SQL vulnerability assessment helps you identify database vulnerabilities
Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics

SQL vulnerability assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security. Vulnerability assessment is part of the Microsoft Defender for SQL offering, a unified package for advanced SQL security capabilities. Vulnerability assessment can be accessed and managed from the central Microsoft Defender for SQL portal.

Note
Vulnerability assessment is supported for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. In the remainder of this article, databases in Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics are referred to collectively as databases, and the server refers to the server that hosts databases for Azure SQL Database and Azure Synapse.

What is SQL vulnerability assessment?

SQL vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. It can help you monitor a dynamic database environment where changes are difficult to track, and improve your SQL security posture.

Vulnerability assessment is a scanning service built into Azure SQL Database. The service employs a knowledge base of rules that flag security vulnerabilities. It highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions.
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. You can customize an assessment report for your environment by setting an acceptable baseline for:
Configure vulnerability assessment

Take the following steps to configure the vulnerability assessment:
Note
The scan is lightweight and safe. It takes a few seconds to run and is entirely read-only. It doesn't make any changes to your database.

When a vulnerability scan completes, the report is displayed in the Azure portal. The report presents:
To remediate the vulnerabilities discovered:
Your vulnerability assessment scans can now be used to ensure that your database maintains a high level of security, and that your organizational policies are met.

Advanced capabilities

View scan history

Select Scan History in the vulnerability assessment pane to view a history of all scans previously run on this database. Select a particular scan in the list to view the detailed results of that scan.

Disable specific findings from Microsoft Defender for Cloud (preview)

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise. When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios may include:
Important
To create a rule:
Manage vulnerability assessments programmatically

Using Resource Manager templates

To configure vulnerability assessment baselines by using Azure Resource Manager templates, use the Ensure that you have enabled Here's an example for defining Baseline Rule VA2065 to
For
To handle Boolean types as true/false, set the baseline result with binary input like "1"/"0".
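The following template is an added example written for this page; it is not the article's own template. It sets two vulnerability assessment baselines on one database: a server-level rule (VA2065, firewall rules), whose baseline is attached to the master database and whose accepted rows are constructed firewall entries using documentation IP ranges, and a database-level rule whose Boolean result is accepted as the string "1" rather than true/false, as the note above requires. The resource type and apiVersion are assumed from the Microsoft.Sql Resource Manager schema, the parameter names are placeholders, and VA1143 is used only as an illustrative rule ID (an assumption; confirm the result columns of any rule you baseline against your own scan report). It also assumes that vulnerability assessment is already enabled on the database, so the parent vulnerabilityAssessments resource named default exists and no dependsOn is needed.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "server_name": {
      "type": "string",
      "metadata": {
        "description": "Hypothetical placeholder: the logical SQL server that hosts the database."
      }
    },
    "database_name": {
      "type": "string",
      "metadata": {
        "description": "Hypothetical placeholder: the database whose vulnerability assessment baselines are being set."
      }
    }
  },
  "resources": [
    {
      "comments": "Added example, not from the original article. VA2065 is a server-level check, so its baseline is attached to the master database: the final segment of the resource name is 'master'. Each 'result' entry mirrors one row the rule reports (firewall rule name, start IP, end IP). The rule names and IPs are constructed sample values. Resource type and apiVersion are assumed from the Microsoft.Sql ARM schema.",
      "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
      "apiVersion": "2021-11-01",
      "name": "[concat(parameters('server_name'), '/', parameters('database_name'), '/default/VA2065/master')]",
      "properties": {
        "baselineResults": [
          {
            "result": [ "AllowOfficeEgress", "203.0.113.10", "203.0.113.10" ]
          },
          {
            "result": [ "AllowBuildAgents", "198.51.100.20", "198.51.100.29" ]
          }
        ]
      }
    },
    {
      "comments": "Added example. A database-level rule is baselined under 'default' rather than 'master'. The rule's result is Boolean, so the accepted value is the single string \"1\" (true), not a JSON true/false literal. VA1143 is an illustrative rule ID only (an assumption); verify the result columns in your own scan report before deploying.",
      "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
      "apiVersion": "2021-11-01",
      "name": "[concat(parameters('server_name'), '/', parameters('database_name'), '/default/VA1143/default')]",
      "properties": {
        "baselineResults": [
          {
            "result": [ "1" ]
          }
        ]
      }
    }
  ]
}
```

Deploy it against the resource group that holds the server, for example with az deployment group create --resource-group <rg> --template-file baseline.json --parameters server_name=<server> database_name=<db>. Because a baseline tells the scanner that the listed rows are acceptable, any firewall rule not present in the VA2065 result set is still reported; keep the list to the minimum your environment actually needs, and review it whenever firewall rules change, or the baseline quietly turns into an allowlist for whatever was deployed at the time.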
Permissions

One of the following permissions is required to see vulnerability assessment results in the Microsoft Defender for Cloud recommendation SQL databases should have vulnerability findings resolved:
The following permissions are required to change vulnerability assessment settings:
The following permissions are required to open links in email notifications about scan results or to view scan results at the resource-level:
Data residency

SQL Vulnerability Assessment queries the SQL server using publicly available queries under Defender for Cloud recommendations for SQL Vulnerability Assessment, and stores the query results. The data is stored in the configured user-owned storage account. SQL Vulnerability Assessment allows you to specify the region where your data will be stored by choosing the location of the storage account. The user is responsible for the security and data resiliency of the storage account.

Next steps