In today’s digital landscape, containerization is essential for modern application development, but it also expands the attack surface with risks like vulnerabilities in base images, misconfigurations, and malicious code injections.
Securing containers across their lifecycle is critical. Microsoft Defender for Cloud delivers end-to-end protection, evaluating threats at every stage—from development to runtime. Recent advancements further strengthen container security, making it a vital solution for safeguarding applications throughout the software development lifecycle (SDLC).
Container software development lifecycle
The lifecycle of containers involves several stages, during which the container evolves through different software artifacts.
Figure 1: Container software supply chain
- It all starts with a container file or Docker script file, created or edited by a developer in the development phase and submitted to the code repository.
- The script file is converted into a container image during the build phase via the CI/CD pipeline and pushed to a container registry as part of the ship phase.
- When a container image is deployed into a Kubernetes cluster, it becomes running, ephemeral container instances, marking the transition to the runtime phase.
A container may encounter numerous challenges throughout its transition from development to runtime. Ensuring its security requires maintaining visibility, mitigating risks, and implementing remediation measures at each stage of its journey.
Microsoft Defender for Cloud's latest advancements in container security assist in securing your container's journey and safeguarding your containerized environments.
Command line interface (CLI) tool for container image scanning at the build phase, now in public preview
Integrating security into every phase of your software development is crucial.
To effectively incorporate container security evaluation early in the container lifecycle, particularly during the development phase, and to seamlessly integrate it into diverse DevSecOps ecosystems, the use of a Command Line Interface (CLI) is essential.
This new capability of Microsoft Defender for Cloud provides an alternative method for assessing container images for security findings. Available through a CLI abstraction layer, it allows seamless integration into any tool or process, independently of the Microsoft Defender for Cloud portal.
Key purposes of the Microsoft Defender for Cloud CLI:
- Expanding container security to cover the development phase, code repository phase, and CI/CD phase:
  - Development phase: Developers can scan container images locally on Windows, Linux, or macOS using PowerShell or any scripting terminal.
  - Code repository phase: Integrate the CLI into code repositories with webhook integrations such as GitHub Actions to scan, and potentially abort, pull requests based on findings.
  - CI/CD phase: Scan container images in the CI/CD pipeline to detect and block vulnerabilities during the build stage.
- Invoke scanning on-demand for specific container images.
- Integrate easily into existing DevSecOps processes and tools.
For more details, watch the CLI demo.
How it works
Microsoft Defender for Cloud CLI requires authentication through API tokens. These tokens are managed via the Integrations section in the Microsoft Defender for Cloud Portal, by Security Administrators.
Figure 3: API push tokens management
The CLI supports Microsoft proprietary and third-party engines like Trivy, enabling vulnerability assessment of container images and generating results in SARIF format. It integrates with Microsoft Defender for Cloud for further analysis and helps incorporate security guardrails early in development. Additionally, it provides visibility into the security posture of container artifacts from code to runtime, together with the context needed to remediate security issues, such as the artifact owner and repository of origin.
For more details, setup guides, and use cases, please refer to the official documentation.
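The CI/CD gating described in the CLI section above and the SARIF output described under "How it works" can be combined into a build gate. The following script is an added example, not code from the post or from Microsoft; it parses a constructed SARIF 2.1.0 log (placeholder rule ids, not real scanner output), scores each result, and exits non-zero when any finding reaches the threshold. The `security-severity` rule property and the level-to-score fallback are assumptions about the producer's output, not documented Defender for Cloud behaviour.

```python
import json
import sys

# Fallback when a rule carries no numeric score: SARIF level -> CVSS-like value (assumed mapping).
LEVEL_SCORE = {"error": 9.0, "warning": 5.0, "note": 2.0, "none": 0.0}

# Constructed SARIF 2.1.0 sample, not real Defender for Cloud or Trivy output; rule ids are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EXAMPLE-CVE-0001", "properties": {"security-severity": "9.8"}},
            {"id": "EXAMPLE-CVE-0002", "properties": {"security-severity": "4.3"}},
            {"id": "EXAMPLE-MISCONFIG-0001"}]}},
        "results": [
            {"ruleId": "EXAMPLE-CVE-0001", "level": "error",
             "message": {"text": "vulnerable package in base image"}},
            {"ruleId": "EXAMPLE-CVE-0002", "level": "warning",
             "message": {"text": "vulnerable package, fix available"}},
            {"ruleId": "EXAMPLE-MISCONFIG-0001", "level": "warning",
             "message": {"text": "container runs as root"}}]}]})


def findings(sarif_text):
    """Return [(rule_id, severity, message)] for every result in every run of the log."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r.get("id"): r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            # Prefer the rule's numeric security-severity property; otherwise use the SARIF level.
            props = rules.get(rule_id, {}).get("properties", {})
            if "security-severity" in props:
                sev = float(props["security-severity"])
            else:
                sev = LEVEL_SCORE.get(res.get("level", "warning"), 5.0)
            out.append((rule_id, sev, res.get("message", {}).get("text", "")))
    return out


def blocking_findings(sarif_text, threshold=7.0):
    """Findings at or above the threshold; a non-empty list means the pipeline should fail."""
    return [f for f in findings(sarif_text) if f[1] >= threshold]


if __name__ == "__main__":
    # In a pipeline, pass the scanner's SARIF file path; without one the embedded sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    blockers = blocking_findings(text)
    for rule_id, sev, msg in blockers:
        print(f"BLOCK {rule_id} severity={sev}: {msg}")
    sys.exit(1 if blockers else 0)
```

A pipeline step that runs this after the scan step fails the build on the exit status, which is how a pull request or build stage gets aborted on findings.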
Vulnerability assessment of container images in third-party registries, now in public preview
Container registries are centralized repositories used to store container images for the ship phase, prior to deployment to Kubernetes clusters. They play an essential role in the container software supply chain, and assessing container images for vulnerabilities at this phase may be the last chance to prevent vulnerable images from reaching your production runtime environments.
Many organizations use a mix of cloud-native (ACR, ECR, GCR, GAR) and third-party container registries. To enhance coverage, Microsoft Defender for Cloud now offers vulnerability assessment for third-party registries like Docker Hub and JFrog Artifactory.
These are popular third-party container registries. You can now integrate them into your Microsoft Defender for Cloud tenant to scan container images for security vulnerabilities, improving your organization's coverage of the container software supply chain.
This integration offers key benefits:
- Automated vulnerability scanning: Automatically scans container images for known vulnerabilities, helping identify and fix security issues early.
- Continuous monitoring: Ensures that new vulnerabilities are promptly detected and addressed.
- Compliance management: Assists organizations in maintaining compliance by providing detailed security posture reports on container images and resources.
- Actionable security recommendations: Provides recommendations based on best practices to improve container security.
Figure 4: Docker Hub & JFrog Artifactory environments
Figure 5: JFrog Artifactory container images in Security Explorer
To learn more, please refer to the official documentation for Docker Hub and JFrog Artifactory.
Azure Kubernetes Service (AKS) security dashboard for cluster admin view, now in public preview, provides granular visibility into container security directly within the AKS portal
Microsoft Defender for Cloud aims to provide security insights relevant to each audience in the context of their existing tools and processes, helping the various roles prioritize security and build secure software applications, which is essential to ensuring container security across the SDLC.
To learn more, please explore the AKS Security Dashboard.
Conclusion
Microsoft Defender for Cloud introduces groundbreaking advancements in container security, providing a robust framework to protect containerized applications. With integrated vulnerability assessment, malware detection, and comprehensive security insights, organizations can strengthen their security posture across the software development lifecycle (SDLC).
These enhancements simplify security management, ensure compliance, and offer risk prioritization and visibility tailored to different audiences and roles.
Explore the latest innovations in Microsoft Defender for Cloud to safeguard your containerized environments: New Innovations in Container Security with Unified Visibility and Investigations.
Updated Mar 04, 2025
Version 1.0
Beatriss_Kovernaig, Microsoft