Azure Defender is set to Off for container registries
Description
Azure Defender is a cloud workload protection service that uses an agent-based deployment to analyze signals from the Azure network fabric and the service control plane in order to detect threats across all Azure resources. It can also analyze non-Azure resources through Azure Arc, including on-premises resources and resources in AWS and GCP once they have been onboarded.
Azure Defender for container registries includes a vulnerability scanner that scans the images in Azure Resource Manager-based Azure Container Registry registries and provides deeper visibility into image vulnerabilities.
Fix - Buildtime
Terraform
- Resource: azurerm_security_center_subscription_pricing
- Argument: resource_type - (Required) The resource type this setting affects. Ensure that ContainerRegistry is declared to pass this check.
# resource_type accepts a single resource type per resource, so one
# azurerm_security_center_subscription_pricing resource is created per type;
# the ContainerRegistry entry is the one that satisfies this check.
resource "azurerm_security_center_subscription_pricing" "example" {
  for_each = toset([
    "AppServices", "ContainerRegistry", "KeyVaults", "KubernetesService",
    "SqlServers", "SqlServerVirtualMachines", "StorageAccounts",
    "VirtualMachines", "ARM", "DNS",
  ])

  tier          = "Standard"
  resource_type = each.key
}
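The following is an added example, not Checkov's or the page's own code, showing how this check can be evaluated over the pricing resources in a Terraform plan. The plan dicts are constructed inline in a simplified shape resembling `terraform show -json` output (planned_values.root_module.resources), and the function names are assumptions.

```python
"""Evaluate 'Azure Defender enabled for container registries' over
azurerm_security_center_subscription_pricing resources in a plan dict."""

PRICING_TYPE = "azurerm_security_center_subscription_pricing"
REQUIRED_RESOURCE_TYPE = "ContainerRegistry"
REQUIRED_TIER = "Standard"


def pricing_resources(plan):
    """Yield the Security Center pricing resources found in a plan dict."""
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    return [r for r in resources if r.get("type") == PRICING_TYPE]


def defender_enabled_for(plan, resource_type=REQUIRED_RESOURCE_TYPE):
    """Return (passed, reason).

    Passes only if some pricing resource sets resource_type to exactly the
    wanted type with tier Standard. The provider takes one resource type per
    resource, so a comma-separated list never matches and is reported as a
    finding rather than silently accepted.
    """
    seen = []
    for res in pricing_resources(plan):
        values = res.get("values", {})
        rtype, tier = values.get("resource_type", ""), values.get("tier", "")
        seen.append((res.get("name"), rtype, tier))
        if rtype == resource_type and tier == REQUIRED_TIER:
            return True, f"{res['name']} enables Defender ({tier}) for {resource_type}"
    return False, (f"no pricing resource with resource_type={resource_type} "
                   f"and tier={REQUIRED_TIER}; found {seen}")


# Constructed sample plans (not real terraform output) ------------------------
def _plan(*resources):
    return {"planned_values": {"root_module": {"resources": list(resources)}}}


def _pricing(name, resource_type, tier):
    return {"type": PRICING_TYPE, "name": name,
            "values": {"resource_type": resource_type, "tier": tier}}


PLAN_FREE_TIER = _plan(_pricing("acr", "ContainerRegistry", "Free"))            # fails
PLAN_COMMA_LIST = _plan(_pricing("all", "AppServices,ContainerRegistry", "Standard"))  # fails
PLAN_OK = _plan(_pricing("vms", "VirtualMachines", "Standard"),
                _pricing("acr", "ContainerRegistry", "Standard"))               # passes

if __name__ == "__main__":
    for label, plan in [("free tier", PLAN_FREE_TIER), ("comma list", PLAN_COMMA_LIST), ("ok", PLAN_OK)]:
        ok, why = defender_enabled_for(plan)
        print(f"{label:10} -> {'PASS' if ok else 'FAIL'}: {why}")
```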