Microsoft Defender for Containers is Azure's unified container security solution, combining what used to be three separate products: Defender for Container Registries, Defender for Kubernetes, and parts of Defender for Cloud's container security capabilities. The consolidation is welcome -- having one product is better than three. But the consolidated product has enough features and configuration options that most teams only use a fraction of what is available.
This guide covers how to configure Defender for Containers to provide genuine security value, not just a dashboard full of unactionable alerts.
What Defender for Containers Actually Covers
The product provides three core capabilities:
Vulnerability assessment for ACR. Scans container images in Azure Container Registry for known vulnerabilities in OS packages and application dependencies. Scanning happens on push and continuously as new vulnerabilities are disclosed.
Runtime threat protection for AKS. Monitors AKS clusters for suspicious behavior including anomalous API calls, privilege escalation attempts, cryptocurrency mining, and known attack patterns. Uses a DaemonSet-based sensor deployed to each node.
Hardening recommendations. Assesses your AKS cluster configuration and ACR setup against security best practices, providing recommendations to reduce your attack surface.
Enabling and Configuring
Defender for Containers is enabled at the subscription level in Defender for Cloud. But enabling it is not the same as configuring it properly.
Enable the Defender for Containers plan. In Defender for Cloud settings, enable the Containers plan. This activates all three capabilities. You can also enable them individually if you only need a subset.
Deploy the Defender sensor. For runtime protection, Defender needs a sensor (DaemonSet) running on your AKS nodes. The easiest approach is to enable the auto-provisioning option, which deploys and updates the sensor automatically. For clusters with strict change control, you can deploy the sensor manually using the provided Helm chart.
Configure the Azure Policy add-on. Defender uses Azure Policy to enforce security recommendations on AKS. Enable the Azure Policy add-on for your AKS clusters. This allows Defender to enforce policies like blocking privileged containers, requiring resource limits, and restricting image sources.
Enable Defender for CI/CD. Defender for Containers includes a CI/CD scanning capability that analyzes container images during your build pipeline. Install the Defender extension in your Azure DevOps organization or configure the GitHub Action to scan images before they reach ACR.
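The four steps above, as one Azure CLI script. This is an added example, not code from the original article or from Microsoft's documentation; it assumes the subscription is already selected in the CLI and uses placeholder resource group and cluster names. With DRY_RUN=1 (the default) it only prints the commands it would run, so it can be reviewed before being applied.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): enable the Defender for
# Containers plan, deploy the Defender sensor, and install the Azure Policy
# add-on for one AKS cluster. Resource names are placeholders.
# DRY_RUN=1 (the default) only prints the commands; set DRY_RUN=0 to apply.

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Step 1: turn on the Containers plan for the current subscription.
enable_containers_plan() {
  run az security pricing create --name Containers --tier Standard
}

# Step 2: deploy the Defender sensor (DaemonSet) through the AKS security
# profile so that Defender for Cloud installs and updates it.
enable_defender_sensor() {
  rg="$1"; cluster="$2"
  run az aks update --resource-group "$rg" --name "$cluster" --enable-defender
}

# Step 3: install the Azure Policy add-on so Defender recommendations can be
# enforced as admission policies on the cluster.
enable_policy_addon() {
  rg="$1"; cluster="$2"
  run az aks enable-addons --resource-group "$rg" --name "$cluster" --addons azure-policy
}

# Verification: the plan tier should now read "Standard".
show_plan_tier() {
  run az security pricing show --name Containers --query pricingTier -o tsv
}

configure_cluster() {
  enable_containers_plan
  enable_defender_sensor "$1" "$2"
  enable_policy_addon "$1" "$2"
  show_plan_tier
}

# Entry point: runs only when a resource group and cluster name are given,
# e.g.  DRY_RUN=0 sh enable-defender.sh my-rg my-aks
if [ "$#" -eq 2 ]; then
  configure_cluster "$1" "$2"
fi
```

The CI/CD extension (step 4) is installed in Azure DevOps or GitHub rather than through the CLI, so it is not part of the script. Keep the plan-tier check at the end: enabling the plan is a subscription-wide setting, and a later change by someone else silently disables every capability below it.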
Vulnerability Assessment Deep Dive
Defender's vulnerability assessment is powered by Microsoft's vulnerability intelligence, which uses data from multiple sources including the National Vulnerability Database, security advisories from Linux distributions, and Microsoft's own research.
Scan coverage. Defender scans OS packages (Debian, Ubuntu, Alpine, RHEL, CentOS) and application dependencies for Node.js, Python, Java, Go, Ruby, PHP, and .NET. This is comprehensive enough for most workloads, but check whether your language runtime is covered if you use something uncommon.
Continuous re-scanning. After the initial push-time scan, Defender continuously monitors images for new vulnerabilities. When a new CVE is published, existing images are re-evaluated. This is critical -- an image that was clean last week might have critical vulnerabilities today.
Finding details. Each vulnerability finding includes the CVE ID, severity, affected package and version, fixed version (if available), and a description. Use the fixed version information to guide your remediation.
Limitations. Defender scans images pushed within the last 30 days by default. Older images in your registry may not be scanned. If you have long-lived images, ensure they are being rebuilt regularly to stay within the scanning window. Additionally, Defender does not scan images in private registries outside of ACR.
Runtime Protection Configuration
Runtime protection is where Defender for Containers delivers its most distinctive value. It monitors your AKS clusters for active threats.
Security alerts. Defender generates alerts for specific threat patterns:
- Container running a cryptocurrency miner
- Privileged container creation
- Suspicious system call patterns
- Connection to known malicious IP addresses
- Kubernetes dashboard exposed externally
- Anomalous Kubernetes API access
Alert tuning. Some alerts may be too noisy for your environment. Use suppression rules in Defender for Cloud to suppress alerts that are consistently false positives. Document why each suppression exists and review them quarterly.
Threat response. When an alert fires, have a documented response procedure. For high-severity alerts like cryptocurrency mining or container escape attempts, the procedure should include isolating the affected pod, preserving evidence, investigating the root cause, and remediating the entry point.
Coverage verification. Verify that the Defender sensor is running on all AKS nodes, including new nodes added by the cluster autoscaler. Monitor the DaemonSet status in your cluster to ensure continuous coverage.
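One way to do the coverage check as a script that a monitoring job can run on a schedule. This is an added example, not code from the original article; the DaemonSet name and namespace it defaults to are assumptions about how the sensor is deployed, so confirm them with `kubectl get ds -A` on your cluster and override them if they differ. The comparison logic is kept in its own function so it can be tested without a cluster.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): confirm the Defender sensor
# DaemonSet has a ready pod on every node, including nodes the cluster
# autoscaler has just added. DS_NAME and DS_NAMESPACE are assumptions.

DS_NAMESPACE="${DS_NAMESPACE:-kube-system}"
DS_NAME="${DS_NAME:-microsoft-defender-collector-ds}"

# Pure comparison logic, separated so it can be checked without a cluster.
# Arguments: desired sensor pods, ready sensor pods, nodes in the cluster.
# Returns 0 when every node has a ready sensor pod, 1 otherwise, and prints
# a one-line verdict describing the gap.
coverage_ok() {
  desired="$1"; ready="$2"; nodes="$3"
  if [ "$desired" -lt "$nodes" ]; then
    # Fewer pods scheduled than nodes: usually a taint the DaemonSet does not
    # tolerate, or a node pool excluded from the DaemonSet's node selector.
    echo "GAP: sensor scheduled on $desired of $nodes nodes (check taints/tolerations)"
    return 1
  fi
  if [ "$ready" -lt "$desired" ]; then
    # Scheduled but not ready: pods crashing, image pull failures, or still starting.
    echo "GAP: $ready of $desired sensor pods ready (pods crashing or still starting)"
    return 1
  fi
  echo "OK: sensor ready on all $nodes nodes"
  return 0
}

# Query the live cluster and feed the numbers to coverage_ok.
check_cluster() {
  status="$(kubectl get daemonset "$DS_NAME" -n "$DS_NAMESPACE" \
    -o jsonpath='{.status.desiredNumberScheduled} {.status.numberReady}')" || return 2
  nodes="$(kubectl get nodes --no-headers | grep -c .)"
  set -- $status
  coverage_ok "$1" "$2" "$nodes"
}

# Run the live check only when asked, e.g.  CHECK_CLUSTER=1 sh sensor-coverage.sh
if [ "${CHECK_CLUSTER:-0}" = "1" ]; then
  check_cluster
fi
```

The exit status is the point: a non-zero result from a scheduled run is the signal that a node is running without runtime protection, which is exactly the gap an autoscaling event can open.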
Hardening Recommendations
Defender provides configuration recommendations for your AKS clusters and ACR instances. These are based on the CIS Kubernetes Benchmark and Azure security best practices.
Priority recommendations for AKS:
- Enable Azure Policy add-on
- Use managed identities instead of service principals
- Enable Azure Active Directory integration
- Configure authorized IP ranges for the API server
- Use private clusters for production
- Enable Kubernetes RBAC
- Configure network policies
Priority recommendations for ACR:
- Disable the admin account
- Enable private endpoints
- Configure content trust
- Enable retention policies
- Use customer-managed encryption keys (Premium SKU)
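The ACR and AKS recommendations above, applied with the Azure CLI and then read back so drift can be detected. This is an added example, not code from the original article or from Microsoft's documentation; registry, cluster, admin group and CIDR values are placeholders, and disabling public network access is only half of the private-endpoint recommendation (creating the private endpoint itself, and the customer-managed key setup, are not shown). With DRY_RUN=1 (the default) the commands are printed, not run.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): apply ACR and AKS hardening
# recommendations and verify one setting read back from Azure.
# Registry, cluster, group id and CIDR values are placeholders.
# DRY_RUN=1 (the default) prints commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# ACR: no shared admin account, no public network access, content trust on,
# and automatic cleanup of untagged manifests after 30 days.
harden_acr() {
  reg="$1"
  run az acr update --name "$reg" --admin-enabled false
  run az acr update --name "$reg" --public-network-enabled false
  run az acr config content-trust update --registry "$reg" --status enabled
  run az acr config retention update --registry "$reg" --status enabled --days 30 --type UntaggedManifests
}

# AKS: Kubernetes RBAC backed by Entra ID (admin_group is the object id of
# the cluster-admin group) and an API server reachable only from the CIDR.
harden_aks() {
  rg="$1"; cluster="$2"; admin_group="$3"; cidr="$4"
  run az aks update --resource-group "$rg" --name "$cluster" \
    --enable-aad --enable-azure-rbac --aad-admin-group-object-ids "$admin_group"
  run az aks update --resource-group "$rg" --name "$cluster" \
    --api-server-authorized-ip-ranges "$cidr"
}

# Compare a setting read back from Azure with the expected value.
# Returns 1 and prints the mismatch so a drift check fails loudly.
expect_setting() {
  label="$1"; actual="$2"; expected="$3"
  if [ "$actual" != "$expected" ]; then
    echo "DRIFT: $label is '$actual', expected '$expected'"
    return 1
  fi
  echo "OK: $label = $expected"
}

# Live query (not subject to DRY_RUN): the admin account must stay disabled.
verify_acr_admin_disabled() {
  actual="$(az acr show --name "$1" --query adminUserEnabled -o tsv)"
  expect_setting "adminUserEnabled" "$actual" "false"
}

# Usage:  DRY_RUN=0 sh harden.sh myregistry my-rg my-aks <group-object-id> 203.0.113.0/24
if [ "$#" -eq 5 ]; then
  harden_acr "$1"
  harden_aks "$2" "$3" "$4" "$5"
  verify_acr_admin_disabled "$1"
fi
```

Treat the verify step as the reusable part: Secure Score tells you a recommendation is open, but a scheduled read-back of the settings you care about tells you the moment someone re-enables the admin account or widens the authorized IP range.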
Tracking recommendation status. Defender for Cloud's Secure Score incorporates these recommendations. Track your Secure Score over time to measure improvement. Focus on recommendations that affect your production environments first.
Multi-Cluster Strategy
Organizations with multiple AKS clusters need a consistent Defender deployment strategy.
Use Azure Policy to enforce Defender deployment. Create a policy assignment that ensures the Defender sensor is deployed on all AKS clusters. This prevents coverage gaps when new clusters are created.
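The policy assignment described above, as an added example that is not part of the original article. It assumes a built-in DeployIfNotExists policy definition that installs the Defender profile on AKS clusters exists in your tenant (the definition name is a placeholder here; the first function looks it up by display name so you can substitute the real one), that the assignment needs a system-assigned managed identity with Contributor on the subscription to deploy the profile, and that a remediation task is wanted for clusters that already exist. DRY_RUN=1 (the default) prints the commands only.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): assign a DeployIfNotExists
# policy at subscription scope so every AKS cluster gets the Defender sensor,
# then remediate clusters that already exist. The definition name is a
# placeholder; resolve it with find_definition and pass the real value.

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Look up built-in definitions whose display name mentions the Defender profile.
find_definition() {
  run az policy definition list \
    --query "[?contains(displayName, 'Defender profile')].[name, displayName]" -o tsv
}

# Assign the definition to the whole subscription. A managed identity with a
# role on the scope is required for DeployIfNotExists effects (assumed: Contributor).
assign_policy() {
  sub="$1"; definition="$2"; location="$3"
  run az policy assignment create --name deploy-defender-aks \
    --display-name "Deploy Defender sensor to all AKS clusters" \
    --scope "/subscriptions/$sub" --policy "$definition" \
    --mi-system-assigned --location "$location" \
    --identity-scope "/subscriptions/$sub" --role Contributor
}

# New clusters are handled on creation; existing ones need a remediation task.
remediate_existing() {
  run az policy remediation create --name remediate-defender-aks \
    --policy-assignment deploy-defender-aks
}

# Usage:  DRY_RUN=0 sh defender-policy.sh <subscription-id> <definition-name> eastus
if [ "$#" -eq 3 ]; then
  assign_policy "$1" "$2" "$3"
  remediate_existing
fi
```

Assign at the management group level instead of the subscription if new subscriptions are created regularly; otherwise each new subscription is a coverage gap of its own.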
Aggregate findings in Defender for Cloud. All Defender for Containers findings -- vulnerability assessments, runtime alerts, and recommendations -- appear in the Defender for Cloud dashboard. Use the centralized view for cross-cluster visibility.
Configure email notifications. Set up email notifications for high and critical alerts. Route them to the team that manages each cluster. A critical alert on a production cluster should reach the on-call engineer within minutes.
Integration With Azure DevOps
Defender for Containers integrates with Azure DevOps to shift security left.
Pipeline scanning. Use the Microsoft Security DevOps task in your Azure DevOps pipelines to scan container images during build. The task runs Trivy under the hood and reports findings as pipeline annotations.
Quality gates. Configure the pipeline to fail if critical vulnerabilities are found in the image. This prevents vulnerable images from reaching ACR in the first place.
Finding decoration. Scanning results appear as annotations on your pull requests, making security findings visible during code review.
Cost Considerations
Defender for Containers charges based on the number of vCores in your AKS clusters (for runtime protection) and the number of images scanned (for vulnerability assessment).
Right-size your deployment. If you have development clusters that do not need runtime protection, you can exclude them from the Defender plan to reduce costs. But vulnerability scanning for development images is still valuable for catching issues early.
Monitor costs in Cost Management. Track Defender for Containers costs in Azure Cost Management. If costs spike unexpectedly, check for cluster autoscaling events that added more nodes than anticipated.
How Safeguard.sh Helps
Safeguard.sh complements Microsoft Defender for Containers by providing deeper supply chain analysis and cross-platform visibility. While Defender focuses on Azure-native container security, Safeguard.sh tracks the complete software supply chain -- dependencies, build provenance, SBOMs, and license compliance -- across all your environments, not just Azure.
The platform integrates with Defender findings and adds context that Defender does not provide: which vulnerable packages are actually reachable in your running containers, how the vulnerability relates to your organization's specific risk profile, and what the remediation priority should be given your full infrastructure context. This turns Defender's findings into prioritized action items instead of an undifferentiated list of CVEs.