Vulnerability management for containers - Microsoft Defender for Cloud (original) (raw)

Microsoft Defender for Cloud uses Microsoft Defender Vulnerability Management (MDVM) to identify vulnerabilities in registry images and in container images used by running containers in supported Kubernetes environments. Findings are surfaced as security recommendations in Microsoft Defender for Cloud.

Note

Microsoft Defender for Cloud is transitioning from grouped container vulnerability recommendations to individual recommendations. During the transition, grouped and individual recommendations might appear side by side in the portal. Learn more about transitioning from grouped to individual recommendations.

Container vulnerability assessment is available through Defender for Containers and, for supported scenarios, Defender CSPM. When Defender CSPM is enabled, container vulnerability recommendations can include contextual risk signals and risk-based prioritization.

Registry vulnerability assessment

Registry vulnerability assessment identifies vulnerabilities in container images stored in supported registries before deployment.

Supported registries include:

• Azure Container Registry (ACR)
• Amazon Elastic Container Registry (ECR)
• Google Artifact Registry (GAR)
• Google Container Registry (GCR)
• Configured external registries, such as Docker Hub and JFrog Artifactory

Registry vulnerability assessment requires Registry access to be enabled.

Registry scanning support

Registry scanning supports:

• OS package vulnerability assessment (Linux and Windows)
• Language package vulnerability assessment (Linux only)

For the full list of supported operating systems, package types, registries, and clouds, see the Defender for Containers support matrix.

Runtime scanning for running containers

Runtime container vulnerability assessment evaluates container images used by running containers in supported Kubernetes environments.

There are two runtime scenarios:

• Runtime findings with registry context: Registry-scanned images are mapped to running workloads in the cluster.
  • Requires Registry access and either K8S API access or Defender sensor.
• Registry-agnostic runtime scanning: Images are collected directly from the runtime environment and scanned regardless of the originating registry.
  • Requires Agentless scanning for machines and either Kubernetes API access or Defender sensor.

Runtime assessment can include:

• Customer-owned containers
• Kubernetes add-ons
• Third-party tools running in the cluster

Although runtime assessment can be registry-agnostic, connecting supported registries helps preserve image and repository context for remediation workflows.

Note

Runtime vulnerability assessment scans container images that are running in the cluster. It doesn't scan the container runtime layer.

Runtime vulnerability assessment isn't supported for container images running on Windows nodes or nodes that use AKS ephemeral OS disks. Autoscale-configured AKS clusters might provide partial or no results if any cluster nodes are down at the time of scan.

Scanning behavior and timing

Scanning and workload discovery are asynchronous processes.

For registry vulnerability assessment:

• Newly pushed or imported images are typically scanned within a few hours.
• A daily rescan updates findings for:
  • Images pushed in the last 30 days
  • Images pulled in the last 30 days
  • Images currently running in Kubernetes clusters monitored by Defender for Cloud

For runtime vulnerability assessment:

• Running containers are inventoried approximately every 24 hours when using agentless discovery.
• When using the Defender sensor, inventory updates occur near real time.

Because inventory discovery and vulnerability analysis run on separate cycles, it can take time for newly deployed or updated images to be fully reflected in recommendations.

Deleted images

When an image is deleted from Azure Container Registry, ACR notifies Defender for Cloud. Vulnerability assessment findings for deleted images are usually removed within one hour. In rare cases, Defender for Cloud might not receive the deletion notification immediately, and removal of associated vulnerability findings might take up to three days.

Deleting only a tag might not delete the underlying image manifest. To learn more about deleting images from ACR, see Delete container images in Azure Container Registry.

Related content

• Enable Defender for Containers
• Enable Defender CSPM
• View and remediate vulnerabilities for registry images
• View and remediate vulnerabilities for running containers
• Review access patterns and private cluster support for container vulnerability assessment
• Review network access and permissions requirements for Defender for Containers