Container Registry can perform a security scan on any Linux-based image, discovering known vulnerabilities in the packages and other dependencies defined in the container image. You receive a vulnerability assessment and recommendations, including specific remediation guidance.

Container Registry provides three methods for scanning. You can manually scan container images with one click, or configure a cloud-native delivery chain to scan images automatically when you push them to a repository. In addition, by combining ACR's image scan OpenAPI with OOS scheduled tasks or an FC Time Trigger, you can set up automated periodic scanning of your container images.

With the cloud-native delivery chain, Container Registry automatically scans new container images after they are pushed. If an image meets the conditions defined in the chain's blocking policy, the system blocks the risky image from being deployed; otherwise, it proceeds with the follow-up steps. A chain with an image security policy ensures that images are safe enough to distribute.

Manual scan

  1. Log on to the Container Registry console.
  2. Select the region.
  3. Click Manage at the right of an image repository to open the repository details page.
  4. Click Image Versions in the left-side navigation pane, then click Security Scan at the right of the image version.
  5. Click Trigger Scan to scan the image with one click.

Automatic scan

  1. Configure the basic information of the chain.
  2. Configure the image security scan and the node blocking rule.
  3. ACR automatically scans new images when they are pushed.
  4. ACR automatically blocks risky images according to the blocking policy of the cloud-native delivery chain.

Periodic scan

  1. Configure an OOS scheduled task that calls ACR's image scan OpenAPI.
  2. ACR then scans your container images periodically.

Result

After an image security scan completes, a vulnerability report is generated as follows. Vulnerabilities are categorized into four levels: High, Medium, Low, and Unknown. The report also gives vulnerability details and the corresponding guidance on how to remediate the specific vulnerabilities found in each image pushed to the registry.
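As an added illustration (not ACR's own code), the following Python evaluates a scan report using the four severity levels above against a blocking policy of the kind described for the cloud-native delivery chain. The report layout, the policy thresholds, the `treat_unknown_as` rule and the sample findings are all assumptions constructed for this example.

```python
"""Evaluate an image vulnerability report against a blocking policy.

Illustrative only: ACR's real report format and policy options are not
reproduced here. The sample findings below are constructed, and the
CVE identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITIES = ("High", "Medium", "Low", "Unknown")


@dataclass
class Finding:
    package: str
    severity: str
    cve_id: str                       # placeholder in the sample data
    fixed_version: Optional[str] = None  # None: no remediation available yet


@dataclass
class BlockingPolicy:
    """Block when findings at a level exceed that level's threshold."""
    max_allowed: Dict[str, int] = field(
        default_factory=lambda: {"High": 0, "Medium": 5})
    # An 'Unknown' rating means the scanner could not grade the issue; it
    # is counted as Medium rather than silently ignored (assumed rule).
    treat_unknown_as: str = "Medium"


def count_by_severity(findings: List[Finding],
                      policy: BlockingPolicy) -> Dict[str, int]:
    counts = {level: 0 for level in SEVERITIES}
    for f in findings:
        sev = f.severity if f.severity in SEVERITIES else "Unknown"
        if sev == "Unknown":
            sev = policy.treat_unknown_as
        counts[sev] += 1
    return counts


def evaluate(findings: List[Finding],
             policy: BlockingPolicy) -> Tuple[bool, List[str]]:
    """Return (blocked, reasons); reasons names each violated threshold."""
    counts = count_by_severity(findings, policy)
    reasons = [f"{lvl}: {counts[lvl]} > {limit}"
               for lvl, limit in policy.max_allowed.items()
               if counts[lvl] > limit]
    return bool(reasons), reasons


# Constructed sample report for one image tag (not a real scan result).
SAMPLE_FINDINGS = [
    Finding("openssl", "High", "CVE-XXXX-0001", "1.1.1k"),
    Finding("curl", "Medium", "CVE-XXXX-0002", "7.79.1"),
    Finding("libfoo", "Unknown", "CVE-XXXX-0003", None),
    Finding("zlib", "Low", "CVE-XXXX-0004", "1.2.12"),
]
```

Running `evaluate(SAMPLE_FINDINGS, BlockingPolicy())` blocks the image because of the single High finding; relaxing `max_allowed["High"]` to 1 lets it through while the Unknown finding still counts toward the Medium budget.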

Currently, all Linux-based images are supported. Images with the following base OS have been tested:

  • Ubuntu Linux: 12.04 or later
  • RedHat Enterprise Linux: 5, 6, and 7
  • CentOS Linux: 5, 6, and 7
  • Oracle Linux: 5, 6, and 7
  • Debian Linux: 7, 8, 9, and 10
  • Alpine Linux: 3.3 or later