Vulnerabilities may exist in the basic system software, middleware, web applications, and databases that are in your container images. The vulnerabilities include mining trojans and backdoor programs, which pose threats to your assets. You can scan container images to check whether image vulnerabilities and malicious image samples exist in your assets. This helps ensure a secure runtime environment for images. This topic describes how to scan container images.
- A Container Registry instance of the Enterprise edition is purchased or a third-party image repository is added to Security Center. For more information, see Create a Container Registry Enterprise Edition instance and Add third-party image repositories to Security Center.
- The Enterprise or Ultimate edition of Security Center is purchased, or Security Center is upgraded to the Enterprise or Ultimate edition. For more information, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.
- Container Image Scan is set to an appropriate value.
- Immediately scan container images: To immediately scan container images, click Scan Now on the Image Security page.
- Configure a cycle to scan image vulnerabilities: If you want Security Center to automatically scan container images on a regular basis, you can configure a scan cycle.
Immediately scan container images
- ACR: After you select acr in the dialog box, Security Center detects whether vulnerabilities and malicious image samples exist in your Container Registry instance of the Enterprise edition that is created in the Container Registry console.
- Harbor: After you select harbor in the dialog box, Security Center detects whether vulnerabilities and malicious image samples exist in the Harbor image repositories that you added to Security Center.
The scan may take 1 minute. You can manually refresh the Image Security page to view the scan results after 1 minute.
Configure a cycle to scan image vulnerabilities
To periodically scan your assets for image vulnerabilities or malicious samples, perform the following operations to configure a scan cycle:
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- In the upper-right corner of the Image Security page, click Scan Settings.
- In the Scan Settings panel, configure the parameters. The following list describes the parameters.
  - Authorized/total authorized: The number of container image scans that are performed and the total number of container image scans that are allowed.
  - Scan cycle: The cycle at which Security Center scans container images. Valid values:
    - 3 Days
    - One week
    - Two weeks
  - Scan Scope: The images that you want to scan. To select the images that you want to scan, perform the following steps:
    - Click Manage on the right of Scan Scope.
    - In the Image management dialog box, select the image repository that you want to scan.
    - Click Settings.
  - Scan policy: If you select this option, a container image scan is triggered when images that you want to scan change. If you do not select this option, Security Center scans container images based on the scan cycle that you specified.
- Optional: Click the Image repository tab to view the image repository list. You can view the Container Registry instances of the Enterprise edition that support the container image scan feature and the third-party image repositories that you added to Security Center. The Container Registry instances use the image repositories of the ACR type. The third-party image repositories are of the Harbor type. You can also perform the following operations to manage the third-party image repositories:
  Note: Security Center automatically adds Container Registry instances of the Enterprise edition within your account to the image repository list. You cannot remove the Container Registry instances of the Enterprise edition from the image repository list.
  - Add a third-party image repository: Click Integrate image repository. For more information about the parameters to add a third-party image repository to Security Center, see Add third-party image repositories to Security Center.
  - Remove a third-party image repository: Find the image repository that you want to remove, click Remove in the Operation column, and then click OK in the message that appears.
- Click OK.