Review & Remediate Vulnerabilities for Registry Images

Implementation Effort: Medium
This task involves enabling vulnerability assessments, reviewing CVE findings in container registries, and coordinating with DevOps teams to patch or rebuild affected images.

User Impact: Low
Only security and DevOps teams are involved in reviewing and remediating vulnerabilities in registry images; end users are not affected.

Overview

Microsoft Defender for Containers provides vulnerability assessments for container images stored in registries, such as Azure Container Registry (ACR). These assessments help identify Common Vulnerabilities and Exposures (CVEs) in images before they are deployed, allowing teams to remediate issues early in the container lifecycle.

To review and remediate vulnerabilities:

• Go to Microsoft Defender for Cloud > Recommendations.
• Look for the recommendation: "Container images in Azure registry should have vulnerability findings resolved".
• Select the recommendation to open the details page.
• Under the Findings tab, review the list of vulnerabilities (CVEs) affecting each image.
• For each CVE, view:
  • Affected images
  • Software versions that resolve the issue
  • External links for patching guidance
• Remediate by:
  • Updating base images or dependencies
  • Rebuilding and pushing updated images to the registry
  • Automating this process in CI/CD pipelines

This process supports the Zero Trust principle of "Verify Explicitly" by ensuring that only validated, vulnerability-free images are deployed into production environments.

Risks if not implemented: If registry images are not regularly scanned and remediated, vulnerable containers may be deployed, increasing the risk of exploitation and supply chain attacks.

Reference

• View and remediate vulnerability assessment findings for registry images (risk-based)
• View and remediate vulnerabilities for registry images (secure score)
• Vulnerability assessments for Defender for Containers supported environments