All Products
Search
Document Center

Container Registry:Scan container images

Last Updated:Feb 07, 2024

If you want to identify and fix all known vulnerabilities in an container image, you can scan the image.

Background information

In a cloud-native delivery chain, Container Registry can automatically scan images that are pushed to the specified image repository. If you set a security policy for a delivery chain, Container Registry can identify the security risks of images and block high-risk images. Only images that are allowed by the security policy are distributed and deployed. The delivery chain ensures the secure delivery and efficient deployment of containerized applications. You can also integrate the API operations for image scans into your system to schedule image scans. If you do not use a delivery chain, you can create a scan rule on the Image Scan page. Then, Container Registry automatically scans images that are pushed to the specified image repository. For more information, see Create a scan rule.

The time that is required to scan an image varies based on the image size. Typically, 3 minutes are required to scan an image.

Limits

Trivy scan engine: Due to the limits of Trivy scan engines, we recommend that you set the size of a single layer of an image to no more than 3 GB. Otherwise, the scan may fail. If you want to scan an image layer of larger than 3 GB, we recommend that you use a Security Center scan engine to scan the image.

Scan a single image

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane of the management page of the Enterprise Edition instance, choose Repository > Repositories.

  6. On the Repositories page, find the repository that you want to manage and click Manage in the Actions column.

  7. In the left-side navigation pane, click Tags. Find the image tag that you want to scan and click Security Scan in the Actions column.

  8. On the Security Scan page, click Scan.

    After the image is scanned, you can view the scan results including the details of detected vulnerabilities on the Security Scan page. For more information about vulnerability scan results, see Image scan results.

Scan a group of images at a time

You can use a Trivy scan engine or a Security Center scan engine to scan a group of images at a time.

  • Trivy scan engine: an open source scan engine that can detect system and application vulnerabilities. Trivy scan engines do not allow you to fix system vulnerabilities in a few clicks.

  • Security Center scan engine: a scan engine developed by Alibaba Cloud. The engine can detect system and application vulnerabilities, baseline risks, and malicious samples. Security Center scan engines allow you to fix system vulnerabilities in a few clicks.

    • System vulnerabilities: You can use a Security Center scan engine to scan system vulnerabilities in container images and fix the system vulnerabilities in a few clicks. This ensures secure and reliable container images.

    • Application vulnerabilities: You can use a Security Center scan engine to scan application vulnerabilities in container images and middleware, and locate and fix the application vulnerabilities. This ensures a secure image runtime environment.

    • Baseline risks: You can use a Security Center scan engine to scan baseline risks in container images, and then locate and fix the risks.

    • Malicious samples: You can use a Security Center scan engine to detect malicious samples in containers, evaluate security risks, and then locate and remove the security threats. This way, you can have secure containers.

  1. Configure a virtual private cloud (VPC) for your Container Registry Enterprise Edition instance. For more information, see Configure a VPC ACL.

    Before Container Registry scans a group of images at a time for your Container Registry Enterprise Edition instance, you must configure a VPC for your instance.

    The first time you use Security Center scan engines, you need to access Security Center. You are prompted to create an AliyunServiceRoleForSas service-linked role.

    Note

    If you have configured a VPC for your Container Registry Enterprise Edition instance, skip this step.

  2. Log on to the Container Registry console.

  3. In the top navigation bar, select a region.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Security and Trust > Image Scanning.

  6. Select a scan engine.

    • If you want to use a Trivy Scan Engine, take note of the following items:

      • If you have not purchased a Security Center scan engine, Trivy Scan Engine is automatically displayed in the upper-right corner of the Image Scanning page.

      • If you have purchased the image scanning service provided by Security Center, Security Center Scan Engine is automatically displayed in the upper-right corner of the Image Scanning page. Choose Switch > Trivy Scan Engine to the right of Security Center Scan Engine, and then click OK in the Tips message.

    • If you want to use a Security Center scan engine, take note of the following items:

      If you have purchased a Security Center scan engine, the Security Center scan engine is automatically displayed on the Image Scanning page. You do not need to perform other operations. If you have not purchased a Security Center scan engine, you must perform the following operations:

      1. Grant Security Center the permissions to call API operations provided by Container Registry.

        1. Click here to go to the Cloud Resource Access Authorization page.

        2. On the Cloud Resource Access Authorization page, click Agree to Authorization.

      2. In the Scan Information section of the Image Scanning page, click Upgrade Security Center Scan Engine Now.

      3. Set the Security Scan parameter to Security Center Scan Engine, select Container Registry Terms of Service, set other parameters based on your requirements, click Buy Now, and then pay for the order.

        Return to the Image Scanning page. In the upper-right corner of the page, Security Center Scan Engine is automatically displayed.

        Note

        If you want to enable the image replication feature after you purchase the Security Center scan engine, click Settings in the Scan Information section on the Image Scanning page, select Sync in the Tips dialog box, and then click OK. After you enable the image replication feature, Container Registry automatically sends notifications to Security Center in the events that instances are deleted, images are pushed or pulled, and image repositories are deleted.

  7. Create a scan rule.

    1. In the Scan Rules section of the Image Scanning page, click Create Rule.

    2. In the Scan Rules step of the Create Rule wizard, enter a value for the Rule Name parameter, set Scope, and then click Next.

      You can configure the engine to scan images by namespace or repository:

      • Scan by namespace: Set the Scope parameter to namespace and enter a regular rule for image tag filter.

      • Scan by repository: Set the Scope parameter to Repository. Select a namespace from the Namespace drop-down list and a repository from the Repository drop-down list, and enter a regular rule for image tag filter.

    3. Optional: In the Event Notification step, configure a notification method.

      You can select DingTalk, HTTP, or HTTPS as the notification method.

      • Send notifications by DingTalk: Set Notification Method to DingTalk and enter the webhook URL and secret token of the DingTalk chatbot.

      • Send notifications by HTTP: Set Notification Method to HTTP and enter the HTTP URL.

      • Send notifications by HTTPS: Set Notification Method to HTTPS and enter the HTTPS URL.

      After the images are scanned, Container Registry sends a notification by using the DingTalk, HTTP, or HTTPS method.

    4. Click Create.

  8. Manually scan images.

    Note

    After a scan rule is created, you can manually scan images or configure Container Registry to automatically scan images. In automatic scan mode, Container Registry automatically scans images at the earliest opportunity after an image is built or pushed to the specified repository.

    1. On the Image Scanning page, find the scan rule and click Scan in the Actions column.

    2. In the message that appears, click OK.

      In the Task List section of the Image Scanning page, if Completed is displayed in the Status column of the task, the image is scanned.

  9. View the scan results.

    1. In the Task List section of the Image Scanning page, find the scan task for which you want to view scan result and click View Task in the Actions column.

    2. On the Task Details page, click View Details in the Actions column.

      You can view the scan results including the details of detected vulnerabilities on the Security Scan page.

      Note

      If you configure multiple images in the scan rule, multiple scan tasks are displayed on the Task Details page. You can view the image scan results of each task.

Image scan results

View the scan results of the Trivy scan engine

On the Security Scan page, you can view the detected system and application vulnerabilities. By default, the scan results are sorted based on the following vulnerability levels: Unknown, Low, Medium, and High.单个扫描

Note

Due to the restrictions of the Trivy scan engine, only the locations of some system and application vulnerabilities can be identified.

View the scan results of the Security Center scan engine

To view the detected vulnerabilities, click the System Vulnerabilities, Application Vulnerabilities, Baseline Risks, or Malicious Samples tab on the Security Scan page. By default, the scan results are sorted based on the following vulnerability levels: Unknown, Low, Medium, and High.

云安全扫描结果

Fix system vulnerabilities

If you are using a Security Center scan engine to scan images, you can fix system vulnerabilities in a few clicks. Perform the following operations:

On the Security Scan page, find the vulnerability that you want to fix and click Fix in the lower part of the page. In the Fix dialog box, set whether the fixed image overwrites the original image and click Fix Now.

After 10 minutes, click the 返回 icon in the upper-left corner on the Security Scan page. On the Tags page, if an image whose name ends with the _fixd suffix is displayed, the image is fixed.

Note

After the image is fixed, the _fixd suffix is appended to the origin name of the image.

References

For information about how to query the scan status of an image tag by calling an API operation, see GetRepoTagScanStatus.