
Security Center: Add image repositories to Security Center

Last Updated: Jul 07, 2023

Before you can use Security Center to scan images, you must add image repositories to Security Center. This topic describes how to add image repositories to Security Center.

Background information

You can add the following types of image repositories to Security Center: image repositories of Container Registry, Harbor repositories, and Quay repositories. Harbor repositories and Quay repositories are third-party image repositories.

Prerequisites

Security Center Ultimate is purchased, and the container image scan feature is enabled. For more information, see Purchase Security Center and Enable container image scan.

Add an image repository of Container Registry to Security Center

Container Registry is available in Enterprise Edition and Personal Edition. You can synchronize information about the images in the image repositories of both editions to Security Center, but Security Center can scan images only in Container Registry Enterprise Edition. You can add image repositories of a Container Registry Personal Edition instance to Security Center after you create the instance. To add image repositories of a Container Registry Enterprise Edition instance to Security Center, you must configure access to the instance over a virtual private cloud (VPC). For more information, see Configure access over VPCs.

You can use one of the following methods to synchronize the information about the images in the image repositories of both Container Registry Enterprise Edition and Container Registry Personal Edition:

  • Automatic synchronization: Security Center automatically synchronizes the information in the early morning every day.

  • Manual synchronization: You can manually synchronize the most recent information. For more information, see View security information about containers.

Add a third-party image repository to Security Center

If you create an access control policy for your image repository, make sure that the access control policy allows access from the IP address pools in the region in which the image repository resides.

View IP address pools from which the access must be allowed

| Region | Public IP address | Private IP address |
| --- | --- | --- |
| China (Hangzhou) | 47.96.166.214 | 100.104.12.64/26 |
| China (Shanghai) | 139.224.15.48, 101.132.180.26, 47.100.18.171, 47.100.0.176, 139.224.8.64, 101.132.70.106, 101.132.156.228, 106.15.36.12, 139.196.168.125, 47.101.178.223, and 47.101.220.176 | 100.104.43.0/26 |
| China (Qingdao) | 47.104.111.68 | 100.104.87.192/26 |
| China (Beijing) | 47.95.202.245 | 100.104.114.192/26 |
| China (Zhangjiakou) | 39.99.229.195 | 100.104.187.64/26 |
| China (Hohhot) | 39.104.147.68 | 100.104.36.0/26 |
| China (Shenzhen) | 120.78.64.225 | 100.104.250.64/26 |
| China (Hong Kong) | 8.218.59.176 | 100.104.130.128/26 |
| Japan (Tokyo) | 47.74.24.20 | 100.104.69.0/26 |
| Singapore | 8.219.240.137 | 100.104.67.64/26 |
| US (Silicon Valley) | 47.254.39.224 | 100.104.145.64/26 |
| US (Virginia) | 47.252.4.238 | 100.104.36.0/26 |
| Germany (Frankfurt) | 47.254.158.71 | 172.16.0.0/20 |
| UK (London) | 8.208.14.12 | 172.16.0.0/20 |
| Indonesia (Jakarta) | 149.129.238.99 | 100.104.193.128/26 |

  1. If your third-party image service is deployed in a data center and connected over VPCs, you must forward the traffic destined for the image service. In this case, you must use an Elastic Compute Service (ECS) instance to forward the traffic to the server in the data center in which the third-party image service is deployed.

    In the following command examples, the traffic on Port A of the ECS instance is forwarded to Port B of the on-premises server that uses the IP address of 192.168.XX.XX.

    • Command examples for CentOS 7

      • Use firewall-cmd

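        firewall-cmd --permanent --add-forward-port=port=<Port A>:proto=tcp:toaddr=<192.168.XX.XX>:toport=<Port B>
        # --permanent only writes the saved configuration; reload to apply it to the running firewall
        firewall-cmd --reload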
      • Use iptables

        1. Enable port forwarding.

          echo "1" > /proc/sys/net/ipv4/ip_forward
        2. Configure port forwarding.

          iptables -t nat -A PREROUTING -p tcp --dport <Port A> -j DNAT --to-destination <192.168.XX.XX>:<Port B>
    • Command example for Windows

      netsh interface portproxy add v4tov4 listenport=<Port A> listenaddress=* connectaddress=<192.168.XX.XX> connectport=<Port B> protocol=tcp
  2. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  3. In the left-side navigation pane, choose Assets > Container.

  4. On the Image tab of the Container page, click Integrate in the Third-party Image Warehouse section.

  5. In the Integrate image repository panel, configure the following parameters and click OK.

    Parameter

    Description

    Private repository type

    The type of the third-party image repository. Valid values: harbor and quay.

    Version

    The version of the third-party image repository. Valid values:

    • V1: If the version of the image repository is 1.X.X, select this option.

    • V2: If the version of the image repository is 2.X.X or later, select this option.

    Communication Type

    The protocol that you want Security Center to use to communicate with the third-party image repository. Valid values:

    • http

    • https

    Network type

    The network type of the third-party image repository. Valid values:

    • Public

    • VPC

    RegionId

    The ID of the region in which the third-party image repository resides.

    IP

    The IP address of the third-party image repository. If you have configured traffic forwarding rules for your image service, you must set the IP parameter to the IP address of the ECS instance that forwards the traffic destined for the image service.

    Domain

    The domain name of the third-party image repository.

    Speed limit

    The number of images that can be added to Security Center per hour. Default value: 10.

    Important

    If a large number of images are added per hour, your services may be adversely affected. In most cases, we recommend that you do not set this parameter to Unlimited.

    Username

    The username of the account that has administrative rights and is used to access the third-party image repository.

    Password

    The password of the account.

    Quay namespace information

    This parameter is required only if you set Private repository type to quay.

    In the Image warehouse organization field, enter the name of the organization to which the image repository belongs. In the Auth_token field, enter the Auth_token that corresponds to the organization.

    You can click Add to configure organizations of multiple image repositories.

    After the third-party image repository is added to Security Center, you can click Scan Settings on the Image Security page to view the information about the added image repository in the panel that appears.
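
The forwarding commands in step 1 forward every connection that reaches Port A of the ECS instance. The following script is an added example, not part of the original page: it prints iptables DNAT rules that forward only connections from the Security Center addresses of one region, using the China (Hangzhou) entries from the IP address pool table. The listener port 8443, the registry address 192.168.0.10:443 and the function names are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: print (do not apply) DNAT rules for the forwarding ECS instance
# that only forward connections coming from the listed Security Center sources.

# is_port N: true when N is an integer in 1..65535
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 ADDR: dotted quad with each octet in 0..255, no other characters
is_ipv4() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])$'
}

# is_source ADDR[/PREFIX]: IPv4 address with an optional prefix length 0..32
is_source() {
  case "$1" in
    */*) is_ipv4 "${1%/*}" || return 1
         case "${1#*/}" in [0-9]|[12][0-9]|3[0-2]) return 0 ;; *) return 1 ;; esac ;;
    *)   is_ipv4 "$1" ;;
  esac
}

# forward_rules PORT_A DEST_IP PORT_B SRC...
# Prints one DNAT rule per source. Fails without printing anything if an
# argument is malformed or no source is given (that would be an open forward).
forward_rules() {
  local port_a="$1" dest="$2" port_b="$3" src
  [ "$#" -ge 4 ] || { echo "need at least one source address" >&2; return 1; }
  shift 3
  is_port "$port_a" && is_port "$port_b" || { echo "invalid port" >&2; return 1; }
  is_ipv4 "$dest" || { echo "invalid destination" >&2; return 1; }
  for src in "$@"; do
    is_source "$src" || { echo "invalid source: $src" >&2; return 1; }
  done
  for src in "$@"; do
    printf 'iptables -t nat -A PREROUTING -p tcp -s %s --dport %s -j DNAT --to-destination %s:%s\n' \
      "$src" "$port_a" "$dest" "$port_b"
  done
}

# Constructed values: listener 8443 on the ECS instance, registry at 192.168.0.10:443.
# Sources: the China (Hangzhou) public and private entries from the table on this page.
forward_rules 8443 192.168.0.10 443 47.96.166.214 100.104.12.64/26
```

Review the printed rules before running them as root; IP forwarding must still be enabled as shown in step 1.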

Error codes

| Error code | Error message | Solution |
| --- | --- | --- |
| FailedToVerifyUsernameOrPwd | The error message returned because the username or password is invalid. | Check whether the username and password are correct. |
| RegistryVersionError | The error message returned because the version of the image repository is invalid. | Check whether the version of the image repository is valid. |
| UserDoesNotHaveAdminRole | The error message returned because you do not have administrative rights. | Log on to the server on which Harbor repositories are deployed and obtain administrative rights. |
| NetworkConnectError | The error message returned because the network connection timed out. | Check whether the network can be connected and whether port 80 or port 443 is enabled. |

What to do next

After your image repository is added to Security Center, the images in the image repository are protected by Security Center. You can view the information about the images on the Image tab of the Container page. For more information, see View security information about containers.

You must use Security Center to scan the images in the image repository for risks. For more information, see Scan images.