Security Center can detect vulnerabilities in container images. This helps you detect container escapes and malicious images, and helps ensure the security and reliability of container images. This topic describes how to check information about container image vulnerabilities and manage these vulnerabilities.

Check information about vulnerabilities

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Container Image Vul tab.
  4. On the Container Image Vul tab, you can view the information about vulnerabilities detected in container images. The name of a vulnerability typically starts with USN, RHSA, or CVE.
    • View vulnerability updates
    • View the severity of vulnerabilities
      The severity of vulnerabilities is displayed in different colors. The severity number represents the priority with which a vulnerability should be fixed.
      • Red represents High severity.
      • Orange represents Medium severity.
      • Gray represents Low severity.
      Note We recommend that you fix high severity vulnerabilities immediately.
    • Search for vulnerabilities

      On the Container Image Vul tab, you can also filter vulnerabilities by severity (high, medium, and low) or library. Alternatively, you can search for specific vulnerabilities by vulnerability name or CVE ID.

      Note Library and vulnerability names support fuzzy match.

View vulnerability details

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Container Image Vul tab.
  4. In the vulnerability list, find the target vulnerability. You can click the Vulnerability Name, the number in the Affected Images column, or View in the Actions column to open the details page, which displays the details of the vulnerability.
    The details page displays the images exposed to the vulnerability, image address, image version, and vulnerability status.
  5. You can perform the following operations on this page.
    • View vulnerability details in the Alibaba Cloud vulnerability library
      You can click the CVE ID to go to the Alibaba Cloud vulnerability library.

      This library displays detailed information about the vulnerability, including the vulnerability description, basic information, and solutions to fix the vulnerability.

    • View impact descriptions and commands to fix vulnerabilities
      On the details page, click Details to view the impact description and command to fix the vulnerability.
      • Fix Command: Run this command to fix the vulnerability.
      • Impact description:
        • Software: The version of the image.
        • Cause: The reason why the image is exposed to this vulnerability. Typically, the reason is that the current version is outdated.
        • Path: The path of the image on the server.
        • Image Layer: The image layer on which the vulnerability is detected.
      • Caution: Important notes, prevention tips, and links to reference documents about this vulnerability.
      Note Security Center does not support quick fixes of container image vulnerabilities. You need to manually troubleshoot and fix container image vulnerabilities based on the impact description and suggested command. After a vulnerability is fixed, you need to click Scan Now on the Container Image Vul tab to update the status of the vulnerability.