Azure subscriptions have container image vulnerability assessment enabled for Azure Container Registry via Microsoft Defender for Cloud (the ContainerRegistriesVulnerabilityAssessments extension of the Defender for Containers plan). Images pushed to registries are scanned for known vulnerabilities (CVEs) in their OS packages and application dependencies.
Risk
Without registry scanning, images carrying known CVEs can be pulled and run unnoticed, giving an attacker a foothold for remote code execution, privilege escalation and lateral movement. This undermines the confidentiality and integrity of the data the workload handles and can degrade availability through cryptomining or service disruption.
prowler azure --checks defender_container_images_scan_enabled
Recommendation
Enable Defender for Cloud vulnerability assessment for container registries and adopt shift-left scanning (scan images in CI before they are pushed).
- Block deployment of images with high-severity findings
- Rebuild from patched base images regularly
- Enforce least privilege on registry access
- Use image signing and admission controls
Remediation
az rest --method put --url https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/pricings/Containers?api-version=2023-01-01 --body '{"properties":{"pricingTier":"Standard","extensions":[{"name":"ContainerRegistriesVulnerabilityAssessments","isEnabled":true}]}}'
- In Azure Portal, open Microsoft Defender for Cloud
- Go to Environment settings and select your subscription
- Open Settings (or Defender plans)
- Find Containers and set Plan to On/Standard
- Enable Container registries vulnerability assessments
- Click Save
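The following is an added example, not Prowler's own check code and not from Microsoft's documentation. It evaluates the Microsoft.Security/pricings object for the Containers plan the same way the check above does (Standard tier plus the ContainerRegistriesVulnerabilityAssessments extension enabled) and builds the PUT body for the az rest remediation. The pricing objects below are constructed samples in the shape the API returns; note that the API reports isEnabled as the strings "True"/"False", so the code accepts both strings and booleans. Because a PUT on the pricing resource replaces the plan configuration, the remediation body carries over any other extensions instead of dropping them; the function names are this example's own.

```python
"""Evaluate and remediate Defender for Containers registry scanning (added example).

No Azure call is made here: the inputs are constructed sample responses of
GET .../providers/Microsoft.Security/pricings/Containers?api-version=2023-01-01
"""
import json

EXTENSION = "ContainerRegistriesVulnerabilityAssessments"
API_VERSION = "2023-01-01"


def _truthy(value) -> bool:
    """The pricings API returns isEnabled as "True"/"False" strings; accept bools too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def registry_scanning_enabled(pricing: dict) -> bool:
    """True only when the Containers plan is Standard AND the registry VA extension is on."""
    props = pricing.get("properties", {})
    if props.get("pricingTier") != "Standard":
        return False  # Free tier: no Defender for Containers, so no registry assessment
    for ext in props.get("extensions", []):
        if ext.get("name") == EXTENSION:
            return _truthy(ext.get("isEnabled"))
    return False  # plan is Standard but the extension is absent (treated as disabled)


def pricing_url(subscription_id: str) -> str:
    """URL used by the az rest remediation command."""
    return (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/providers/Microsoft.Security/pricings/Containers?api-version={API_VERSION}"
    )


def remediation_body(pricing: dict) -> dict:
    """Build the PUT body: force Standard tier, enable the extension, keep the others.

    PUT replaces the plan configuration, so extensions that are not listed would
    fall back to defaults; copying them over avoids silently changing them.
    """
    props = pricing.get("properties", {})
    others = [e for e in props.get("extensions", []) if e.get("name") != EXTENSION]
    return {
        "properties": {
            "pricingTier": "Standard",
            "extensions": others + [{"name": EXTENSION, "isEnabled": "True"}],
        }
    }


# Constructed sample pricing objects (not captured from a real tenant).
SAMPLES = {
    "free_tier": {"properties": {"pricingTier": "Free"}},
    "standard_ext_off": {
        "properties": {
            "pricingTier": "Standard",
            "extensions": [
                {"name": "AgentlessDiscoveryForKubernetes", "isEnabled": "True"},
                {"name": EXTENSION, "isEnabled": "False"},
            ],
        }
    },
    "standard_ext_on": {
        "properties": {
            "pricingTier": "Standard",
            "extensions": [{"name": EXTENSION, "isEnabled": True}],
        }
    },
    "standard_no_extensions": {"properties": {"pricingTier": "Standard"}},
}


def evaluate_all() -> dict:
    """Map each sample name to PASS/FAIL, as a check report would."""
    return {n: ("PASS" if registry_scanning_enabled(p) else "FAIL") for n, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in evaluate_all().items():
        print(f"{name:24s} {status}")
    body = remediation_body(SAMPLES["standard_ext_off"])
    print("az rest --method put --url", pricing_url("<SUBSCRIPTION_ID>"),
          "--body", json.dumps(body))
```

Run the script to see which sample would pass the check and the exact az rest remediation line for the failing one; the body printed keeps the unrelated AgentlessDiscoveryForKubernetes extension enabled rather than resetting it.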
Resource Type
microsoft.security/pricings
References
- https://learn.microsoft.com/en-us/azure/container-registry/scan-images-defender
- https://learn.microsoft.com/en-us/azure/container-registry/container-registry-check-health
- https://learn.microsoft.com/en-us/troubleshoot/azure/azure-container-registry/image-vulnerability-assessment
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AKS/enable-image-vulnerability-scanning.html