
Enable Image Vulnerability Scanning

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that image vulnerability scanning is enabled for your Azure Kubernetes Service (AKS) clusters to help detect vulnerabilities in container images, ensure compliance with security standards, and protect your clusters from potential threats. Enabling Microsoft Defender for Cloud for containers (i.e., Microsoft Defender for Containers) adds a critical layer of security by proactively identifying vulnerabilities in the foundation of your containerized applications. This helps prevent attacks before they can occur.

Security

Enabling image vulnerability scanning for Azure Kubernetes Service (AKS) clusters helps proactively identify and address security vulnerabilities in your container images and language packages, reducing the risk of exploitation and protecting your applications. When you enable Microsoft Defender for Containers, it integrates security features across your containerized environments, including AKS clusters.

Audit

To determine if image vulnerability scanning is enabled for your Azure Kubernetes Service (AKS) clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to access.

05 In the left navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 On the Defender plans page, in the Cloud Workload Protection (CWP) section, check the pricing plan status displayed in the Status column for the Containers plan. If Status is set to Off for Containers, Microsoft Defender for Containers is not enabled in the selected subscription. As a result, image vulnerability scanning is disabled for your Azure Kubernetes Service (AKS) clusters.

07 Repeat steps no. 4 – 6 for each subscription created within your Microsoft Azure account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run security pricing show command (Windows/macOS/Linux) with custom output filters to describe the Microsoft Defender for Containers plan within the selected subscription:

az security pricing show \
	--name Containers \
	--query '{pricingTier:pricingTier}'

05 The command output should return the pricing tier for the Microsoft Defender for Containers plan:

{
	"pricingTier": "Free"
}

If the "pricingTier" attribute value is set to "Free", as shown in the example above, Microsoft Defender for Containers is not enabled in the selected subscription. As a result, image vulnerability scanning is disabled for your Azure Kubernetes Service (AKS) clusters.

06 Repeat steps no. 3 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable image vulnerability scanning for your Microsoft Azure Kubernetes Service (AKS) clusters, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to access.

05 In the left navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 On the Defender plans page, in the Cloud Workload Protection (CWP) section, select On in the Status column for the Containers plan to turn on Microsoft Defender for Containers in the selected subscription. This will automatically enable image vulnerability scanning for your Azure Kubernetes Service (AKS) clusters. Choose Save from the page top menu to apply the changes.

07 Repeat steps no. 4 – 6 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to access as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 To enable Microsoft Defender for Containers in the selected Azure subscription, run security pricing create command (Windows/macOS/Linux) with the --name command parameter set to Containers. This will automatically enable image vulnerability scanning for your Azure Kubernetes Service (AKS) clusters:

az security pricing create \
	--name Containers \
	--tier standard

05 The command output should return the configuration information available for the Defender for Containers plan:

{
	"deprecated": null,
	"enablementTime": "2025-03-22T18:53:20.038437+00:00",
	"extensions": [
		{
			"additionalExtensionProperties": null,
			"isEnabled": "True",
			"name": "ContainerRegistriesVulnerabilityAssessments",
			"operationStatus": null
		},
		{
			"additionalExtensionProperties": null,
			"isEnabled": "True",
			"name": "AgentlessDiscoveryForKubernetes",
			"operationStatus": {
				"code": "Succeeded",
				"message": "Successfully enabled extension"
			}
		},
		{
			"additionalExtensionProperties": {
				"ExclusionTags": "[]"
			},
			"isEnabled": "True",
			"name": "AgentlessVmScanning",
			"operationStatus": {
				"code": "Succeeded",
				"message": "Successfully enabled extension"
			}
		},
		{
			"additionalExtensionProperties": null,
			"isEnabled": "True",
			"name": "ContainerSensor",
			"operationStatus": {
				"code": "Succeeded",
				"message": "Successfully enabled extension"
			}
		},
		{
			"additionalExtensionProperties": null,
			"isEnabled": "False",
			"name": "ContainerIntegrityContribution",
			"operationStatus": null
		}
	],
	"freeTrialRemainingTime": "0:00:00",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/pricings/Containers",
	"name": "Containers",
	"pricingTier": "Standard",
	"replacedBy": null,
	"subPlan": null,
	"type": "Microsoft.Security/pricings"
}

06 Repeat steps no. 3 – 5 for each subscription available in your Microsoft Azure cloud account.
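The Azure CLI audit and remediation procedures above, chained into one script that walks every subscription instead of repeating the account set / pricing show / pricing create steps by hand. This is an added example, not Trend Micro's or Microsoft's own code. It assumes the Azure CLI is installed and signed in with a role that can read and write Microsoft.Security/pricings; the AZ_CMD variable is an indirection of this example only (not an Azure CLI feature) so a stub can stand in for az when exercising the logic offline, and the script file name in the usage comment is a placeholder. The compliance decision is the one step 05 of the Audit section describes: a "pricingTier" of "Free" means Defender for Containers, and therefore image vulnerability scanning, is off.

```shell
#!/bin/sh
# Added example (not Trend Micro's own code): report the Microsoft Defender for
# Containers tier for every subscription in the signed-in Azure account and,
# when asked, enable the Standard tier where it is Free.
#
# Assumptions: "az" is installed and signed in with rights to read/write
# Microsoft.Security/pricings. AZ_CMD is this example's own hook so a stub can
# replace "az" for offline tests; it is not an Azure CLI feature.

AZ_CMD="${AZ_CMD:-az}"

# containers_tier_status JSON
# Parses the JSON that "az security pricing show/create --name Containers"
# returns and prints ENABLED (Standard tier), DISABLED (Free tier) or UNKNOWN.
# sed instead of jq keeps the dependencies to a bare POSIX shell.
containers_tier_status() {
    tier=$(printf '%s\n' "$1" \
        | sed -n 's/.*"pricingTier":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
    case "$tier" in
        Standard) echo "ENABLED" ;;
        Free)     echo "DISABLED" ;;
        *)        echo "UNKNOWN" ;;
    esac
}

# audit_subscription SUBSCRIPTION_ID
# Pricing plans are subscription-scoped, so the subscription is made active
# first (Audit step 03), then the plan is read (step 04). Prints "<id> <status>".
audit_subscription() {
    "$AZ_CMD" account set --subscription "$1" >/dev/null \
        || { echo "$1 ERROR"; return 1; }
    json=$("$AZ_CMD" security pricing show --name Containers \
        --query '{pricingTier:pricingTier}') || { echo "$1 ERROR"; return 1; }
    echo "$1 $(containers_tier_status "$json")"
}

# remediate_subscription SUBSCRIPTION_ID
# Runs Remediation step 04 and confirms from that command's own output that
# the tier is now Standard, rather than assuming the call succeeded.
remediate_subscription() {
    "$AZ_CMD" account set --subscription "$1" >/dev/null \
        || { echo "$1 ERROR"; return 1; }
    json=$("$AZ_CMD" security pricing create --name Containers --tier standard) \
        || { echo "$1 ERROR"; return 1; }
    echo "$1 $(containers_tier_status "$json")"
}

# audit_all_subscriptions [fix]
# Lists every subscription ID (step 01), audits each, and with "fix" enables
# the plan where it is not ENABLED. Exit status is 0 only when every
# subscription ends up with the Containers plan ENABLED.
audit_all_subscriptions() {
    findings=0
    for sub in $("$AZ_CMD" account list --query '[*].id' -o tsv); do
        line=$(audit_subscription "$sub")
        echo "$line"
        case "$line" in
            *ENABLED) ;;
            *)  if [ "${1:-}" = "fix" ]; then
                    line=$(remediate_subscription "$sub")
                    echo "fixed: $line"
                    case "$line" in *ENABLED) continue ;; esac
                fi
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage (file name is a placeholder):
#   sh aks_defender_audit.sh audit      # report only
#   sh aks_defender_audit.sh audit fix  # report, then enable where Free
if [ "${1:-}" = "audit" ]; then
    audit_all_subscriptions "${2:-}"
fi
```

A non-zero exit from audit_all_subscriptions is the finding this rule reports, so the script can run unattended from a pipeline and fail the job when any subscription is still on the Free tier. The "fix" path re-reads the tier from the output of az security pricing create, so a subscription only counts as remediated when the returned "pricingTier" is "Standard", as in the example output in step 05.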

Publication date Mar 25, 2024