C-0243 - Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider

Prerequisites

Integrate with cloud provider (see here)

Framework

cis-aks-t1.2.0

Severity

Medium

Description of the issue

Vulnerabilities in software packages can be exploited by hackers or malicious users to obtain unauthorized access to local cloud resources. Azure Defender and other third party products allow images to be scanned for known vulnerabilities.

Related resources

What does this control test

Scan images being deployed to Azure (AKS) for vulnerabilities.

Vulnerability scanning for images stored in Azure Container Registry is generally available in Azure Security Center. This capability is powered by Qualys, a leading provider of information security.

When you push an image to Container Registry, Security Center automatically scans it and checks the packages and dependencies it contains against known vulnerabilities.

When the scan completes (after about 10 minutes), Security Center provides details and a security classification for each vulnerability detected, along with guidance on how to remediate issues and protect vulnerable attack surfaces.
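Registry image scanning is driven by the Defender for Containers plan on the subscription, so the quickest manual check for this control is the plan's pricing tier. The script below is an added example, not part of this control page or the Kubescape project; it assumes `az security pricing show --name Containers` returns JSON with a `pricingTier` field whose value is `Free` or `Standard`, and it uses constructed sample output so the logic can be exercised without a subscription.

```shell
#!/bin/sh
# Added example: decide whether the Defender plan that powers ACR image
# scanning is enabled. Assumption: `az security pricing show --name Containers`
# returns JSON containing "pricingTier": "Free" | "Standard".

# Extract the pricingTier value from a JSON document read on stdin.
extract_tier() {
  sed -n 's/.*"pricingTier"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Map the tier to the control result: prints PASS/FAIL, returns 0/1.
evaluate_tier() {
  case "$1" in
    Standard) echo "PASS: Defender plan enabled; pushed images are scanned"; return 0 ;;
    *)        echo "FAIL: tier '${1:-unknown}'; images are not scanned by default"; return 1 ;;
  esac
}

# Constructed sample responses (not captured from a real subscription).
SAMPLE_FREE='{"name":"Containers","pricingTier":"Free"}'
SAMPLE_STD='{"name":"Containers","pricingTier":"Standard"}'

# Live check against the current subscription, if the az CLI is present.
check_live() {
  command -v az >/dev/null 2>&1 || { echo "az CLI not found"; return 2; }
  tier=$(az security pricing show --name Containers -o json | extract_tier)
  evaluate_tier "$tier"
}

# Demonstrate the evaluation on the constructed samples.
for sample in "$SAMPLE_FREE" "$SAMPLE_STD"; do
  evaluate_tier "$(printf '%s' "$sample" | extract_tier)" || true
done
```

Run `check_live` from an authenticated `az` session to evaluate the real subscription; a `Free` tier maps to the control's default state, in which images are not scanned.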

How to check it manually

Remediation

Impact Statement

When using an Azure container registry, you might occasionally encounter problems. For example, you might not be able to pull a container image because of an issue with Docker in your local environment. Or, a network issue might prevent you from connecting to the registry.

Default Value

Images are not scanned by Default.

Example

No example