View and remediate vulnerabilities for registry images

Defender for Cloud lets you remediate vulnerabilities in container images while they're still stored in the registry, by using the Container registry images should have vulnerability findings resolved (powered by MDVM) recommendation.

Within the recommendation, resources are grouped into tabs:

  • Healthy resources – relevant resources, which either aren't impacted or on which you've already remediated the issue.
  • Unhealthy resources – resources that are still impacted by the identified issue.
  • Not applicable resources – resources for which the recommendation can't give a definitive answer. The not applicable tab also includes reasons for each resource.

If you are using Defender CSPM, first review and remediate vulnerabilities exposed via attack paths, as they pose the greatest risk to your security posture. Then view and remediate vulnerabilities for running images, and finally use the procedures described here to view, remediate, prioritize, and monitor vulnerabilities in your registry images.

View vulnerabilities on a specific container registry

  1. Open the Recommendations page, using the > arrow to open the sublevels. If issues were found, you'll see the recommendation Container registry images should have vulnerability findings resolved (powered by MDVM). Select the recommendation.

    Screenshot showing the line for recommendation container registry images should have vulnerability findings resolved.

  2. The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images ("affected resources") and the remediation steps. Select the affected registry.

    Screenshot showing the recommendation details and affected registries.

  3. This opens the registry details with a list of repositories in it that have vulnerable images. Select the affected repository to see the images in it that are vulnerable.

    Screenshot showing where to select the specific repository.

  4. The repository details page opens. It lists all vulnerable images in that repository, with the distribution of vulnerability severities for each image. Select the unhealthy image to see its vulnerabilities.

    Screenshot showing where to select the unhealthy image.

  5. The list of vulnerabilities for the selected image opens. To learn more about a finding, select the finding.

    Screenshot showing the list of findings on the specific image.

  6. The vulnerability details pane opens. This pane includes a detailed description of the issue, links to external resources that help mitigate the threat, the affected resources, and the software version that resolves the vulnerability.

    Screenshot showing the details of the finding on the specific image.

View images affected by a specific vulnerability

  1. Open the Recommendations page. If issues were found, you'll see the recommendation Container registry images should have vulnerability findings resolved (powered by MDVM). Select the recommendation.

    Screenshot showing the line for recommendation container registry images should have vulnerability findings resolved.

  2. The recommendation details page opens with additional information. This information includes the list of vulnerabilities impacting the images. Select the specific vulnerability.

    Screenshot showing the list of vulnerabilities impacting the images.

  3. The vulnerability finding details pane opens. This pane includes a detailed description of the vulnerability, the images affected by it, links to external resources that help mitigate the threat, and the software version that resolves the vulnerability.

    Screenshot showing the list of images impacted by the vulnerability.

Remediate vulnerabilities

Use these steps to remediate each of the affected images found either in a specific cluster or for a specific vulnerability:

  1. Follow the steps in the remediation section of the recommendation pane.

  2. When you've completed the steps required to remediate the security issue, replace each affected image in your registry (or each image affected by a specific vulnerability):

    1. Build a new image (including updates for each of the packages) that resolves the vulnerability according to the remediation details.
    2. Push the updated image to trigger a scan, and delete the old image. It might take up to 24 hours for the previous image to be removed from the results and for the new image to be included in them.

  3. Check the Recommendations page for the recommendation Container registry images should have vulnerability findings resolved (powered by MDVM). If the recommendation still appears and the image you've handled is still listed among the vulnerable images, check the remediation steps again.
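The rebuild, push and delete sequence above as an added shell example (not Microsoft's own tooling or part of this page); it assumes an Azure Container Registry, a logged-in Azure CLI and Docker, and a Dockerfile that already carries the package updates from the recommendation's remediation details. Registry, repository and tag values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Microsoft's tooling): rebuild a vulnerable image, push the fixed
# build so Defender for Cloud rescans it, then delete the old tag from the registry.
# Assumes the Azure CLI is logged in and the Dockerfile in CONTEXT already carries the
# package updates from the recommendation's remediation details.
set -eu

# DRY_RUN=1 prints each command instead of executing it, so the plan can be reviewed
# before anything in the registry is touched (and the script can be checked offline).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Bump the last component of a dotted numeric tag (1.4.2 -> 1.4.3, 7 -> 8).
# Refuses anything else, so a non-versioned tag such as "latest" is never overwritten.
next_tag() {
  local tag="$1" head last
  case "$tag" in
    ''|*[!0-9.]*|.*|*.|*..*) echo "next_tag: '$tag' is not a dotted numeric version" >&2; return 1 ;;
  esac
  head="${tag%.*}"; last="${tag##*.}"
  if [ "$head" = "$tag" ]; then echo "$((last + 1))"; else echo "$head.$((last + 1))"; fi
}

# remediate_image REGISTRY REPOSITORY OLD_TAG NEW_TAG [CONTEXT_DIR]
remediate_image() {
  local registry="$1" repo="$2" old_tag="$3" new_tag="$4" context="${5:-.}"
  local new_ref="$registry.azurecr.io/$repo:$new_tag"
  # 1. Build the fixed image; the Dockerfile carries the package updates.
  run docker build -t "$new_ref" "$context"
  # 2. Push it: the push triggers a fresh vulnerability scan of the new image.
  run docker push "$new_ref"
  # 3. Only after the push succeeded, remove the old tag so the vulnerable image no
  #    longer sits in the registry. The recommendation can take up to 24 hours to
  #    drop the old image from its results and list the new one.
  run az acr repository delete --name "$registry" --image "$repo:$old_tag" --yes
}

# Usage: REGISTRY=contoso REPO=web OLD_TAG=1.4.2 CONTEXT=./web sh remediate.sh
if [ -n "${REGISTRY:-}" ]; then
  remediate_image "$REGISTRY" "$REPO" "$OLD_TAG" "$(next_tag "$OLD_TAG")" "${CONTEXT:-.}"
fi
```

Run it once with DRY_RUN=1 to confirm the three commands target the intended registry, repository and tags before running it for real.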

Next steps