Disable Specific Vulnerability Findings

Implementation Effort: Low
Disabling specific vulnerability findings is a targeted administrative task that can be performed directly in the Defender for Cloud portal without requiring infrastructure changes.

User Impact: Low
This action is limited to security administrators and does not affect end users or application functionality.

Overview

Microsoft Defender for Containers allows organizations to disable specific vulnerability findings when remediation is not feasible or necessary. This helps reduce alert fatigue and focus attention on actionable risks. Disabling findings ensures they do not impact the secure score or appear in vulnerability reports.

Typical use cases include:

• Findings with low severity that are accepted risks.
• Vulnerabilities in images that vendors will not fix.
• Findings in legacy systems that are isolated or scheduled for decommissioning.

To disable findings:

1. Navigate to the recommendation (e.g., "Container registry images should have vulnerability findings resolved" or "Containers running in Azure should have vulnerability findings resolved").
2. Select Disable rule.
3. Define the scope (subscription, resource group, or specific resource).
4. Set criteria such as:
   • CVE ID (e.g., CVE-2020-1347)
   • Image digest (e.g., sha256:abc123...)
   • OS version (e.g., ubuntu_linux_20.04)
   • Minimum severity (e.g., exclude findings below "High")
   • Fix status (e.g., exclude findings with no available fix)

This supports the Zero Trust principle of "Verify Explicitly" by allowing organizations to document and control exceptions while maintaining visibility into accepted risks.

Risks if not implemented: Without this capability, teams may be overwhelmed by non-actionable findings, leading to alert fatigue and potential oversight of critical issues.

Reference

• Create exemptions and disable vulnerability assessment findings
• Disable vulnerability findings (Secure Score)