Microsoft Defender for Cloud Blog

The end of the patching era for containers: Microsoft Defender for Cloud expands hardened image support

Yulia_Zhurbinsky
Jun 02, 2026

Container security is moving from reactive patching to proactive risk reduction earlier in the lifecycle. In this blog, we share how Microsoft Defender for Cloud expands support for hardened container images - helping security teams reduce inherited vulnerabilities while maintaining consistent, centralized visibility across container image ecosystems.

Why hardened images are becoming the new baseline for container image security 

Container security is evolving beyond vulnerability scanning alone. Across the ecosystem - container platforms, registries, and software supply chain tooling - customers are increasingly adopting hardened container images: images that are minimal by design, transparent in composition, and continuously maintained to reduce inherited risk at the base layer. 

This shift is happening against a backdrop of increasingly fast-moving attacks. AI-assisted techniques - such as those demonstrated by Mythos-class tooling - continue to compress the time between vulnerability discovery and exploitation. In this environment, reducing exposure to exploitable vulnerabilities and attack surfaces in container images before deployment is becoming just as critical as detecting vulnerabilities after the fact. 

Traditional container images are optimized for flexibility and reuse, not for security - meaning they are not designed to minimize included components, reduce attack surface, or limit inherited vulnerabilities by default. As a result, many base images include large package sets and transitive dependencies that significantly increase attack surface and vulnerability noise. 

Hardened images take a different approach: 

  • Minimal by construction, including only what’s required to run the workload 
  • Reduced attack surface, limiting exploitable components 
  • Strong transparency, with SBOMs and provenance metadata 
  • Continuous maintenance, so vulnerabilities are addressed through rebuilding rather than downstream patching 

For customers, this represents a shift from reactive CVE triage to preventative risk reduction at the image layer. 

In practice, this changes how container image risk is managed - from prioritizing and patching vulnerabilities in place to replacing images with updated, rebuilt versions, making remediation more predictable and easier to scale across environments. 

Adopting hardened images does not remove the need to keep assessing them for vulnerabilities and compliance. A minimal image still carries packages that can acquire new CVEs over time, and a frequently rebuilt image can drift from the composition that was originally reviewed and approved. Continuous image scanning and monitoring therefore remain essential after adoption. 
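The rebuild-based model described above is easier to reason about when it is visible in an SBOM. The following is an added example, not code from the original post or from Microsoft Defender for Cloud: it parses three constructed CycloneDX-style SBOMs (a conventional base image, a hardened rebuild of it, and the next rebuild of that hardened image), quantifies the package surface the hardened image drops, and flags drift between an approved image and its rebuilt replacement, which is the check that still has to happen after adoption. All package names, versions and counts are illustrative and assumed, not taken from any real image or provider.

```python
"""Compare the package surface of two container images from their SBOMs and
flag drift between an approved image and a rebuilt replacement.

Added example, not code from the original post or from Microsoft Defender for
Cloud. The SBOM documents below are constructed, CycloneDX-style JSON with a
handful of components; real SBOMs have the same `components` shape but far
more entries.
"""
import json

# Constructed SBOM for a conventional, general-purpose base image.
TRADITIONAL_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2"},
        {"type": "library", "name": "curl", "version": "7.81.0"},
        {"type": "library", "name": "bash", "version": "5.1"},
        {"type": "library", "name": "perl", "version": "5.34.0"},
        {"type": "library", "name": "python3", "version": "3.10.6"},
        {"type": "library", "name": "libc", "version": "2.35"},
    ],
})

# Constructed SBOM for a minimal, hardened rebuild of the same workload base.
HARDENED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.3.1"},
        {"type": "library", "name": "libc", "version": "2.40"},
    ],
})

# Constructed SBOM for the next rebuild of the hardened image: one version
# bump (expected) and one package that was not in the approved image.
HARDENED_REBUILD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.3.2"},
        {"type": "library", "name": "libc", "version": "2.40"},
        {"type": "library", "name": "ca-certificates", "version": "2024.07"},
    ],
})


def packages(sbom_json: str) -> dict[str, str]:
    """Return {package name: version} for every library component in a CycloneDX SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return {c["name"]: c["version"] for c in doc.get("components", [])
            if c.get("type") == "library"}


def surface_reduction(baseline_json: str, hardened_json: str) -> dict:
    """Quantify how many inherited packages a hardened image drops relative to a baseline."""
    base, hard = packages(baseline_json), packages(hardened_json)
    removed = sorted(set(base) - set(hard))
    pct = round(100 * len(removed) / len(base), 1) if base else 0.0
    return {"baseline": len(base), "hardened": len(hard),
            "removed": removed, "reduction_pct": pct}


def drift(expected_json: str, rebuilt_json: str) -> dict:
    """Diff an approved image's SBOM against a rebuilt candidate.

    Rebuilds are how hardened images get remediated, so version bumps are the
    normal case; packages that appear or disappear are what a reviewer should
    look at before the rebuilt image replaces the approved one.
    """
    exp, new = packages(expected_json), packages(rebuilt_json)
    return {
        "added": sorted(set(new) - set(exp)),
        "removed": sorted(set(exp) - set(new)),
        "changed": {n: (exp[n], new[n]) for n in exp.keys() & new.keys()
                    if exp[n] != new[n]},
    }


def needs_review(expected_json: str, rebuilt_json: str) -> bool:
    """True when a rebuild changes the package set itself, not merely versions."""
    d = drift(expected_json, rebuilt_json)
    return bool(d["added"] or d["removed"])


if __name__ == "__main__":
    print(json.dumps(surface_reduction(TRADITIONAL_SBOM, HARDENED_SBOM), indent=2))
    print(json.dumps(drift(HARDENED_SBOM, HARDENED_REBUILD_SBOM), indent=2))
    print("review required:", needs_review(HARDENED_SBOM, HARDENED_REBUILD_SBOM))
```

The drift check deliberately treats version bumps as routine and only raises a flag when the package set changes, because under the rebuild model a new openssl version is the remediation you wanted, while a package that was never in the approved image is exactly the kind of configuration difference a vulnerability scanner alone will not call out.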

Microsoft Defender for Cloud’s approach: support choice, centralize visibility 

Today, Microsoft Defender for Cloud already supports vulnerability assessment for hardened image providers such as Chainguard, alongside traditional Linux distributions. We recently expanded this coverage further with additional hardened image types, giving customers more flexibility to adopt secure-by-default images while continuing to scan these images and manage findings in a centralized Microsoft Defender for Cloud experience. 

Microsoft Defender for Cloud does not prescribe a single hardened image solution. Instead, it focuses on enabling customer choice while providing consistent, centralized vulnerability assessment and posture management. 

This capability builds on the container vulnerability assessment foundation powered by Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management (MDVM), bringing together high-fidelity vulnerability insights across the container lifecycle with support for modern, hardened image models. 

Microsoft Defender for Cloud’s vulnerability assessment now supports hardened image ecosystems including: 

  • Chainguard images, rebuilt from source and designed to minimize inherited vulnerabilities 
  • Minimus images, which are minimal and continuously rebuilt to ship with zero known CVEs at publish time 
  • Docker Hardened Images (DHI), secure, minimal, production-ready base images maintained by Docker (recently added)
  • Photon OS-based images and other minimal operating system distributions 

Across all of these, Microsoft Defender for Cloud’s experience remains consistent: 

  • Images are scanned through the existing container vulnerability assessment pipeline 
  • Findings surface in the same Azure and Defender portals 
  • Policy evaluation, alerting, and compliance reporting stay centralized 

Security teams do not need to onboard new scanners, manage separate dashboards, or maintain parallel remediation workflows. Hardened image adoption fits directly into existing Microsoft Defender for Cloud posture management. 

What this means for customers 

As hardened image adoption accelerates, Microsoft Defender for Cloud enables customers to adopt secure-by-default foundations without fragmenting their security posture. 

The benefits are tangible: 

  • Reduced vulnerability noise from inherited base-image packages 
  • Earlier risk reduction at the image layer 
  • Consistent vulnerability assessment across hardened image providers 
  • Centralized security posture, compliance, and reporting 

Whether customers choose Chainguard, Minimus, Docker Hardened Images, Photon OS–based images, or a combination, Microsoft Defender for Cloud provides a single control plane for understanding and managing container image risk - without forcing a change in operational model. 

How this works across hardened image providers 

Microsoft Defender for Cloud supports multiple hardened image providers, enabling organizations to adopt secure-by-default container images while maintaining a consistent approach to vulnerability assessment and posture management. 

While each provider takes a different approach to minimizing risk at the image layer, Microsoft Defender for Cloud ensures that all images are scanned through the same vulnerability assessment pipeline, with findings surfaced centrally for security teams to monitor, prioritize, and remediate. 

Examples: 

Minimus 

Minimal, continuously rebuilt container images designed to ship with zero known CVEs at publish time. Microsoft Defender for Cloud enables native scanning of Minimus images stored in Azure Container Registry, allowing security teams to assess vulnerabilities and maintain centralized visibility without introducing new workflows. 

Docker Hardened Images (DHI) 

Production-ready, minimal base images designed as drop-in replacements for standard container images. By supporting DHI, Microsoft Defender for Cloud allows customers to adopt these hardened images while continuing to rely on the same vulnerability scanning, governance, and reporting capabilities. 

Looking ahead 

Hardened images are no longer niche - they are becoming a foundational element of modern container security. As attacker automation and AI-assisted attack techniques continue to shorten response windows, reducing exposure at build and image layers becomes increasingly important. 

Microsoft Defender for Cloud will continue expanding support for hardened and minimal image ecosystems, ensuring customers can evolve their image strategies without sacrificing visibility, control, or operational simplicity. 

Security should start with what you build on - not with what you fix later.

Learn more: Scanning support for Docker Hardened container images

Updated Jun 02, 2026
Version 1.0