ACR EE Enhanced Scan Engine Free for a limited time

Recently, high-risk vulnerabilities such as Spring vulnerabilities have occurred frequently. In order to help users better discover and reduce the security risks in the image and reduce the potential security risks in the production environment, during the period from 00:00 on April 1, 2022 to 24:00 on April 30, 2022, Alibaba Cloud Container Image Service Enterprise Edition (ACR EE) supports a free trial experience of the cloud security scanning engine, It supports 10000 scanning quotas for different image versions (differentiated by image Digest, the same Digest is not limited to scanning). If your current Enterprise instance is not enabled by default, you can apply for a work order. The scanning engine is provided by ACR EE in deep cooperation with cloud security. It fully supports scanning system vulnerabilities, application vulnerabilities, baseline checks, and malicious samples in the container image, and provides continuous risk detection and automatic repair capabilities.

Importance of container safety

With the continuous improvement of cloud access rate of enterprises, more and more enterprises choose to use container architecture in production environment. According to the report released by CNCF in 2020 [1], the proportion of enterprises applying containers in production increased from 84% last year to 92% in 2021. Gartner predicts that [2] 95% of enterprises will be based on cloud native platforms in 2025. According to iResearch's China Container Cloud Market Research Report, 84.7% [3] (43.9% have been used and 40.8% plan to use) of Chinese enterprises have used or plan to use containers in 2020. Similarly, the endogenous security of software development will become an important indicator to evaluate the maturity level of enterprise DevOps. Among the teams that have practiced DevOps, 48% [4] most value the security feature.

However, due to the agility, high density deployment and open reuse of container applications, users have great security concerns while enjoying cloud native dividends. Tripwire conducted a survey of 311 IT security professionals in 2019, and found that 60% of organizations have experienced container security accidents [5]. Whether Kubernetes cluster is invaded or Docker Hub is frequently exploded with images containing vulnerabilities and malicious programs, more and more enterprises have begun to pay attention to the best practices of container security.

Container Mirroring Service Enterprise Edition

The Container Image Service Enterprise Edition (ACR EE for short) is an enterprise-level cloud native application product management platform that provides secure hosting and efficient distribution of OCI products such as container image and Helm Chart. In the DevSecOps scenario, enterprise customers can use the ACR cloud native application delivery chain to achieve efficient and safe cloud native application delivery and accelerate the innovation iteration of enterprises. In the scenarios of global multi-regional cooperation, business going to sea and GoChina, corporate customers can use the global synchronization capability, and combine with the global unified domain name to achieve the nearest pull, so as to improve the efficiency of distribution, operation and maintenance. In large-scale distribution and AI large image training and reasoning scenarios, enterprises can use ACR P2P distribution or on-demand distribution capabilities to further improve the efficiency of deployment iterations. For specific information, see the product introduction

Introduction to Enhanced Scan Engine

The enhanced scanning engine is provided by ACR EE and the Cloud Security Center in deep cooperation. Compared with the current popular open source scanning engine version (Clair, etc.), the scanning capability provides more accurate vulnerability screening capability (all vulnerabilities are safely operated by professional teams to ensure effectiveness and significantly reduce the false alarm rate). At the same time, ACR EE provides the capability of batch scanning and automatic scanning, supports the scanning range of different granularity of namespace and warehouse, and can provide automatic and large-scale scanning support for different scene demands. In addition, ACR EE provides event notification capability and supports integration with the customer's existing DevOps process. At present, the scanning risk types supported by the scanning engine are as follows:

• System vulnerability: support vulnerability identification of common mainstream operating systems and one-click repair. For example, Linux kernel vulnerabilities, insecure system software packages, insecure Java SDK, etc.

• Application vulnerability: provides the image application vulnerability scanning function to scan the vulnerability on the container related middleware for you, and supports the detection of system service weak password, system service vulnerability, and application service vulnerability. For example, fastjson remote code execution vulnerability, Apache Log4j2 remote code execution vulnerability, Spring Framework remote code execution vulnerability, Apache Hadoop information disclosure vulnerability, Apache Tomcat information disclosure vulnerability, etc.

• Baseline check: provides the image security baseline check function, scans the baseline security risks existing in the container assets for you, supports the weak password, account permissions, identity authentication, password policy, access control, security audit, intrusion prevention and other security configurations of the operating system and services (databases, server software, containers, etc.), and provides the detection results, and gives reinforcement suggestions for the existing risk configurations. For example, access key disclosure, unauthorized access, service configuration, etc.

• Malicious samples: provide the detection capability of container malicious samples, show you the container security threats existing in the assets, help you find the location of the malicious samples, facilitate you to repair the malicious samples according to the location, and significantly reduce the security risk of using the container. For example, the discovery of web shell files, self-mutating trojans, backdoor programs, etc.

How to enable the enhanced scanning engine

1. On the Enterprise Edition instance management page, select Security and Trust>Image Scan, and click the switch button in the upper right corner to switch the scan engine to the cloud security scan engine. As shown in the figure below:

2. Create scanning rules on the image scanning page. Currently, automatic scanning of namespace and warehouse level scanning rules is supported. You can also choose to manually trigger the scan to identify the full risk of the stock image under the rule range. It is recommended that you configure the scan event notification to synchronize the scan results by stapling, HTTP or HTTPS after the image scan is completed.

3. After creating the scanning rule, click Scan Now to view the scanning task status and the final risk status.

4. Click to view the details and confirm the security risk of container image from multiple dimensions of system vulnerability, application vulnerability, baseline check and malicious sample. As shown in the figure below, we can see that the recent high-risk vulnerabilities such as Spring included in the image have been analyzed and identified.

5. The nailing robot configured at the same time also receives the corresponding notification alarm (also supports HTTP/HTTPS and other methods for notification)

Cloud native application delivery chain helps enterprises practice DevSecOps

ACR EE not only supports the in-depth risk identification and repair of container images, but also provides the ability of cloud native application delivery chain, and supports flexible security policies to ensure that products are delivered online more safely and efficiently. At the same time, all links in the cloud native application delivery chain can also be integrated and used by your CI/CD processes (such as Jenkins Pipeline, GitLab Runner, etc.).

1. Upgrade the enterprise version instance specification to the advanced version. On the instance overview page, click Cloud Native Delivery Chain>Delivery Chain, and then click Create Delivery Chain. In the security scan node, when a high-risk vulnerability occurs, block the subsequent delivery of the container image, and optionally delete the original risk image or backup.

2. Within the scope of the delivery chain, automatically push a container image with high risk, which will automatically trigger the security scan and execute the security policy to block the deployment of the risk image.

3. If there is a system vulnerability in the image, you can perform one-click repair after the delivery chain is blocked

• The delivery chain is blocked

• Check all risk items and click one button to repair

• Wait for the image repair to complete. After the default repair, the tag will be built to_ The new image at the end of fixed and re-trigger the delivery chain execution

• It can be observed that the repaired image has no previous vulnerabilities after security scanning, and the delivery chain has been successfully completed. At the same time, the risk status comparison between the original image and the repaired image can also be seen on the image version page