Evaluates whether image scanning is enabled in Security Center (SAS) and no unfixed image vulnerabilities exist. If both conditions are met, the resource is evaluated as Compliant.
Scenarios
Use this rule to ensure image vulnerabilities are fixed promptly and improve overall system security.
Risk level
Default risk level: medium.
You can change the risk level when you configure this rule.
Compliance evaluation logic
- If image scanning is enabled in SAS and no unfixed image vulnerabilities exist, the resource is evaluated as Compliant.
- If image scanning is disabled in SAS, the resource is evaluated as Incompliant. If image scanning is enabled but unfixed vulnerabilities exist, the resource is also evaluated as Non-compliant. For more information about how to remediate a non-compliant configuration, see Incompliance remediation.
- This rule does not apply when image scanning is disabled or no vulnerability information is available because no scan has been performed.
Rule details
| Item | Description |
| Rule name | security-center-image-vul-check |
| Rule identifier | security-center-image-vul-check |
| Tag | SecurityCenter |
| Automatic remediation | Not supported |
| Trigger type | Periodic execution |
| Evaluation frequency | Interval of 24 hours |
| Supported resource type | All resources |
| Input parameter | None |
Incompliance remediation
Enable the image scan feature in SAS and fix all image vulnerabilities. For more information, see Container image scan.