Security Center provides the image security scanning feature to detect image system
vulnerabilities, image application vulnerabilities, and malicious image samples. This
allows you to view risks in your container assets and reinforces the security of your
assets. This topic describes how to view image system vulnerabilities, image application
vulnerabilities, and malicious image samples in your assets.
Background information
The image security scanning feature is in public preview. This feature is free for
all users of the Security Center Enterprise edition. Users of the Security Center
Enterprise edition are not required to enable or apply for this feature.
You can use one of the following methods to perform image security scanning:
- Scan now: If you want to immediately start an image security scanning task, click Scan now on the Image Security page.
- Periodic scan: If you want to scan your images periodically, you can configure the time period
and interval at which images are scanned. Security Center then periodically
scans your images to detect security issues based on your configurations. For more
information, see Configure image vulnerability scanning.
The following table describes the features provided by image security scanning.

| Item | Detection | Fix | Remarks |
| --- | --- | --- | --- |
| Image system vulnerabilities | Supported | Not supported | We recommend that you promptly fix image system vulnerabilities based on the fixing commands and descriptions provided by Security Center. |
| Image application vulnerabilities | Supported | Not supported | We recommend that you promptly fix image application vulnerabilities based on the fixing commands and descriptions provided by Security Center. |
| Malicious image samples | Supported | Not supported | We recommend that you promptly fix malicious image samples based on the fixing commands and descriptions provided by Security Center. |
Supported regions
Only the Container Registry instances of the Enterprise edition in the following regions
support the image security scanning feature: China (Hangzhou), China (Shanghai), China
(Beijing), China (Shenzhen), and Singapore (Singapore).
View image vulnerabilities and malicious samples
On the Image Security page, you can view detected image system vulnerabilities, image application vulnerabilities, and malicious image samples.
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- Optional: On the Image Security page, click Scan now.
Perform this step if you want to view the latest scan results rather than those of the last scanning task. The scan takes
about one minute to complete. After the scan is complete, refresh
the page to view the results.
- On the Image System Vul tab, view the detected image system vulnerabilities.
You can perform the following operations:
- View vulnerabilities
View the vulnerability names, vulnerability characteristics, number of affected images,
and last scan time.
- View vulnerability priorities
The priorities of vulnerabilities are displayed in different colors in the Affected
Assets column. The number in each row of this column indicates the total number of
assets affected by the vulnerability.
- Red: High
- Orange: Medium
- Gray: Low

Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
- Filter vulnerabilities
On the Image System Vul tab, filter vulnerabilities by vulnerability priority (high, medium, or low), instance
ID, repository name, namespace, digest, or vulnerability name.
Note You can search for vulnerabilities by repository or vulnerability name. Fuzzy match
is supported.
- View vulnerability details
Find the vulnerability that you want to view and click View in the Operation column.
On the page that appears, perform the following operations as needed:
- View details of the Alibaba Cloud vulnerability library
Click the CVE ID to go to the Alibaba Cloud vulnerability library.
On the page that appears, view details about the vulnerability, including the vulnerability
description, basic information, and solution.
- View fixing commands and impact descriptions
Click Details to view fixing commands and impact descriptions.
- Fix Command: the fixing command.
- Impact description:
- Software: the image version.
- Cause: the reason why the image is exposed to this vulnerability. In most cases, the reason
is that the current version is outdated.
- Path: the path of the image on the server.
- Image Layer: the image layer on which the vulnerability is detected.
- Caution: important notes, prevention tips, and references for the vulnerability.
Note Security Center does not support quick fixing of image system vulnerabilities. You
can manually detect and fix the vulnerabilities based on the fixing commands and impact
descriptions. After you fix an image system vulnerability, click Scan now on the Image Security page to update the vulnerability status on the Image System Vul tab.
- Click the Image Application Vul tab.
- On the Image Application Vul tab, view the detected image application vulnerabilities.
You can perform the following operations:
- View vulnerability announcements
You can view vulnerability names, vulnerability characteristics, number of affected
images, and last scan time.
- View vulnerability priorities
The priorities of vulnerabilities are displayed in different colors in the Affected
Assets column. The number in each row of this column indicates the total number of
assets affected by the vulnerability.
- Red: High
- Orange: Medium
- Gray: Low
Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
- Filter vulnerabilities
On the Image Application Vul tab, filter vulnerabilities by vulnerability priority (high, medium, or low), instance
ID, repository name, namespace, digest, or vulnerability name.
Note You can search for vulnerabilities by repository or vulnerability name. Fuzzy match
is supported.
- View vulnerability details
Find the vulnerability that you want to view and click View in the Operation column.
On the page that appears, perform the following operations as needed:
- View details of the Alibaba Cloud vulnerability library
Click the CVE ID to go to the Alibaba Cloud vulnerability library.
On the page that appears, view details about the vulnerability, including the vulnerability
description, basic information, and solution.
- View fixing commands and impact descriptions
Click Details to view fixing commands and impact descriptions.
- Fix Command: the fixing command.
- Impact description:
- Software: the image version.
- Cause: the reason why the image is exposed to this vulnerability. In most cases, the reason
is that the current version is outdated.
- Path: the path of the image on the server.
- Image Layer: the image layer on which the vulnerability is detected.
- Caution: important notes, prevention tips, and references for the vulnerability.
- Click the Mirror Malicious Sample tab.
- On the Mirror Malicious Sample tab, perform the following operations as needed:
- Filter malicious image samples
In the upper-right corner of the malicious image sample list, select Urgent, Warning, or Notice.
Then, search for malicious samples by instance ID, repository name, namespace, digest,
or malicious sample name.
- View malicious image samples
In the list of malicious image samples, you can view sample names, number of affected
images, first scan time, last scan time, and processing status.
- View the details of a malicious image sample
Find the malicious sample that you want to view and click View in the Operation column to view the details.
Note A malicious image sample may intrude into your server by changing the memory properties
from readable and writable to readable and executable, or by modifying the network
proxy settings. This may greatly affect your server. We recommend that you handle
the malicious image samples in a timely manner.
Configure image vulnerability scanning
In the upper-right corner of the Image Security page, click Settings. In the
Scan Configurations dialog box, select a scan cycle and click OK. You can specify
the scan cycle and time period based on your needs.
- You can select 3 Days, One week, Two weeks, or Stop for Scan cycle.
- You can select 00:00-24:00, 00:00-06:00, 06:00-12:00, 12:00-18:00, or 18:00-24:00 for the time period.
Note Security Center starts an image security scanning task at any point during the
specified time period. If you select 00:00-24:00, Security Center may scan your images at any time of the day.