Image security scan - Precautions| Alibaba Cloud Documentation Center

Security Center provides the image security scan feature to detect image system vulnerabilities, image application vulnerabilities, and malicious image samples. This allows you to view the risks in your container assets and reinforces the security of your assets. This topic describes how to view image system vulnerabilities, image application vulnerabilities, and malicious image samples in your assets.

Prerequisites

The Enterprise edition of Container Registry is purchased. For more information, see Create a Container Registry Enterprise Edition instance.
The Enterprise edition of Security Center is purchased. If you are using the Basic, Basic Anti-Virus, or Advanced edition, you can use the image security scan feature only after you upgrade Security Center to the Enterprise edition. For more information, see Upgrade and downgrade Security Center.

Background information

The image security scan feature is in public preview. If you are using the Enterprise edition, you can use this feature free of charge without application or activation.

Note The Enterprise edition of Container Registry supports image security scans in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), and Singapore (Singapore).

Security Center supports the following image security items.


Image security item	Detection	Repair	Remarks
Image system vulnerability	Detection only	Not supported	We recommend that you fix image system vulnerabilities in a timely manner based on the prompted impact descriptions by using the commands that are provided by Security Center.
Image application vulnerability	Detection only	Not supported	We recommend that you fix image application vulnerabilities in a timely manner by using the commands and impact descriptions provided by Security Center.
Malicious image sample	Detection only	Not supported	We recommend that you handle malicious file samples in a timely manner based on the information provided by Security Center. The information includes a malicious file path.

Procedure

On the Image Security page, you can view detected image system vulnerabilities, image application vulnerabilities, and malicious image samples.

Log on to the Security Center console.
In the left-side navigation pane, choose Precaution > Image Security.
Optional:On the Image Security page, click Scan now.
To view the results of the latest image security scan, perform this step. The scan requires about 1 minute. After the scan is complete, you can refresh the current page to view the results.
On the Image System Vul tab, you can view the detected image system vulnerabilities.
You can perform the following operations:
- View vulnerabilities
  You can view the name, characteristics, number of affected images, and latest scan time of each vulnerability.
- View vulnerability priorities
  The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability.
  - Red: High
  - Orange: Medium
  - Gray: Low
  Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
- Filter vulnerabilities
  On the Image System Vul tab, you can filter vulnerabilities based on a vulnerability priority (high, medium, or low), instance ID, repository name, namespace, digest, or vulnerability name.
  
  Note You can search vulnerabilities based on a repository name or vulnerability name. Fuzzy match is supported.
- View vulnerability details
  Find the vulnerability whose details you want to view and click View in the Operation column. On the details page that appears, you can perform the following operations:
  - View details of the Alibaba Cloud vulnerability library
    You can click the CVE ID to go to the Alibaba Cloud vulnerability library.
    
    On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.
  - View fixing commands and impact descriptions of image system vulnerabilities
    Click Details to view the impact description and fixing command of the image system vulnerability.
    
    Fix Command: the fixing command.
    
    Impact description:
    
    Software: the image version.
    
    Cause: the reason why the image is exposed to this vulnerability. In most cases, the reason is that the current version is outdated.
    
    Path: the path of the image on the server.
    
    Image Layer: the image layer on which the vulnerability is detected.
    
    Caution: important notes, prevention tips, and references for the vulnerability.
    
    Note Security Center does not support quick fixes of image system vulnerabilities. You can manually troubleshoot and fix the vulnerabilities based on the impact descriptions and fixing commands. After you fix an image system vulnerability, you can click Scan now on the Image Security page to update the vulnerability status on the Image System Vul tab.
Click the Image Application Vul tab.
On the Image Application Vul tab, view the detected image application vulnerabilities.
You can perform the following operations:
- View vulnerability announcements
  You can view the name, characteristics, number of affected images, and latest scan time of each vulnerability.
- View vulnerability priorities
  The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability.
  - Red: High
  - Orange: Medium
  - Gray: Low
  Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
- Filter vulnerabilities
  On the Image Application Vul tab, you can filter vulnerabilities based on a vulnerability priority (high, medium, or low), instance ID, repository name, namespace, digest, or vulnerability name.
  
  Note You can search vulnerabilities based on a repository name or vulnerability name. Fuzzy match is supported.
- View vulnerability details
  Find the vulnerability whose details you want to view and click View in the Operation column. On the details page that appears, you can perform the following operations:
  - View details of the Alibaba Cloud vulnerability library
    You can click the CVE ID to go to the Alibaba Cloud vulnerability library.
    
    On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.
  - View impact descriptions and fixing commands
    Click Details to view the impact description and fixing command.
    
    Fix Command: the fixing command.
    
    Impact description:
    
    Software: the image version.
    
    Cause: the reason why the image is exposed to this vulnerability. In most cases, the reason is that the current version is outdated.
    
    Path: the path of the image on the server.
    
    Image Layer: the image layer on which the vulnerability is detected.
    
    Caution: important notes, prevention tips, and references for the vulnerability.
Click the Mirror Malicious Sample tab.
On the Mirror Malicious Sample tab, perform the following operations:
- Filter malicious image samples
  In the upper-right corner of the sample list, select Urgent, Warning, or Notice. You can also specify sample names to filter specific image samples.
- View malicious image samples
  In the list of malicious image samples, view the name, number of affected images, time of the first or last scan, and process status of each sample.
- View details about malicious image samples
  Find the Malicious Sample that you want to view and click View in the Operation column to view the details.

References

View container status

Threat detection for Kubernetes containers

Use Runtime Security to monitor ACK clusters and configure alerts