Security Center provides the image security scan feature to detect image system vulnerabilities, image application vulnerabilities, and malicious image samples. This allows you to view the risks in your container assets and reinforces the security of your assets. This topic describes how to view image system vulnerabilities, image application vulnerabilities, and malicious image samples in your assets.

Prerequisites

Background information

The image security scan feature is in public preview. If you are using the Enterprise edition, you can use this feature free of charge without application or activation.
Note The Enterprise edition of Container Registry supports image security scans in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), and Singapore (Singapore).
Security Center supports the following image security items.
  Image security item: Image system vulnerability
    Detection: Detection only
    Repair: Not supported
    Remarks: We recommend that you fix image system vulnerabilities in a timely manner by using the fixing commands and impact descriptions that Security Center provides.

  Image security item: Image application vulnerability
    Detection: Detection only
    Repair: Not supported
    Remarks: We recommend that you fix image application vulnerabilities in a timely manner by using the fixing commands and impact descriptions that Security Center provides.

  Image security item: Malicious image sample
    Detection: Detection only
    Repair: Not supported
    Remarks: We recommend that you handle malicious file samples in a timely manner based on the information that Security Center provides, which includes the path of the malicious file.

Procedure

On the Image Security page, you can view detected image system vulnerabilities, image application vulnerabilities, and malicious image samples.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Image Security.
  3. Optional: On the Image Security page, click Scan now.
    To view the results of the latest image security scan, perform this step. The scan requires about 1 minute. After the scan is complete, you can refresh the current page to view the results.
  4. On the Image System Vul tab, you can view the detected image system vulnerabilities.
    You can perform the following operations:
    • View vulnerabilities

      You can view the name, characteristics, number of affected images, and latest scan time of each vulnerability.

    • View vulnerability priorities
      The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability.
      • Red: High
      • Orange: Medium
      • Gray: Low
      [Figure: The priority of a vulnerability detected in container images]
      Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
    • Filter vulnerabilities

      On the Image System Vul tab, you can filter vulnerabilities based on a vulnerability priority (high, medium, or low), instance ID, repository name, namespace, digest, or vulnerability name.

      Note You can search vulnerabilities based on a repository name or vulnerability name. Fuzzy match is supported.
    • View vulnerability details
      Find the vulnerability whose details you want to view and click View in the Operation column. On the details page that appears, you can perform the following operations:
      • View details of the Alibaba Cloud vulnerability library
        You can click the CVE ID to go to the Alibaba Cloud vulnerability library.

        On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.

      • View fixing commands and impact descriptions of image system vulnerabilities
        Click Details to view the impact description and fixing command of the image system vulnerability.
        • Fix Command: the fixing command.
        • Impact description:
          • Software: the image version.
          • Cause: the reason why the image is exposed to this vulnerability. In most cases, the reason is that the current version is outdated.
          • Path: the path of the image on the server.
          • Image Layer: the image layer on which the vulnerability is detected.
        • Caution: important notes, prevention tips, and references for the vulnerability.
        Note Security Center does not support quick fixes of image system vulnerabilities. You can manually troubleshoot and fix the vulnerabilities based on the impact descriptions and fixing commands. After you fix an image system vulnerability, you can click Scan now on the Image Security page to update the vulnerability status on the Image System Vul tab.
  5. Click the Image Application Vul tab.
  6. On the Image Application Vul tab, view the detected image application vulnerabilities.
    You can perform the following operations:
    • View vulnerability announcements

      You can view the name, characteristics, number of affected images, and latest scan time of each vulnerability.

    • View vulnerability priorities
      The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability.
      • Red: High
      • Orange: Medium
      • Gray: Low
      Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
    • Filter vulnerabilities

      On the Image Application Vul tab, you can filter vulnerabilities based on a vulnerability priority (high, medium, or low), instance ID, repository name, namespace, digest, or vulnerability name.

      Note You can search vulnerabilities based on a repository name or vulnerability name. Fuzzy match is supported.
    • View vulnerability details
      Find the vulnerability whose details you want to view and click View in the Operation column. On the details page that appears, you can perform the following operations:
      • View details of the Alibaba Cloud vulnerability library

        You can click the CVE ID to go to the Alibaba Cloud vulnerability library.

        On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.

      • View impact descriptions and fixing commands

        Click Details to view the impact description and fixing command.

        • Fix Command: the fixing command.
        • Impact description:
          • Software: the image version.
          • Cause: the reason why the image is exposed to this vulnerability. In most cases, the reason is that the current version is outdated.
          • Path: the path of the image on the server.
          • Image Layer: the image layer on which the vulnerability is detected.
        • Caution: important notes, prevention tips, and references for the vulnerability.
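As an added example that is not part of this topic or of Security Center: a small Python triage helper over findings shaped after the detail fields listed above (priority, number of affected images, Software, Path, Image Layer, Fix Command). Because Security Center only detects and does not repair, it groups findings by Image Layer so that each layer rebuild is planned once, ordered by worst priority; all vulnerability names, layer IDs and fix commands are constructed placeholders.

```python
from collections import defaultdict

# Priority order as shown on the Image System Vul and Image Application Vul tabs
# (red = High, orange = Medium, gray = Low).
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# Constructed sample findings, shaped after the fields the console shows:
# vulnerability name, priority, number of affected images, Software, Path,
# Image Layer and Fix Command. Names, layer IDs and commands are placeholders.
SAMPLE_FINDINGS = [
    {"name": "VULN-A", "priority": "High", "affected": 3, "software": "libfoo 1.0",
     "path": "/usr/lib/libfoo.so", "layer": "layer-base", "fix": "upgrade libfoo"},
    {"name": "VULN-B", "priority": "Low", "affected": 1, "software": "tool 2.1",
     "path": "/usr/bin/tool", "layer": "layer-app", "fix": "upgrade tool"},
    {"name": "VULN-C", "priority": "Medium", "affected": 3, "software": "libbar 0.9",
     "path": "/usr/lib/libbar.so", "layer": "layer-base", "fix": "upgrade libbar"},
    {"name": "VULN-D", "priority": "High", "affected": 5, "software": "runtime 3.2",
     "path": "/opt/runtime", "layer": "layer-runtime", "fix": "upgrade runtime"},
]


def filter_findings(findings, priority=None, keyword=None):
    """Mirror the tab filters: exact priority match plus fuzzy
    (case-insensitive substring) match on the vulnerability name."""
    out = []
    for f in findings:
        if priority and f["priority"] != priority:
            continue
        if keyword and keyword.lower() not in f["name"].lower():
            continue
        out.append(f)
    return out


def plan_fixes(findings):
    """Group findings by Image Layer so one rebuild of a layer clears every
    finding it carries. Layers are ordered by their worst priority, then by
    the largest affected-image count, so the riskiest rebuild comes first."""
    by_layer = defaultdict(list)
    for f in findings:
        by_layer[f["layer"]].append(f)
    plan = []
    for layer, items in by_layer.items():
        worst = min(items, key=lambda f: PRIORITY_RANK[f["priority"]])["priority"]
        plan.append({
            "layer": layer,
            "worst_priority": worst,
            "affected_images": max(f["affected"] for f in items),
            "vulnerabilities": sorted(f["name"] for f in items),
            "fix_commands": sorted({f["fix"] for f in items}),
        })
    plan.sort(key=lambda p: (PRIORITY_RANK[p["worst_priority"]], -p["affected_images"]))
    return plan
```

After each rebuild, rerun Scan now as the procedure describes and feed the refreshed findings back through plan_fixes to confirm the layer no longer appears.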
  7. Click the Mirror Malicious Sample tab.
  8. On the Mirror Malicious Sample tab, perform the following operations:
    • Filter malicious image samples

      In the upper-right corner of the sample list, select Urgent, Warning, or Notice. You can also specify sample names to filter specific image samples.

    • View malicious image samples

      In the list of malicious image samples, view the name, number of affected images, time of the first or last scan, and process status of each sample.

    • View details about malicious image samples

      Find the Malicious Sample that you want to view and click View in the Operation column to view the details.

References

View container status

Threat detection for Kubernetes containers

Use Runtime Security to monitor ACK clusters and configure alerts