Container Registry can scan all Linux-based container images for known vulnerabilities. Container Registry provides you with vulnerability evaluation information and related fix suggestions.

Background information

In a cloud-native delivery chain, Container Registry can automatically scan images that are pushed to the specified image repository. If you set a block rule for a delivery chain, Container Registry identifies the security risks of images and blocks high-risk images. Only images that do not reach the limits specified in the block rule can be distributed and deployed in the subsequent steps of the delivery chain. This ensures the secure delivery and efficient deployment of containerized applications. You can also integrate the security scanning API to perform regular security scans on images.

The time that is taken to scan an image varies with the image size. Generally, it takes less than 3 minutes to scan an image.

Procedure

  1. Log on to the Container Registry console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click Instances.
  4. On the Instances page, click the required Container Registry Enterprise Edition instance.
  5. In the left-side navigation pane, click Tags. Find the image that you want to scan and click Security Scan in the Actions column.
  6. On the Security Scan page, click Trigger Scan.

Result

After the security scan is complete, you can view the details of the vulnerabilities that are detected.

Container Registry categorizes vulnerabilities into four severity levels (High, Medium, Low, and Unknown) and provides summary information about all vulnerabilities that are detected. In addition, Container Registry displays the details of each vulnerability, including the version in which the vulnerability has been fixed.
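
The following added example is not Container Registry code. It sketches how a block rule from the background section could be evaluated over scan results that use the four severity levels and the fixed-version detail described above. The finding field names, the VULN-000x IDs, and the reading that an image is blocked once a count reaches its limit are assumptions made for illustration.

```python
SEVERITIES = ("High", "Medium", "Low", "Unknown")

# Constructed sample findings. The field names are hypothetical and do not
# represent the Container Registry API response format.
SAMPLE_FINDINGS = [
    {"id": "VULN-0001", "package": "openssl", "severity": "High", "fixed_version": "1.1.1w-r0"},
    {"id": "VULN-0002", "package": "zlib", "severity": "medium", "fixed_version": None},
    {"id": "VULN-0003", "package": "curl", "severity": "Medium", "fixed_version": "8.4.0-r0"},
    {"id": "VULN-0004", "package": "busybox", "severity": "Negligible", "fixed_version": None},
    {"id": "VULN-0005", "package": "libxml2", "severity": "Low", "fixed_version": "2.11.5-r0"},
]


def summarize(findings):
    """Count findings per severity; unrecognized labels are counted as Unknown."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for finding in findings:
        label = str(finding.get("severity", "")).strip().capitalize()
        counts[label if label in SEVERITIES else "Unknown"] += 1
    return counts


def evaluate_block_rule(findings, limits):
    """Apply a block rule given as {severity: limit}.

    Assumption: an image is blocked when the count for a severity reaches
    its limit (count >= limit). Severities without a limit are not checked.
    """
    counts = summarize(findings)
    violations = [
        f"{sev}: {counts[sev]} found, limit {limits[sev]}"
        for sev in SEVERITIES
        if sev in limits and counts[sev] >= limits[sev]
    ]
    # Findings that list a fixed version can be remediated by upgrading.
    fixable = sorted(f["id"] for f in findings if f.get("fixed_version"))
    return {"blocked": bool(violations), "counts": counts,
            "violations": violations, "fixable": fixable}


if __name__ == "__main__":
    result = evaluate_block_rule(SAMPLE_FINDINGS, {"High": 1, "Medium": 3})
    print("BLOCKED" if result["blocked"] else "ALLOWED", result["counts"])
    for line in result["violations"]:
        print("  limit reached ->", line)
    print("  fix available for:", ", ".join(result["fixable"]))
```
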