C-0243 - Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider
Prerequisites
Integrate with cloud provider
Framework
cis-aks-t1.2.0
Severity
Medium
Description of the issue
Vulnerabilities in software packages can be exploited by hackers or malicious users to obtain unauthorized access to local cloud resources. Azure Defender and other third party products allow images to be scanned for known vulnerabilities.
Related resources
What does this control test
Scan images being deployed to Azure (AKS) for vulnerabilities.
Vulnerability scanning for images stored in Azure Container Registry is generally available in Azure Security Center. This capability is powered by Qualys, a leading provider of information security.
When you push an image to Container Registry, Security Center automatically scans it, then checks for known vulnerabilities in packages or dependencies defined in the file.
When the scan completes (after about 10 minutes), Security Center provides details and a security classification for each vulnerability detected, along with guidance on how to remediate issues and protect vulnerable attack surfaces.
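The following is an added example, not Kubescape's own check and not the Azure API: it applies this control's logic offline to a constructed snapshot of a Defender pricing record and per-image scan results. The record shape (`name`, `pricingTier`), the `ImageScan` fields and the placeholder finding ids are all assumptions made for illustration; the one behaviour worth noting is that an image with no scan result fails, because the default state is "not scanned".

```python
"""Evaluate control C-0243 offline against a constructed snapshot of scan data."""
from dataclasses import dataclass, field

# Severity classes per finding; the ranking decides what blocks a deployment.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class ImageScan:
    image: str                                    # registry/repo@digest
    status: str                                   # "Healthy", "Unhealthy" or "NotScanned"
    findings: list = field(default_factory=list)  # (finding id, severity) pairs


def defender_scanning_enabled(pricing: dict) -> bool:
    """Images are only scanned when the Defender container plan is on the Standard tier.
    The pricing record shape is assumed here, not taken from the Azure API."""
    return pricing.get("name") == "Containers" and pricing.get("pricingTier") == "Standard"


def evaluate_image(scan: ImageScan, block_at: str = "High") -> tuple[bool, str]:
    """Gate one image: an unscanned image fails (no result is not a clean result),
    and any finding at or above `block_at` fails."""
    if scan.status == "NotScanned":
        return False, f"{scan.image}: no scan result, treated as unscanned"
    threshold = SEVERITY_RANK[block_at]
    blocking = [fid for fid, sev in scan.findings if SEVERITY_RANK[sev] >= threshold]
    if blocking:
        return False, f"{scan.image}: {len(blocking)} finding(s) at/above {block_at}: {', '.join(blocking)}"
    return True, f"{scan.image}: ok, {len(scan.findings)} finding(s) below {block_at}"


def evaluate_control(pricing: dict, scans: list, block_at: str = "High") -> dict:
    """Control verdict: the plan is enabled AND every deployed image passes the gate."""
    reasons = []
    if not defender_scanning_enabled(pricing):
        reasons.append("Defender container plan is not on the Standard tier; images are not scanned")
    for scan in scans:
        ok, why = evaluate_image(scan, block_at)
        if not ok:
            reasons.append(why)
    return {"passed": not reasons, "reasons": reasons}


# Constructed sample input: placeholder digests and finding ids, not real advisories.
SAMPLE_PRICING = {"name": "Containers", "pricingTier": "Standard"}
SAMPLE_SCANS = [
    ImageScan("myacr.azurecr.io/web@sha256:aaa", "Unhealthy", [("CVE-0000-0001", "Critical"), ("CVE-0000-0002", "Low")]),
    ImageScan("myacr.azurecr.io/api@sha256:bbb", "Healthy", []),
    ImageScan("myacr.azurecr.io/job@sha256:ccc", "NotScanned"),
]
```

Running `evaluate_control(SAMPLE_PRICING, SAMPLE_SCANS)` fails the control with two reasons: the critical finding on the web image and the missing scan for the job image.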
How to check it manually
Remediation
Impact Statement
When using an Azure container registry, you might occasionally encounter problems. For example, you might not be able to pull a container image because of an issue with Docker in your local environment. Or, a network issue might prevent you from connecting to the registry.
Default Value
Images are not scanned by default.
Example
No example