Use Defender for Containers to scan your Amazon AWS Elastic Container Registry images for vulnerabilities (Preview)

Defender for Containers lets you scan the container images stored in your Amazon AWS Elastic Container Registry (ECR) as part of the protections provided within Microsoft Defender for Cloud.

To enable scanning of vulnerabilities in containers, you have to connect your AWS account to Defender for Cloud and enable Defender for Containers. The agentless scanner, powered by the open-source scanner Trivy, scans your ECR repositories and reports vulnerabilities.

Defender for Containers creates resources in your AWS account to build an inventory of the software in your images. The scan then sends only the software inventory to Defender for Cloud. This architecture protects your information privacy and intellectual property, and also keeps the outbound network traffic to a minimum. Defender for Containers creates an ECS cluster in a dedicated VPC, an internet gateway, and an S3 bucket in the us-east-1 and eu-central-1 regions to build the software inventory.

Defender for Cloud filters and classifies findings from the software inventory that the scanner creates. Images without vulnerabilities are marked as healthy; Defender for Cloud doesn't send notifications about healthy images, so you don't receive unwanted informational alerts.

The triggers for an image scan are:

  • On push - Whenever an image is pushed to your registry, Defender for Containers automatically scans that image within 2 hours.

  • Continuous scan - Defender for Containers reassesses the images based on Trivy's latest vulnerability database. This reassessment is performed weekly for as long as the image is still present in the registry.

Prerequisites

Before you can scan your ECR images:

For a list of the types of images not supported by Microsoft Defender for Containers, see Availability.

Enable vulnerability assessment

To enable vulnerability assessment:

  1. From Defender for Cloud's menu, open Environment settings.

  2. Select the AWS connector that connects to your AWS account.

    Screenshot of Defender for Cloud's environment settings page showing an AWS connector.

  3. In the Monitoring Coverage section of the Containers plan, select Settings.

    Screenshot of Containers settings for the AWS connector.

  4. Turn on Vulnerability assessment.

    Screenshot of the toggle to turn on vulnerability assessment for ECR images.

  5. Select Save > Next: Configure access.

  6. Download the CloudFormation template.

  7. Using the downloaded CloudFormation template, create the stack in AWS as instructed on screen. If you're onboarding a management account, you'll need to run the CloudFormation template both as a Stack and as a StackSet. It takes up to 30 minutes for the AWS resources to be created. The resources have the prefix defender-for-containers-va.

  8. Select Next: Review and generate.

  9. Select Update.

Findings are available as Defender for Cloud recommendations from 2 hours after vulnerability assessment is turned on. The recommendation also shows any reason that a repository is identified as not scannable ("Not applicable"), such as images pushed more than 3 months before you enabled vulnerability assessment.
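The stack creation in steps 6 and 7 can also be driven from the AWS SDK, which makes the 30-minute wait and the check for the defender-for-containers-va resources repeatable. The following is an added example, not code from Defender for Cloud or from the downloaded template: it assumes boto3 credentials for the target account, a locally saved copy of the template (template_path), a stack name of your choice, the region you onboard in and, for a management account, the organizational unit IDs (ou_ids) the StackSet should target. Whether the template needs CAPABILITY_NAMED_IAM is also an assumption. The two pure helpers at the end check the documented prefix and the creation status on describe_stack_resources output, so they can be run against a constructed sample without AWS access.

```python
"""Deploy the CloudFormation template downloaded from Defender for Cloud and
confirm the defender-for-containers-va resources were created.

Added example; not from the Defender for Cloud docs or the template itself.
Assumptions: boto3 credentials for the target AWS account, the template saved
locally, stack/StackSet names, the region, and OU IDs for a management account.
"""
from pathlib import Path

VA_PREFIX = "defender-for-containers-va"   # prefix the page states for created resources
STACK_NAME = "defender-for-containers-va"  # assumption: the stack name is your choice
MAX_WAIT_SECONDS = 30 * 60                 # the page says creation takes up to 30 minutes


def deploy_stack(template_path, region, stack_name=STACK_NAME):
    """Create the stack from the template and block until it is CREATE_COMPLETE."""
    import boto3  # imported here so the pure helpers below work without boto3 installed
    cfn = boto3.client("cloudformation", region_name=region)
    template = Path(template_path).read_text()
    cfn.create_stack(
        StackName=stack_name,
        TemplateBody=template,
        Capabilities=["CAPABILITY_NAMED_IAM"],  # assumption: the template declares IAM roles
    )
    cfn.get_waiter("stack_create_complete").wait(
        StackName=stack_name,
        WaiterConfig={"Delay": 30, "MaxAttempts": MAX_WAIT_SECONDS // 30},
    )
    return cfn.describe_stack_resources(StackName=stack_name)["StackResources"]


def deploy_stack_set(template_path, region, ou_ids, stack_set_name=STACK_NAME):
    """For a management account the page requires a StackSet as well; this rolls
    the same template out to the given organizational units (ou_ids is an assumption)."""
    import boto3
    cfn = boto3.client("cloudformation", region_name=region)
    template = Path(template_path).read_text()
    cfn.create_stack_set(
        StackSetName=stack_set_name,
        TemplateBody=template,
        Capabilities=["CAPABILITY_NAMED_IAM"],
        PermissionModel="SERVICE_MANAGED",
        AutoDeployment={"Enabled": True, "RetainStacksOnAccountRemoval": False},
    )
    return cfn.create_stack_instances(
        StackSetName=stack_set_name,
        DeploymentTargets={"OrganizationalUnitIds": ou_ids},
        Regions=[region],
    )["OperationId"]


def va_resources(stack_resources):
    """Keep only resources carrying the documented prefix, grouped by CloudFormation type."""
    found = {}
    for r in stack_resources:
        logical, physical = r.get("LogicalResourceId", ""), r.get("PhysicalResourceId", "")
        if logical.startswith(VA_PREFIX) or physical.startswith(VA_PREFIX):
            found.setdefault(r["ResourceType"], []).append(physical or logical)
    return found


def all_created(stack_resources):
    """True when the stack has resources and every one reports CREATE_COMPLETE."""
    return bool(stack_resources) and all(
        r.get("ResourceStatus") == "CREATE_COMPLETE" for r in stack_resources
    )


# Constructed sample shaped like describe_stack_resources output; values are made up.
SAMPLE_RESOURCES = [
    {"LogicalResourceId": "EcsCluster", "PhysicalResourceId": "defender-for-containers-va-cluster",
     "ResourceType": "AWS::ECS::Cluster", "ResourceStatus": "CREATE_COMPLETE"},
    {"LogicalResourceId": "InventoryBucket", "PhysicalResourceId": "defender-for-containers-va-bucket-sample",
     "ResourceType": "AWS::S3::Bucket", "ResourceStatus": "CREATE_COMPLETE"},
    {"LogicalResourceId": "HelperRole", "PhysicalResourceId": "unrelated-role",
     "ResourceType": "AWS::IAM::Role", "ResourceStatus": "CREATE_IN_PROGRESS"},
]

if __name__ == "__main__":
    # Real run: resources = deploy_stack("defender-for-containers-va.yaml", "us-east-1")
    print(va_resources(SAMPLE_RESOURCES), all_created(SAMPLE_RESOURCES))
```

If all_created returns False after the waiter succeeds, inspect the stack events before re-running; the waiter raises on CREATE_FAILED or ROLLBACK states, so a False here normally means a resource is still in progress.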

View and remediate findings

Vulnerability assessment lists the repositories with vulnerable images in the results of the recommendation Elastic container registry images should have vulnerability findings resolved. From the recommendation, you can identify vulnerable images and get details about the vulnerabilities.

Vulnerability findings for an image are still shown in the recommendation for 48 hours after an image is deleted.

  1. To view the findings, open the Recommendations page. If the scan found issues, you'll see the recommendation Elastic container registry images should have vulnerability findings resolved.

    Screenshot of the Recommendation to remediate findings in ECR images.

  2. Select the recommendation.

    The recommendation details page opens with additional information. This information includes the list of repositories with vulnerable images ("Affected resources") and the remediation steps.

  3. Select specific repositories to see the vulnerabilities found in images in those repositories.

    Screenshot of ECR repositories that have vulnerabilities.

    The vulnerabilities section shows the identified vulnerabilities.

  4. To learn more about a vulnerability, select the vulnerability.

    The vulnerability details pane opens.

    Screenshot of vulnerability details in ECR repositories.

    This pane includes a detailed description of the issue and links to external resources to help mitigate the threats.

  5. Follow the steps in the remediation section of the recommendation.

  6. When you've taken the steps required to remediate the security issue, replace the image in your registry:

    1. Push the updated image to trigger a scan.

    2. Check the recommendations page for the recommendation Container registry images should have vulnerability findings resolved.

      If the recommendation still appears and the image you've handled still appears in the list of vulnerable images, check the remediation steps again.

    3. When you're sure the updated image has been pushed, scanned, and is no longer appearing in the recommendation, delete the “old” vulnerable image from your registry.

FAQs

Can I get the scan results via REST API?

Yes. The results are available through the Sub-Assessments REST API. You can also use Azure Resource Graph (ARG), the Kusto-like query API over all of your resources, to fetch a specific scan with a query.
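For the REST API and Resource Graph routes just mentioned, here is an added example (not from the Defender for Cloud documentation) that lists sub-assessments for a subscription, follows paging, and triages them by status code, keeping the cause text for findings the recommendation reports as not scannable ("Not applicable"). It assumes a bearer token obtained elsewhere (for example from az account get-access-token), a subscription-level scope, and the constructed SAMPLE_FINDINGS; the assessment key for the ECR recommendation is not on this page, so the query is not filtered by it.

```python
"""Pull scan findings from Defender for Cloud and triage them by status code.

Added example; not code from the Defender for Cloud documentation. The API paths
and versions are the public Sub-Assessments and Resource Graph endpoints; the
scope, token source and sample findings are assumptions labelled inline.
"""
import json
import urllib.request
from collections import Counter, defaultdict

ARM = "https://management.azure.com"
# Assumption: list sub-assessments for a whole subscription; any ARM scope works.
SUBASSESSMENTS_PATH = "/providers/Microsoft.Security/subAssessments?api-version=2019-01-01-preview"
ARG_PATH = "/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01"
# Resource Graph query for the same findings; narrow it further by displayName or severity.
ARG_QUERY = (
    "securityresources "
    '| where type =~ "microsoft.security/assessments/subassessments" '
    "| project id, displayName = properties.displayName, status = properties.status"
)


def _arm_call(path, token, body=None):
    """One ARM request; returns the parsed JSON. The caller supplies a bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ARM + path, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_subassessments(subscription_id, token):
    """Follow nextLink until every sub-assessment in the subscription is collected."""
    url = f"/subscriptions/{subscription_id}{SUBASSESSMENTS_PATH}"
    items = []
    while url:
        page = _arm_call(url, token)
        items.extend(page.get("value", []))
        next_link = page.get("nextLink")
        url = next_link.removeprefix(ARM) if next_link else None  # nextLink is absolute
    return items


def fetch_via_resource_graph(subscription_id, token):
    """Same findings through Azure Resource Graph; handy across many subscriptions."""
    body = {"subscriptions": [subscription_id], "query": ARG_QUERY}
    return _arm_call(ARG_PATH, token, body).get("data", [])


def triage(subassessments):
    """Count Unhealthy findings per severity, count Healthy ones, and group
    NotApplicable (not scannable) findings by their cause so the reason a
    repository was skipped is visible alongside the real vulnerabilities."""
    summary = {"unhealthy": Counter(), "healthy": 0, "not_applicable": defaultdict(list)}
    for sa in subassessments:
        props = sa.get("properties", {})
        status = props.get("status", {})
        code = status.get("code")
        if code == "Unhealthy":
            summary["unhealthy"][status.get("severity", "Unknown")] += 1
        elif code == "Healthy":
            summary["healthy"] += 1
        elif code == "NotApplicable":
            summary["not_applicable"][status.get("cause", "Unknown")].append(props.get("displayName"))
    return summary


# Constructed sample in the shape the API returns; IDs and names are placeholders.
SAMPLE_FINDINGS = [
    {"name": "f1", "properties": {"id": "CVE-PLACEHOLDER-1", "displayName": "openssl (constructed)",
                                   "status": {"code": "Unhealthy", "severity": "High"}}},
    {"name": "f2", "properties": {"id": "CVE-PLACEHOLDER-2", "displayName": "zlib (constructed)",
                                   "status": {"code": "Unhealthy", "severity": "Medium"}}},
    {"name": "f3", "properties": {"displayName": "clean-image (constructed)",
                                   "status": {"code": "Healthy"}}},
    {"name": "f4", "properties": {"displayName": "old-image (constructed)",
                                   "status": {"code": "NotApplicable", "cause": "ImageTooOld",
                                              "description": "constructed: pushed before VA was enabled"}}},
]

if __name__ == "__main__":
    # Real run: findings = fetch_subassessments("<subscription-id>", "<bearer token>")
    print(triage(SAMPLE_FINDINGS))
```

Feed the Unhealthy counts into whatever you use for ticketing, and treat a growing NotApplicable bucket as a signal to re-push old images rather than as clean results.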

Next steps

Learn more about: