Bridging the Gap Between Code and Cloud with Defender for Cloud

While containers have revolutionized modern software development, the complexity of dependencies in containerized environments and the expanded attack surface they present are still significant hurdles for security professionals. The initial step in securing these environments involves identifying vulnerabilities within container images. Yet, the most time-consuming task can often be identifying the right development team to address these vulnerabilities, particularly the mission-critical ones.

Microsoft Defender for Cloud addresses this critical need with its container mapping feature. This blog post explores how Defender for Cloud streamlines the process of tracing vulnerabilities in container images back to their origins in CI/CD pipelines, specifically within Azure DevOps and GitHub environments. This functionality is key to facilitating effective developer remediation workflows, thereby enhancing the security posture of cloud-native applications.

Microsoft Defender for Cloud's container mapping feature offers a holistic view of the container landscape, linking container images in registries or Kubernetes clusters back to their source in the CI/CD pipelines. This feature is crucial for several reasons, including quick identification of vulnerability origins, streamlined collaboration between developers and security teams, and continuous visibility of the software development lifecycle.

Quick Identification of Vulnerability Origins

Defender for Cloud bridges the gap between cloud deployments and code. It enables security teams to pinpoint critical vulnerabilities in active containers, directly associating them with the CI/CD pipeline that built the container image. This connection facilitates rapid identification of the source of risks, diminishing the time to remediation and reducing the potential attack surface. The cloud-to-code feature of Defender for Cloud surfaces metadata captured from the CI/CD pipeline, creating a direct link between issues in the cloud and their source code. This level of traceability is crucial for comprehending how vulnerabilities are introduced.

Enhanced Security Response

Defender for Cloud provides contextual visibility into Kubernetes assets and security posture that empowers security teams to prioritize remediation based on actual risk through agentless discovery for Kubernetes. This lets security teams prioritize vulnerabilities in running containers based on factors such as whether the container is privileged or running on a pod that is exposed to the internet. After cutting through the noise to focus on the vulnerable containers with the highest business impact, security teams can then find the precise origin of a vulnerability to accelerate the remediation process. With agentless container posture and container mapping in Defender CSPM, security teams can more seamlessly communicate with the relevant development teams to initiate the patching process.

Continuous Visibility into the Software Development Lifecycle

With container mapping, security teams gain comprehensive visibility across the entire lifecycle of container images, from their creation to deployment. This continuous oversight allows organizations to make data-driven decisions to enhance their security strategies. The capability ensures that cloud-native applications are traced from code to cloud and safeguarded throughout their lifecycle.

To leverage the container mapping feature, it is necessary to ensure that the prerequisites are met for Azure DevOps and GitHub. After configuring this feature, you can use the Cloud Security Explorer to receive immediate benefits.

The Cloud Security Explorer in Defender for Cloud offers a built-in template to find “Container images running in production pushed by repositories with high severity vulnerabilities”. This allows you to quickly view the code origin of all running containers with vulnerabilities.

Figure 1. Cloud Security Explorer Template for Container Mapping

Selecting the template will populate the query for you so you can quickly get results of the vulnerable containers that were pushed by code repositories.

Figure 2. Cloud Security Explorer Query

You can select any result to get the DevOps pipeline details that were responsible for building and pushing the specific container image.

Figure 3. Container Mapping Results in Cloud Security Explorer

Additionally, you can continue to modify this query to prioritize the most severe risks. For example, you can search for vulnerable container images running on internet exposed pods or privileged containers.
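As an added illustration (not Microsoft's code, and not Defender for Cloud's real data model), the following Python models the cloud-to-code join that the Cloud Security Explorer query above performs: running containers are linked to the pipeline push that produced their image by image digest, filtered to high-severity findings, and ranked using the runtime context (internet exposure, privileged mode) described in this post. All records and field names are constructed assumptions.

```python
# Constructed sample data; field names are assumptions, not Defender for Cloud's schema.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Containers discovered running in a cluster, each identified by image digest.
RUNNING = [
    {"pod": "web-1", "digest": "sha256:aaa", "internet_exposed": True,  "privileged": False},
    {"pod": "db-1",  "digest": "sha256:bbb", "internet_exposed": False, "privileged": True},
    {"pod": "job-1", "digest": "sha256:ccc", "internet_exposed": False, "privileged": False},
]

# Pipeline metadata recorded when an image was built and pushed (the "code" side).
# Note: sha256:ccc has no record, i.e. it was pushed outside a mapped pipeline.
PIPELINE_PUSHES = {
    "sha256:aaa": {"repo": "org/web", "pipeline": "web-ci", "run": 101},
    "sha256:bbb": {"repo": "org/db",  "pipeline": "db-ci",  "run": 57},
}

# Vulnerability findings per image digest (severity labels only).
FINDINGS = {
    "sha256:aaa": ["High", "Medium"],
    "sha256:bbb": ["Medium"],
    "sha256:ccc": ["Critical"],
}


def map_to_code(min_severity="High"):
    """Return running images with findings at or above min_severity, joined to the
    pipeline that pushed them, ranked by severity plus runtime exposure.
    Images with no pipeline record are kept with repo/pipeline set to None so the
    missing code origin is visible to the security team rather than silently dropped."""
    threshold = SEVERITY_RANK[min_severity]
    results = []
    for c in RUNNING:
        sevs = [s for s in FINDINGS.get(c["digest"], []) if SEVERITY_RANK[s] >= threshold]
        if not sevs:
            continue
        origin = PIPELINE_PUSHES.get(c["digest"])
        # Risk score: worst finding, boosted by internet exposure (+2) and privilege (+1).
        score = max(SEVERITY_RANK[s] for s in sevs) + 2 * c["internet_exposed"] + c["privileged"]
        results.append({
            "pod": c["pod"],
            "digest": c["digest"],
            "worst": max(sevs, key=SEVERITY_RANK.get),
            "repo": origin["repo"] if origin else None,
            "pipeline": origin["pipeline"] if origin else None,
            "score": score,
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)
```

The unmapped image (no pipeline record) is the case worth watching for: it means a vulnerable container is running whose origin cannot be traced back to a repository, so there is no owner to route the finding to.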

Figure 4. Cloud Security Explorer Query for Internet Exposed Pods

The integration of container mapping in Microsoft Defender for Cloud is a significant improvement in the management of cloud native applications. It addresses a critical need in container security: the ability to identify the origin of vulnerabilities quickly and accurately. This capability accelerates the remediation process and enhances the overall security posture of an organization by providing clear visibility into the container lifecycle and fostering collaboration between development and security teams.

Code to Cloud mapping doesn't stop with containers: Defender for Cloud also provides mapping for Infrastructure-as-Code. See the Infrastructure-as-Code mapping documentation linked below to learn more.

Microsoft Defender for Cloud DevOps security – the benefits and features – Microsoft Defender for Cl…

Map container images from code to cloud – Microsoft Defender for Cloud | Microsoft Learn

Map IaC templates from code to cloud – Microsoft Defender for Cloud | Microsoft Learn

Reviewed by:

  • Karen Dahmen, Principal PM Manager
  • Sindhu Nagesh, Senior Engineering Manager

This article was originally published by Microsoft's Defender for Cloud Blog.