running on your AKS clusters

Defender for Cloud gives its customers the ability to prioritize the remediation of vulnerabilities in images that are currently being used within their environment using the Azure running container images should have vulnerabilities resolved - (powered by Qualys) recommendation.

To provide the findings for the recommendation, Defender for Cloud collects the inventory of your running containers that are collected by the Defender agent. Defender for Cloud correlates that inventory with the vulnerability assessment scan of images that are stored in ACR. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and provides vulnerability reports and remediation steps.

Next steps

• Learn more about the Defender for Cloud Defender plans.
• Check out common questions about Defender for Containers.