
Commit 59ed823

Merge pull request #215547 from bmansheim/va-ecr-post-ignite
Improve docs for VA for ECR #1989187
2 parents 6211074 + 7b39cb0 commit 59ed823


4 files changed

+42
-54
lines changed


articles/defender-for-cloud/defender-for-cloud-introduction.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -102,7 +102,8 @@ Review the findings from these vulnerability scanners and respond to them all fr
102102
Learn more on the following pages:
103103

104104
- [Defender for Cloud's integrated Qualys scanner for Azure and hybrid machines](deploy-vulnerability-assessment-vm.md)
105-
- [Identify vulnerabilities in images in Azure container registries](defender-for-containers-va-acr.md#identify-vulnerabilities-in-images-in-other-container-registries)
105+
- [Identify vulnerabilities in images in Azure container registries](defender-for-containers-va-acr.md)
106+
- [Identify vulnerabilities in images in AWS Elastic Container Registry](defender-for-containers-va-ecr.md)
106107

107108
## Enforce your security policy from the top down
108109

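Review bot: Dropping the `#identify-vulnerabilities-in-images-in-other-container-registries` fragment from the ACR link is the right call here, since the ACR file in this same PR deletes that heading, but the anchor may also be referenced from other pages; grep the docs set for that fragment so no other link is left pointing at a heading that no longer exists. For the new ECR bullet, consider matching the naming used in the ECR article itself ("Amazon AWS Elastic Container Registry (ECR)") so the two entries read consistently.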
articles/defender-for-cloud/defender-for-containers-va-acr.md

Lines changed: 11 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -3,14 +3,14 @@ title: Identify vulnerabilities in Azure Container Registry with Microsoft Defen
33
description: Learn how to use Defender for Containers to scan images in your Azure Container Registry to find vulnerabilities.
44
author: bmansheim
55
ms.author: benmansheim
6-
ms.date: 09/11/2022
6+
ms.date: 10/24/2022
77
ms.topic: how-to
88
ms.custom: ignite-2022
99
---
1010

1111
# Use Defender for Containers to scan your Azure Container Registry images for vulnerabilities
1212

13-
This page explains how to use Defender for Containers to scan the container images stored in your Azure Resource Manager-based Azure Container Registry, as part of the protections provided within Microsoft Defender for Cloud.
13+
This article explains how to use Defender for Containers to scan the container images stored in your Azure Resource Manager-based Azure Container Registry, as part of the protections provided within Microsoft Defender for Cloud.
1414

1515
To enable scanning of vulnerabilities in containers, you have to [enable Defender for Containers](defender-for-containers-enable.md). When the scanner, powered by Qualys, reports vulnerabilities, Defender for Cloud presents the findings and related information as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.
1616

@@ -30,43 +30,28 @@ The triggers for an image scan are:
3030

3131
- (Preview) Continuous scan for running images. This scan is performed every seven days for as long as the image runs. This mode runs instead of the above mode when the Defender profile, or extension is running on the cluster.
3232

33-
> [!NOTE]
34-
> **Windows containers**: There is no Defender agent for Windows containers, the Defender agent is deployed to a Linux node running in the cluster, to retrieve the running container inventory for your Windows nodes.
35-
>
36-
> Images that aren't pulled from ACR for deployment in AKS won't be checked and will appear under the **Not applicable** tab.
37-
>
38-
> Images that have been deleted from their ACR registry, but are still running, won't be reported on only 30 days after their last scan occurred in ACR.
33+
When a scan is triggered, findings are available as Defender for Cloud recommendations from 2 minutes up to 15 minutes after the scan is complete.
3934

40-
This scan typically completes within 2 minutes, but it might take up to 40 minutes.
35+
Also, check out the ability scan container images for vulnerabilities as the images are built in your CI/CD GitHub workflows. Learn more in [Defender for DevOps](defender-for-devops-introduction.md).
4136

42-
Also, check out the ability scan container images for vulnerabilities as the images are built in your CI/CD GitHub workflows. Learn more in [Identify vulnerable container images in your CI/CD workflows](defender-for-containers-cicd.md).
37+
## Prerequisites
4338

44-
## Identify vulnerabilities in images in Azure container registries
39+
Before you can scan your ACR images:
4540

46-
To enable vulnerability scans of images stored in your Azure Resource Manager-based Azure Container Registry:
47-
48-
1. [Enable Defender for Containers](defender-for-containers-enable.md) for your subscription. Defender for Containers is now ready to scan images in your registries.
41+
- [Enable Defender for Containers](defender-for-containers-enable.md) for your subscription. Defender for Containers is now ready to scan images in your registries.
4942

5043
>[!NOTE]
5144
> This feature is charged per image.
5245
53-
When a scan is triggered, findings are available as Defender for Cloud recommendations from 2 minutes up to 15 minutes after the scan is complete.
54-
55-
1. [View and remediate findings as explained below](#view-and-remediate-findings).
56-
57-
## Identify vulnerabilities in images in other container registries
58-
59-
If you want to find vulnerabilities in images stored in other container registries, you can import the images into ACR and scan them.
46+
- If you want to find vulnerabilities in images stored in other container registries, you can import the images into ACR and scan them.
6047

61-
You can also [scan images in Amazon AWS Elastic Container Registry](defender-for-containers-va-ecr.md) directly from the Azure portal.
62-
63-
1. Use the ACR tools to bring images to your registry from Docker Hub or Microsoft Container Registry. When the import completes, the imported images are scanned by the built-in vulnerability assessment solution.
48+
Use the ACR tools to bring images to your registry from Docker Hub or Microsoft Container Registry. When the import completes, the imported images are scanned by the built-in vulnerability assessment solution.
6449

6550
Learn more in [Import container images to a container registry](../container-registry/container-registry-import-images.md)
6651

67-
When the scan completes (typically after approximately 2 minutes, but can be up to 15 minutes), findings are available as Defender for Cloud recommendations.
52+
You can also [scan images in Amazon AWS Elastic Container Registry](defender-for-containers-va-ecr.md) directly from the Azure portal.
6853

69-
1. [View and remediate findings as explained below](#view-and-remediate-findings).
54+
For a list of the types of images and container registries supported by Microsoft Defender for Containers, see [Availability](supported-machines-endpoint-solutions-clouds-containers.md?tabs=azure-aks#registries-and-images).
7055

7156
## View and remediate findings
7257

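Review bot: The NOTE block removed at old lines 33-38 (no Defender agent for Windows containers, images not pulled from ACR landing under the **Not applicable** tab, deleted-but-still-running images dropping out of reporting 30 days after their last scan) is deleted outright, and nothing in the diff relocates it; if those behaviours still hold, readers troubleshooting a missing scan result lose the only explanation on the page, so either move the note into the continuous-scan bullet or the Availability page, or state in the PR why it no longer applies. Two smaller points in the same hunk: the carried-over sentence "check out the ability scan container images" still needs "ability to scan", and the new Prerequisites list mixes a true prerequisite with "If you want to find vulnerabilities in images stored in other container registries..." as a second bullet, followed by unindented paragraphs ("Use the ACR tools...", "Learn more in...", "You can also...") that will render outside the list; that import guidance reads better as its own short section below Prerequisites. The removal of the conflicting "up to 40 minutes" sentence in favour of the single "from 2 minutes up to 15 minutes" statement is a good cleanup.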
@@ -173,10 +158,6 @@ Defender for Cloud filters and classifies findings from the scanner. When an ima
173158

174159
Yes. The results are under [Sub-Assessments REST API](/rest/api/defenderforcloud/sub-assessments/list). Also, you can use Azure Resource Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific scan.
175160

176-
### What registry types are scanned? What types are billed?
177-
178-
For a list of the types of container registries supported by Microsoft Defender for container registries, see [Availability](supported-machines-endpoint-solutions-clouds-containers.md#additional-information). Defender for Containers doesn't scan unsupported registries that you connect to your Azure subscription.
179-
180161
### Why is Defender for Cloud alerting me to vulnerabilities about an image that isn’t in my registry?
181162

182163
Some images may reuse tags from an image that was already scanned. For example, you may reassign the tag “Latest” every time you add an image to a digest. In such cases, the ‘old’ image does still exist in the registry and may still be pulled by its digest. If the image has security findings and is pulled, it will expose security vulnerabilities.
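Review bot: Deleting the FAQ "What registry types are scanned? What types are billed?" drops the billing half of the answer and the sentence that unsupported registries connected to the subscription are not scanned; the new Availability link added under Prerequisites covers supported registries and images, but nothing in the diff shows where the billing question now lives. Keep a one-line FAQ entry pointing at the pricing or Availability page so "what am I charged for" still has an answer on this article, which otherwise only says "This feature is charged per image."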

articles/defender-for-cloud/defender-for-containers-va-ecr.md

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -12,9 +12,11 @@ ms.custom: ignite-2022
1212

1313
Defender for Containers lets you scan the container images stored in your Amazon AWS Elastic Container Registry (ECR) as part of the protections provided within Microsoft Defender for Cloud.
1414

15-
To enable scanning of vulnerabilities in containers, you have to [connect your AWS account to Defender for Cloud](quickstart-onboard-aws.md) and [enable Defender for Containers](defender-for-containers-enable.md). The agentless scanner, powered by the open-source scanner Trivy, scans your ECR repositories and reports vulnerabilities. Defender for Containers creates resources in your AWS account, such as an ECS cluster in a dedicated VPC, internet gateway and an S3 bucket, so that images stay within your account for privacy and intellectual property protection. Resources are created in two AWS regions: us-east-1 and eu-central-1.
15+
To enable scanning of vulnerabilities in containers, you have to [connect your AWS account to Defender for Cloud](quickstart-onboard-aws.md) and [enable Defender for Containers](defender-for-containers-enable.md). The agentless scanner, powered by the open-source scanner Trivy, scans your ECR repositories and reports vulnerabilities.
1616

17-
Defender for Cloud filters and classifies findings from the scanner. Images without vulnerabilities are marked as healthy and Defender for Cloud doesn't send notifications about healthy images to keep you from getting unwanted informational alerts.
17+
Defender for Containers creates resources in your AWS account to build an inventory of the software in your images. The scan then sends only the software inventory to Defender for Cloud. This architecture protects your information privacy and intellectual property, and also keeps the outbound network traffic to a minimum. Defender for Containers creates an ECS cluster in a dedicated VPC, an internet gateway, and an S3 bucket in the us-east-1 and eu-central-1 regions to build the software inventory.
18+
19+
Defender for Cloud filters and classifies findings from the software inventory that the scanner creates. Images without vulnerabilities are marked as healthy and Defender for Cloud doesn't send notifications about healthy images to keep you from getting unwanted informational alerts.
1820

1921
The triggers for an image scan are:
2022
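Review bot: The new paragraph on line 17 should say whether the ECS cluster, dedicated VPC, internet gateway and S3 bucket are created in both `us-east-1` and `eu-central-1` regardless of which regions hold the ECR repositories, since that determines the footprint and cost a reader should expect (the old wording "Resources are created in two AWS regions" had the same ambiguity). Also consider formatting the region names in code font here, as the Prerequisites hunk below already does, and tightening "keeps the outbound network traffic to a minimum" to the concrete statement the previous sentence already makes: only the software inventory, not image content, leaves the account.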

@@ -27,11 +29,9 @@ The triggers for an image scan are:
2729
Before you can scan your ECR images:
2830

2931
- [Connect your AWS account to Defender for Cloud and enable Defender for Containers](quickstart-onboard-aws.md)
30-
- You must have at least one free VPC in us-east-1 and eu-central-1.
32+
- You must have at least one free VPC in the `us-east-1` and `eu-central-1` regions to host the AWS resources that build the software inventory.
3133

32-
> [!NOTE]
33-
> - Images that have at least one layer over 2GB are not scanned.
34-
> - Public repositories and manifest lists are not supported.
34+
For a list of the types of images not supported by Microsoft Defender for Containers, see [Availability](supported-machines-endpoint-solutions-clouds-containers.md?tabs=aws-eks#images).
3535

3636
## Enable vulnerability assessment
3737
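Review bot: "at least one free VPC" on the reworded prerequisite is ambiguous (it can be read as "no-cost VPC"); say "available VPC quota" or "an unused VPC slot" in each region, since the point is that the CloudFormation deployment needs to create a VPC there. Replacing the concrete limits (layers over 2GB not scanned; public repositories and manifest lists unsupported) with a link to the Availability page moves the most common "why wasn't my image scanned" answers off this article; keeping a one-line summary of those limits next to the link would save readers a round trip.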

@@ -50,7 +50,7 @@ To enable vulnerability assessment:
5050

5151
:::image type="content" source="media/defender-for-containers-va-ecr/aws-containers-enable-va.png" alt-text="Screenshot of the toggle to turn on vulnerability assessment for ECR images.":::
5252

53-
1. Select **Next: Configure access**.
53+
1. Select **Save** > **Next: Configure access**.
5454

5555
1. Download the CloudFormation template.
5656
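Review bot: "Select **Save** > **Next: Configure access**" uses the menu-path notation for what are two sequential button clicks; write it as "Select **Save**, and then select **Next: Configure access**." so it matches the numbered-step style of the surrounding procedure and is not read as a nested menu.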
