I am currently working on a POC for checking vulnerabilities in existing container images stored in Azure Container Registries (Microsoft Defender for Cloud enabled). While the integrated Azure "Microsoft Defender Vulnerability Management" solution finds only 41, Trivy identifies 224 vulnerabilities for the exact same image. For basically every image in my ACR, there is a huge difference in findings between the two scan solutions. There are some overlaps in terms of CVEs found with the same severity, but it seems that Trivy is just scanning for many more CVEs and has more databases available.
I couldn't find out whether both scans use different CVE database sources. Does anybody know, or have resources to dive a little bit deeper?
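Before attributing the gap to database sources, it helps to diff the two result sets CVE by CVE: Trivy reports one entry per (package, CVE) pair, so its headline count is not a count of distinct CVEs, and the CVEs only one side reports can be broken down by where they come from (OS packages versus language packages, fixed versus unfixed) and by severity disagreement. The script below is an added example, not code from the question or from either vendor. The Trivy side uses the field names of `trivy image --format json` (SchemaVersion 2); the Defender side is an assumption: a list of (CVE, severity, package) tuples that you export yourself, since the real export format is not modelled here. Both inputs are constructed samples.

```python
"""Diff a Trivy JSON report against a list of Defender for Cloud findings."""
import json
from collections import Counter

# Constructed sample in the shape of `trivy image --format json IMAGE`
# (SchemaVersion 2). Image name, packages and CVE IDs are made up.
TRIVY_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.azurecr.io/app:1.0",
    "Results": [
        {
            "Target": "example.azurecr.io/app:1.0 (debian 11.6)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1n-0+deb11u3", "FixedVersion": "1.1.1n-0+deb11u4",
                 "Severity": "HIGH"},
                # Same CVE, second package: Trivy counts this as a second entry.
                {"VulnerabilityID": "CVE-2023-0001", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1n-0+deb11u3", "FixedVersion": "1.1.1n-0+deb11u4",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2023-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.31-13+deb11u5", "FixedVersion": "",
                 "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-2023-0003", "PkgName": "curl",
                 "InstalledVersion": "7.74.0-1.3+deb11u5", "FixedVersion": "7.74.0-1.3+deb11u7",
                 "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-0004", "PkgName": "requests",
                 "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0",
                 "Severity": "MEDIUM"},
            ],
        },
    ],
})

# Constructed sample of the Defender side as (cve, severity, package) tuples.
# Assumption: you export these yourself (portal, CLI or Resource Graph); the
# real export schema is not modelled here.
DEFENDER_FINDINGS = [
    ("CVE-2023-0001", "High", "openssl"),
    ("CVE-2023-0003", "High", "curl"),
    ("CVE-2023-0005", "Medium", "zlib1g"),
]


def parse_trivy(report_json):
    """Collapse Trivy's per-package entries into one record per CVE.

    Returns (records, entry_count) so the raw entry count and the number of
    distinct CVEs can be compared.
    """
    records = {}
    entries = 0
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            entries += 1
            rec = records.setdefault(v["VulnerabilityID"], {
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "packages": set(), "classes": set(), "fixed": False})
            rec["packages"].add(v["PkgName"])
            rec["classes"].add(result.get("Class", "unknown"))
            rec["fixed"] = rec["fixed"] or bool(v.get("FixedVersion"))
    return records, entries


def parse_defender(findings):
    """Normalise the Defender tuples to the same {cve: record} shape."""
    records = {}
    for cve, severity, package in findings:
        rec = records.setdefault(cve.upper(), {"severity": severity.upper(), "packages": set()})
        rec["packages"].add(package)
    return records


def compare(trivy_json, defender_findings):
    """Return the sets worth looking at when two scanners disagree."""
    trivy, entries = parse_trivy(trivy_json)
    defender = parse_defender(defender_findings)
    common = set(trivy) & set(defender)
    trivy_only = set(trivy) - set(defender)
    return {
        "trivy_entries": entries,
        "trivy_unique_cves": len(trivy),
        "common": sorted(common),
        "trivy_only": sorted(trivy_only),
        "defender_only": sorted(set(defender) - set(trivy)),
        "severity_mismatch": sorted(c for c in common
                                    if trivy[c]["severity"] != defender[c]["severity"]),
        # Where do Trivy's extra findings come from: OS or language packages, fixed or not?
        "trivy_only_by_class": dict(Counter(cls for c in trivy_only for cls in trivy[c]["classes"])),
        "trivy_only_unfixed": sorted(c for c in trivy_only if not trivy[c]["fixed"]),
    }


if __name__ == "__main__":
    for key, value in compare(TRIVY_REPORT, DEFENDER_FINDINGS).items():
        print(f"{key}: {value}")
```

To run it against a real image, replace `TRIVY_REPORT` with the file written by `trivy image --format json --output report.json IMAGE` and `DEFENDER_FINDINGS` with your own export. The `trivy_only_by_class` and `trivy_only_unfixed` buckets are usually the quickest way to see whether the extra findings are language-package CVEs, unfixed distro CVEs, or genuinely different database coverage.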