Trivy findings higher than LOW don't appear in the Defender console
I've configured the microsoft/security-devops-action to scan my built image using Trivy, but even though MEDIUM and HIGH vulnerabilities are shown in the output, they do not appear in my Microsoft Defender for Cloud console. Only the LOW findings are shown.
The discovery time corresponds to when I ran my workflow, so I know that the findings in the console are the ones found in my pipeline.
Here are the steps in my pipeline when I build, push and analyze my image:
steps:
  - name: Checkout
    uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  - name: Set up QEMU
    uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
  - name: Set up Docker Buildx
    uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
  - name: Azure Login
    uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
    with:
      client-id: ${{ secrets.AZURE_CLIENT_ID }}
      tenant-id: ${{ secrets.AZURE_TENANT_ID }}
      subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  # Workaround until OIDC is supported by docker/login
  # Reference: https://github.com/Azure/docker-login/issues/56
  - name: 'Login to ACR (Azure Container Registry)'
    run: |
      az acr login --name ${{ vars.ACR_NAME }}
  - name: Build the image and push it to ACR (Azure Container Registry)
    id: build-and-push
    uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
    with:
      push: true
      tags: ${{ vars.ACR_HOST }}/${{ vars.ARTIFACT_NAME }}
  - name: Scan and track the container image
    uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.20.0
    with:
      tools: 'trivy'
    env:
      GDN_TRIVY_ACTION: image
      GDN_TRIVY_TARGET: ${{ vars.ACR_HOST }}/${{ vars.ARTIFACT_NAME }}
  - name: Azure logout
    if: ${{ always() }}
    run: |
      az logout
Here are some vulnerabilities trivy found:
2025-07-22T12:30:48.6828012Z [Error] 6. Trivy Error CVE-2025-48384 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.6828853Z Signature: 953a044a1b7992a08716c33646da98883ad7a6d919f93825f5eb570f85cba75a
2025-07-22T12:30:48.6830063Z Tool: Trivy: Rule: CVE-2025-48384 (OsPackageVulnerability). https://avd.aquasec.com/nvd/cve-2025-48384
2025-07-22T12:30:48.6830826Z Package: git-man
2025-07-22T12:30:48.6831211Z Installed Version: 1:2.39.5-0+deb12u2
2025-07-22T12:30:48.6831655Z Vulnerability CVE-2025-48384
2025-07-22T12:30:48.6832039Z Severity: HIGH
2025-07-22T12:30:48.6832362Z Fixed Version:
2025-07-22T12:30:48.6832830Z Link: [CVE-2025-48384](https://avd.aquasec.com/nvd/cve-2025-48384)
2025-07-22T12:30:48.6833572Z [Error] 7. Trivy Error CVE-2025-48385 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.6834704Z Signature: 9971b5d392353af82a6310ec1d4157db6597f799ba657fdeaf9a312935f85761
2025-07-22T12:30:48.6835743Z Tool: Trivy: Rule: CVE-2025-48385 (OsPackageVulnerability). https://avd.aquasec.com/nvd/cve-2025-48385
2025-07-22T12:30:48.6836531Z Package: git-man
2025-07-22T12:30:48.6836925Z Installed Version: 1:2.39.5-0+deb12u2
2025-07-22T12:30:48.6837387Z Vulnerability CVE-2025-48385
2025-07-22T12:30:48.6837795Z Severity: HIGH
2025-07-22T12:30:48.6838144Z Fixed Version:
2025-07-22T12:30:48.6851408Z [Warning] 10. Trivy Warning CVE-2025-48386 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.6852298Z Signature: 738a3c73e7cec7659ecb6672b491a3150c32869572c6c98a4c052edb823473cd
2025-07-22T12:30:48.6853285Z Tool: Trivy: Rule: CVE-2025-48386 (OsPackageVulnerability). https://avd.aquasec.com/nvd/cve-2025-48386
2025-07-22T12:30:48.6854059Z Package: git-man
2025-07-22T12:30:48.6854441Z Installed Version: 1:2.39.5-0+deb12u2
2025-07-22T12:30:48.6854888Z Vulnerability CVE-2025-48386
2025-07-22T12:30:48.6855279Z Severity: MEDIUM
2025-07-22T12:30:48.6855618Z Fixed Version:
2025-07-22T12:30:48.6856084Z Link: [CVE-2025-48386](https://avd.aquasec.com/nvd/cve-2025-48386)
2025-07-22T12:30:48.6856836Z 11. Trivy Note CVE-2018-1000021 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.6857684Z Signature: fc3bf2ea103d1b37163ecc201606286bd552bd5edbee1b673ed30d3fcb567ff6
2025-07-22T12:30:48.6858711Z Tool: Trivy: Rule: CVE-2018-1000021 (OsPackageVulnerability). https://avd.aquasec.com/nvd/cve-2018-1000021
2025-07-22T12:30:48.6859507Z Package: git-man
2025-07-22T12:30:48.6860061Z Installed Version: 1:2.39.5-0+deb12u2
2025-07-22T12:30:48.6860495Z Vulnerability CVE-2018-1000021
2025-07-22T12:30:48.6860887Z Severity: LOW
2025-07-22T12:30:48.6861225Z Fixed Version:
2025-07-22T12:30:48.6861743Z Link: [CVE-2018-1000021](https://avd.aquasec.com/nvd/cve-2018-1000021)
2025-07-22T12:30:48.6862491Z 12. Trivy Note CVE-2022-24975 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.6863310Z Signature: ba19b0d6c749523de9848179c17eeeb583fc215e9afd1f45da7380714e472697
2025-07-22T12:30:48.6864323Z Tool: Trivy: Rule: CVE-2022-24975 (OsPackageVulnerability). https://avd.aquasec.com/nvd/cve-2022-24975
2025-07-22T12:30:48.6865124Z Package: git-man
2025-07-22T12:30:48.6865527Z Installed Version: 1:2.39.5-0+deb12u2
2025-07-22T12:30:48.6866006Z Vulnerability CVE-2022-24975
2025-07-22T12:30:48.6866398Z Severity: LOW
2025-07-22T12:30:48.6866982Z Fixed Version:
2025-07-22T12:30:48.7268784Z Link: [CVE-2005-2541](https://avd.aquasec.com/nvd/cve-2005-2541)
2025-07-22T12:30:48.7269550Z 79. Trivy Note TEMP-0290435-0B57B5 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.7270598Z Signature: c31997bda4cccd5413d842aa4082bf30eaf29139db3d5c1b8f2d542c44602de9
2025-07-22T12:30:48.7271749Z Tool: Trivy: Rule: TEMP-0290435-0B57B5 (OsPackageVulnerability). https://security-tracker.debian.org/tracker/TEMP-0290435-0B57B5
2025-07-22T12:30:48.7272677Z Package: tar
2025-07-22T12:30:48.7273054Z Installed Version: 1.34+dfsg-1.2+deb12u1
2025-07-22T12:30:48.7273536Z Vulnerability TEMP-0290435-0B57B5
2025-07-22T12:30:48.7273946Z Severity: LOW
2025-07-22T12:30:48.7274269Z Fixed Version:
2025-07-22T12:30:48.7274909Z Link: [TEMP-0290435-0B57B5](https://security-tracker.debian.org/tracker/TEMP-0290435-0B57B5)
2025-07-22T12:30:48.7275845Z 80. Trivy Note CVE-2022-0563 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.7276684Z Signature: d858f07cdb259ef225b40f410a4201930e98ed7477ec4f5ae950e95198a8a699
2025-07-22T12:30:48.7277681Z Tool: Trivy: Rule: CVE-2022-0563 (OsPackageVulnerability). https://avd.aquasec.com/nvd/cve-2022-0563
2025-07-22T12:30:48.7278457Z Package: util-linux-extra
2025-07-22T12:30:48.7278873Z Installed Version: 2.38.1-5+deb12u3
2025-07-22T12:30:48.7279301Z Vulnerability CVE-2022-0563
2025-07-22T12:30:48.7279870Z Severity: LOW
2025-07-22T12:30:48.7280333Z Fixed Version:
2025-07-22T12:30:48.7280809Z Link: [CVE-2022-0563](https://avd.aquasec.com/nvd/cve-2022-0563)
And here are the results in my Defender console for my repository, in the "GitHub repositories should have code scanning findings resolved" section:
Only the LOW problems are being shown.
I also noticed that all the vulnerabilities that are shown are TEMP vulnerabilities, not CVEs. Here's an example of a vulnerability that is shown in the console:
2025-07-22T12:30:48.7269550Z 79. Trivy Note TEMP-0290435-0B57B5 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.7270598Z Signature: c31997bda4cccd5413d842aa4082bf30eaf29139db3d5c1b8f2d542c44602de9
2025-07-22T12:30:48.7271749Z Tool: Trivy: Rule: TEMP-0290435-0B57B5 (OsPackageVulnerability). https://security-tracker.debian.org/tracker/TEMP-0290435-0B57B5
2025-07-22T12:30:48.7272677Z Package: tar
2025-07-22T12:30:48.7273054Z Installed Version: 1.34+dfsg-1.2+deb12u1
2025-07-22T12:30:48.7273536Z Vulnerability TEMP-0290435-0B57B5
2025-07-22T12:30:48.7273946Z Severity: LOW
2025-07-22T12:30:48.7274269Z Fixed Version:
2025-07-22T12:30:48.7274909Z Link: [TEMP-0290435-0B57B5](https://security-tracker.debian.org/tracker/TEMP-0290435-0B57B5)
Here's an example of a vulnerability that isn't shown:
2025-07-22T12:30:48.6851408Z [Warning] 10. Trivy Warning CVE-2025-48386 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.6852298Z Signature: 738a3c73e7cec7659ecb6672b491a3150c32869572c6c98a4c052edb823473cd
2025-07-22T12:30:48.6853285Z Tool: Trivy: Rule: CVE-2025-48386 (OsPackageVulnerability). https://avd.aquasec.com/nvd/cve-2025-48386
2025-07-22T12:30:48.6854059Z Package: git-man
2025-07-22T12:30:48.6854441Z Installed Version: 1:2.39.5-0+deb12u2
2025-07-22T12:30:48.6854888Z Vulnerability CVE-2025-48386
2025-07-22T12:30:48.6855279Z Severity: MEDIUM
2025-07-22T12:30:48.6855618Z Fixed Version:
2025-07-22T12:30:48.6856084Z Link: [CVE-2025-48386](https://avd.aquasec.com/nvd/cve-2025-48386)
Desired behavior
Any vulnerabilities, be it CVE or TEMP, and regardless of severity, should appear in the defender console after a scan.
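As an added example (not part of this issue or of the microsoft/security-devops-action project), the script below parses the MSDO Trivy log format quoted above into one record per finding, summarizes them by severity and by identifier kind (CVE vs. Debian TEMP id), and diffs the logged set against the rule ids the console actually lists. The regexes encode an assumed log shape derived only from the lines quoted in this thread, not from any official specification; the sample log is a constructed, trimmed excerpt of those lines, and the console list passed in at the bottom is likewise constructed to mirror the situation described.

```python
import re
from collections import Counter

# Constructed sample: a trimmed excerpt in the same shape as the
# microsoft/security-devops-action Trivy log lines quoted in this issue
# (Signature/Tool/Link lines dropped, entries 7 and 11-12 omitted).
SAMPLE_LOG = """\
2025-07-22T12:30:48.6828012Z [Error] 6. Trivy Error CVE-2025-48384 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.6830826Z Package: git-man
2025-07-22T12:30:48.6831211Z Installed Version: 1:2.39.5-0+deb12u2
2025-07-22T12:30:48.6832039Z Severity: HIGH
2025-07-22T12:30:48.6832362Z Fixed Version:
2025-07-22T12:30:48.6851408Z [Warning] 10. Trivy Warning CVE-2025-48386 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.6854059Z Package: git-man
2025-07-22T12:30:48.6854441Z Installed Version: 1:2.39.5-0+deb12u2
2025-07-22T12:30:48.6855279Z Severity: MEDIUM
2025-07-22T12:30:48.6855618Z Fixed Version:
2025-07-22T12:30:48.7269550Z 79. Trivy Note TEMP-0290435-0B57B5 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.7272677Z Package: tar
2025-07-22T12:30:48.7273054Z Installed Version: 1.34+dfsg-1.2+deb12u1
2025-07-22T12:30:48.7273946Z Severity: LOW
2025-07-22T12:30:48.7274269Z Fixed Version:
2025-07-22T12:30:48.7275845Z 80. Trivy Note CVE-2022-0563 - File: ul-git-backup-job. Line: 1. Column 1.
2025-07-22T12:30:48.7278457Z Package: util-linux-extra
2025-07-22T12:30:48.7278873Z Installed Version: 2.38.1-5+deb12u3
2025-07-22T12:30:48.7279870Z Severity: LOW
2025-07-22T12:30:48.7280333Z Fixed Version:
"""

# Assumed log shape (inferred from the lines quoted in the issue, not an official spec):
#   header: <timestamp>Z [<Level>] <n>. Trivy <Level> <rule> - File: <file>. Line: ...
#           (the "[Level]" prefix is absent for Note-level findings)
#   field:  <timestamp>Z <Key>: <value>
_TS = r"^\S+Z\s+"
HEADER_RE = re.compile(
    _TS + r"(?:\[(?P<level>\w+)\]\s+)?(?P<idx>\d+)\.\s+Trivy\s+\w+\s+"
    r"(?P<rule>\S+)\s+-\s+File:\s+(?P<file>[^.]+)\."
)
FIELD_RE = re.compile(
    _TS + r"(?P<key>Package|Installed Version|Severity|Fixed Version):\s*(?P<value>.*)$"
)


def parse_findings(log_text):
    """Group the flat log lines into one dict per finding."""
    findings = []
    current = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "rule": m.group("rule"),
                "file": m.group("file"),
                "level": m.group("level") or "Note",
            }
            findings.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = m.group("key").lower().replace(" ", "_")
            current[key] = m.group("value").strip()
    return findings


def rule_kind(rule):
    """Classify the identifier: CVE, Debian TEMP tracker id, or other."""
    if rule.startswith("CVE-"):
        return "CVE"
    if rule.startswith("TEMP-"):
        return "TEMP"
    return "OTHER"


def summarize(findings):
    """Counts by severity and identifier kind, plus rules with no fixed version."""
    return {
        "by_severity": dict(Counter(f.get("severity", "UNKNOWN") for f in findings)),
        "by_kind": dict(Counter(rule_kind(f["rule"]) for f in findings)),
        "unfixed": [f["rule"] for f in findings if not f.get("fixed_version")],
    }


def missing_from_console(findings, console_rules):
    """Findings the pipeline logged but the console does not list (matched by rule id)."""
    console = set(console_rules)
    return [f for f in findings if f["rule"] not in console]


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    print(summarize(found))
    # Constructed: pretend the console listed only the TEMP finding, as described in the issue.
    for f in missing_from_console(found, ["TEMP-0290435-0B57B5"]):
        print(f"not in console: {f['rule']} {f['severity']} {f['package']}")
```

Run it against the full step log saved from the workflow run and against the rule ids exported from the recommendation in Defender; the `missing_from_console` output is the concrete list to attach to a support request, and the `by_kind` split makes a "TEMP only" or "LOW only" pattern visible at a glance rather than by reading the raw log.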
Hello @alles60, Could you please verify if you can see the missing findings listed under 'GitHub repositories should have dependency vulnerability scanning findings resolved' section in Defender console?
In DevOps Security in defender, select the repository and under Resource Health search for that recommendation type.
The findings don't appear in that category either. I do have some findings regarding dependencies in that recommendation, but there's nothing that Trivy showed me. I can only see alerts regarding vulnerable packages.
Hello, Thank you for your patience while we investigated the issue.
We’ve confirmed that Trivy is currently configured to process only dependency findings. This means that code findings are not part of the current scope, which explains why they’re not appearing in the portal.
This behavior is expected based on the current setup, and no additional configuration is needed on your end. You can use the Code Quality tools that MSDO supports from the MSDO Docs https://github.com/microsoft/security-devops-action#tools
Please let us know if you have any further questions or if there’s anything else we can assist you with.
@alles60 I'm the product manager for this GH Action & our CLI. Can you send me an email at [email protected] so I can follow up with you directly?
Thanks! James