Security Center provides the image security scanning feature to detect image system vulnerabilities, image application vulnerabilities, and malicious image samples. This allows you to view risks in your container assets and reinforces the security of your assets. This topic describes how to view image system vulnerabilities, image application vulnerabilities, and malicious image samples in your assets.

Prerequisites

Background information

The image security scanning feature is in public preview. This feature is free for all users of the Security Center Enterprise edition. Users of the Security Center Enterprise edition are not required to enable or apply for this feature.

You can use one of the following methods to perform image security scanning:
  • Scan now: If you want to immediately start an image security scanning task, click Scan now on the Image Security page.
  • Periodic scan: If you want to periodically scan your images, configure the scan time and the interval at which images are scanned. Security Center then periodically scans your images for security issues based on your configuration. For more information, see Configure image vulnerability scanning.
The following list describes the features provided by image security scanning. For each item, detection is supported and fixing is not supported.
  • Image system vulnerabilities (Detection: Supported; Fix: Not supported): We recommend that you promptly fix image system vulnerabilities based on the fixing commands and descriptions provided by Security Center.
  • Image application vulnerabilities (Detection: Supported; Fix: Not supported): We recommend that you promptly fix image application vulnerabilities based on the fixing commands and descriptions provided by Security Center.
  • Malicious image samples (Detection: Supported; Fix: Not supported): We recommend that you promptly handle malicious image samples based on the fixing commands and descriptions provided by Security Center.

Supported regions

Only the Container Registry instances of the Enterprise edition in the following regions support the image security scanning feature: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), and Singapore (Singapore).

View image vulnerabilities and malicious samples

On the Image Security page, you can view detected image system vulnerabilities, image application vulnerabilities, and malicious image samples.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Image Security.
  3. Optional: On the Image Security page, click Scan now.
    Perform this step to start a new scan instead of viewing the results of the last scanning task. The scan takes about one minute. After the scan is completed, refresh the page to view the results.
  4. On the Image System Vul tab, view the detected image system vulnerabilities.
    You can perform the following operations:
    • View vulnerabilities

      View the vulnerability names, vulnerability characteristics, number of affected images, and last scan time.

    • View vulnerability priorities
      The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability.
      • Red: High
      • Orange: Medium
      • Gray: Low
      Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
    • Filter vulnerabilities

      On the Image System Vul tab, filter vulnerabilities by vulnerability priority (high, medium, and low), instance ID, repository name, namespace, digest, or vulnerability name.

      Note You can search for vulnerabilities by repository or vulnerability name. Fuzzy match is supported.
    • View vulnerability details
      Find the vulnerability that you want to view and click View in the Operation column. On the page that appears, perform the following operations as needed:
      • View details of the Alibaba Cloud vulnerability library
        Click the CVE ID to go to the Alibaba Cloud vulnerability library.

        On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.

      • View fixing commands and impact descriptions.
        Click Details to view fixing commands and impact descriptions.
        • Fix Command: the fixing command.
        • Impact description:
          • Software: the image version.
          • Cause: the reason why the image is exposed to this vulnerability. In most cases, the reason is that the current version is outdated.
          • Path: the path of the image on the server.
          • Image Layer: the image layer on which the vulnerability is detected.
        • Caution: important notes, prevention tips, and references for the vulnerability.
        Note Security Center does not support quick fixing of image system vulnerabilities. You can manually detect and fix the vulnerabilities based on the fixing commands and impact descriptions. After you fix an image system vulnerability, click Scan now on the Image Security page to update the vulnerability status on the Image System Vul tab.
  5. Click the Image Application Vul tab.
  6. On the Image Application Vul tab, view the detected image application vulnerabilities.
    You can perform the following operations:
    • View vulnerability announcements

      You can view vulnerability names, vulnerability characteristics, number of affected images, and last scan time.

    • View vulnerability priorities
      The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability.
      • Red: High
      • Orange: Medium
      • Gray: Low
      Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
    • Filter vulnerabilities

      On the Image Application Vul tab, filter vulnerabilities by vulnerability priority (high, medium, and low), instance ID, repository name, namespace, digest, or vulnerability name.

      Note You can search for vulnerabilities by repository or vulnerability name. Fuzzy match is supported.
    • View vulnerability details
      Find the vulnerability that you want to view and click View in the Operation column. On the page that appears, perform the following operations as needed:
      • View details of the Alibaba Cloud vulnerability library

        Click the CVE ID to go to the Alibaba Cloud vulnerability library.

        On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.

      • View fixing commands and impact descriptions.

        Click Details to view fixing commands and impact descriptions.

        • Fix Command: the fixing command.
        • Impact description:
          • Software: the image version.
          • Cause: the reason why the image is exposed to this vulnerability. In most cases, the reason is that the current version is outdated.
          • Path: the path of the image on the server.
          • Image Layer: the image layer on which the vulnerability is detected.
        • Caution: important notes, prevention tips, and references for the vulnerability.
  7. Click the Mirror Malicious Sample tab.
  8. On the Mirror Malicious Sample tab, perform the following operations as needed:
    • Filter malicious image samples

      In the upper-right corner of the malicious image sample list, select Urgent, Warning, or Notice. Then, search for malicious samples by instance ID, repository name, namespace, digest, or malicious sample name.

    • View malicious image samples

      In the list of malicious image samples, you can view sample names, number of affected images, first scan time, last scan time, and processing status.

    • View the details of a malicious image sample

      Find the malicious sample that you want to view and click View in the Operation column to view the details.

    Note A malicious image sample may intrude into your server by changing the memory properties from readable and writable to readable and executable, or by modifying the network proxy settings. This may greatly affect your server. We recommend that you handle the malicious image samples in a timely manner.

Configure image vulnerability scanning

In the upper-right corner of the Image Security page, click Settings. In the Scan Configurations dialog box, select a scan cycle and click OK. You can specify the scan cycle and time period based on your needs.
  • You can select 3 Days, One week, Two weeks, or Stop for Scan cycle.
  • You can select 00:00-24:00, 00:00-06:00, 06:00-12:00, 12:00-18:00, or 18:00-24:00 for the time period.
Note Security Center starts an image security scanning task at an arbitrary time point within the specified time period. If you select 00:00-24:00, Security Center may scan your images at any time of the day.
