Defender for Containers helps you assess container image vulnerabilities across the full image lifecycle, from code development to cloud deployment.
Comprehensive coverage includes container images from external registries. This feature supports Docker Hub, which is used by enterprises, small businesses, and open-source teams. If you use Docker Hub, Defender for Containers can provide inventory discovery, security posture evaluation, and vulnerability assessment. You get the same core security capabilities available for cloud-native registries such as Azure Container Registry (ACR), Amazon Elastic Container Registry (ECR), and Google Container Registry (GCR).
Key capabilities
Defender for Containers provides the following capabilities for Docker Hub organizations:
Inventory: Identify and list all available container images in the Docker Hub organization.
Vulnerability assessment: Regularly scan the Docker Hub organization account for supported container images, identify vulnerabilities, and provide recommendations for issues that need remediation.
Prerequisites
To use Microsoft Defender for Containers with your organizational Docker Hub accounts, you must own a Docker Hub organization account and have admin permission to manage users. For more information, see How to set up Docker Hub as an external registry.
Enable Microsoft Defender for Containers or Defender CSPM for at least one subscription in Microsoft Defender for Cloud.
Onboard the Docker Hub environment
Users with Security admin privileges in Microsoft Defender for Cloud can add a new Docker Hub environment if they also have the required permissions on the Environment settings page.
Each environment maps to one Docker Hub organization. In the onboarding interface, select Docker Hub as the registry type when you add a new external registry environment.
The environment wizard assists with the onboarding process:
Connector Details
Connector name: Specify a unique connector name.
Location: Specify the geographic location where Defender for Cloud stores the data associated with this connector.
Subscription: The hosting subscription that defines the RBAC scope and the billing entity for the Docker Hub environment.
Resource group: The resource group that defines the RBAC scope for the connector.
Note
Only one subscription can be linked to a Docker Hub environment instance. However, container images from this instance can be deployed to multiple environments protected by Defender for Cloud, outside the boundaries of the associated subscription.
Scanning intervals: Select an interval for scanning the container registry for vulnerabilities.
Select Plans
Multiple plans exist for these kinds of environments:
Foundational CSPM: Basic plan available to all customers; provides inventory capabilities only.
Containers: Offers inventory and vulnerability assessment features.
Defender CSPM: Offers inventory and vulnerability assessment features, plus extra capabilities like attack path analysis and code-to-cloud mapping.
For plan pricing details, see Microsoft Defender for Cloud pricing.
Ensure your Docker Hub environment plans are in sync with your cloud environment plans and share the same subscription to maximize coverage.
Configure Access
To maintain a continuous and secure link between Defender for Cloud and your Docker Hub organization, use a dedicated user with an organization email address. Each Docker Hub connector maps to one Docker Hub organization. Onboard a separate Docker Hub environment connector in Defender for Cloud for each Docker Hub organization that you manage.
Follow the steps in How to set up Docker Hub as an external registry to prepare your Docker Hub organization account for integration.
Provide these parameters from your Docker Hub user to establish a connection.
Organization: Docker Hub organization name
User: Assigned Docker Hub username
Access token: Docker Hub user read-only access token
Review and generate
Review all the configured connector details before onboarding finalization.
Validate connectivity
Verify the connection is successful and displays "Connected" on the environment's settings screen.
Validate feature capabilities
Docker Hub initiates container registry scanning within one hour after onboarding:
Inventory: Make sure your Docker Hub connector and its security status appear in the Inventory view.
Vulnerability assessment: Ensure you receive the recommendation "(Preview) Container images in Docker Hub registry should have vulnerability findings resolved" for addressing security issues in your Docker Hub container images.