Vulnerabilities may exist in the basic system software, middleware, web applications, and databases that are in your container images. The vulnerabilities include mining trojans and backdoor programs, which pose threats to your assets. You can scan container images to check whether image vulnerabilities and malicious image samples exist in your assets. This helps ensure a secure runtime environment for images. This topic describes how to scan container images.

Prerequisites

Background information

You can use one of the following methods to scan container images:
Notice: When you scan an image that has changed, the scan is deducted from the number of scans specified by Container Image Scan. An image is considered changed when its digest value changes. Before you scan container images, make sure that Container Image Scan is set to an appropriate value.
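
The notice above defines a changed image by its digest. The following Python code is an added example, not Security Center code: it computes registry-style content digests (SHA-256 over the manifest bytes) and lists the images whose digest differs from the one recorded at the last scan. The repository names, the manifests, and the treatment of never-scanned images as changed are assumptions made for illustration.

```python
import hashlib
import json


def manifest_digest(manifest_bytes: bytes) -> str:
    """Registry content digest: SHA-256 over the exact manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def images_needing_rescan(last_scanned: dict, current: dict) -> list:
    """Return image references whose digest differs from the last scanned one.

    Assumption: an image that was never scanned before is treated as changed.
    """
    return sorted(ref for ref, digest in current.items()
                  if last_scanned.get(ref) != digest)


def _manifest(layer_digests):
    # Constructed, minimal OCI-style manifest; not taken from a real registry.
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "layers": [{"digest": d} for d in layer_digests],
    }, sort_keys=True).encode()


# Constructed sample data (hypothetical repositories and layers).
BASE = _manifest(["sha256:" + "a" * 64])
PATCHED = _manifest(["sha256:" + "a" * 64, "sha256:" + "b" * 64])

LAST_SCANNED = {
    "demo/web:1.0": manifest_digest(BASE),
    "demo/api:latest": manifest_digest(BASE),
}
CURRENT = {
    "demo/web:1.0": manifest_digest(BASE),        # same content, same digest
    "demo/api:latest": manifest_digest(PATCHED),  # tag re-pushed with new content
    "demo/worker:2.3": manifest_digest(BASE),     # not seen at the last scan
}

if __name__ == "__main__":
    for ref in images_needing_rescan(LAST_SCANNED, CURRENT):
        print(ref, CURRENT[ref])
```

A tag such as latest can point to a new digest without its name changing, so compare digests rather than tags when you estimate how many scans the next run will use.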

Immediately scan container images

To immediately scan container images, click Scan Now on the Image Security page. In the One-Click Scan dialog box, select the type of the image you want to scan and click OK. Image repositories of the following types can be scanned:
  • ACR: After you select acr in the dialog box, Security Center detects whether vulnerabilities and malicious image samples exist in your Container Registry instance of the Enterprise edition that is created in the Container Registry console.
  • Harbor: After you select harbor in the dialog box, Security Center detects whether vulnerabilities and malicious image samples exist in the Harbor image repositories that you added to Security Center.

The scan may take 1 minute. You can manually refresh the Image Security page to view the scan results after 1 minute.

Configure a cycle to scan image vulnerabilities

To periodically scan your assets for image vulnerabilities or malicious samples, perform the following operations to configure a scan cycle:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Image Security.
  3. In the upper-right corner of the Image Security page, click Scan Settings.
  4. In the Scan Settings panel, configure the parameters.
    The following table describes the parameters.
    Parameter: Description
    Authorized/total authorized: The number of container image scans that are performed and the total number of container image scans that are allowed.
    Scan cycle: The cycle at which Security Center scans container images. Valid values:
    • 3 Days
    • One week
    • Two weeks
    • Stop
    Scan Scope: The images that you want to scan. To select the images that you want to scan, perform the following steps:
    1. Click Manage on the right of Scan Scope.
    2. In the Image management dialog box, select the image repository that you want to scan.
    3. Click Settings.
    Scan policy: If you select this option, a container image scan is triggered when images that you want to scan change. If you do not select this option, Security Center scans container images based on the scan cycle that you specified.
  5. Optional: Click the Image repository tab to view the image repository list.
    You can view the Container Registry instances of the Enterprise edition that support the container image scan feature and the third-party image repositories that you added to Security Center. The Container Registry instances use the image repositories of the ACR type. The third-party image repositories are of the Harbor type. You can also perform the following operations to manage the third-party image repositories:
    • Add a third-party image repository: Click Integrate image repository. For more information about the parameters to add a third-party image repository to Security Center, see Add third-party image repositories to Security Center.
    • Remove a third-party image repository: Find the image repository that you want to remove, click Remove in the Operation column, and then click OK in the message that appears.
    Note: Security Center automatically adds Container Registry instances of the Enterprise edition within your account to the image repository list. You cannot remove the Container Registry instances of the Enterprise edition from the image repository list.
  6. Click OK.

What to do next

After Security Center scans container images, you can view the container image scan results. For more information, see View container image scan results.