Container Registry Enterprise Edition instances allow you to use the capabilities of Security Center. For example, you can use Security Center to detect system vulnerabilities, application vulnerabilities, baseline risks, and malicious samples in container images. You can also fix the system vulnerabilities with a few clicks. This topic describes how to fix system vulnerabilities in container images with a few clicks.

Prerequisites

Security Center is activated. For more information, see Purchase Security Center and Enable the container image scan feature.

Background information

Container Registry allows you to use Security Center to detect the following risks for container images:
  • System vulnerabilities: Security Center scans system vulnerabilities in container images and allows you to fix the system vulnerabilities with a few clicks. This ensures that your container images are secure and reliable.
  • Application vulnerabilities: Security Center scans container-related middleware to detect application vulnerabilities and provides suggestions on vulnerability fixing. This ensures that container images run in a secure environment.
  • Baseline risks: Security Center scans your containers to detect baseline risks and provides suggestions on how to handle the risks.
  • Malicious samples: Security Center detects malicious samples in your containers. This allows you to view the risks in containers and reinforce the security of your containers.
Note Only system vulnerabilities can be fixed with a few clicks. If application vulnerabilities, malicious samples, or baseline risks are detected in your container images, we recommend that you reinforce image security by following the suggestions on vulnerability fixing that are provided by Security Center and by using the paths of the malicious samples.

Procedure

  1. Authorize Security Center.
    Note This step is required only when you use Security Center to scan container images for the first time.
    1. Log on to the Security Center console.
    2. In the left-side navigation pane, click Assets.
    3. On the Assets page, click the Container tab. On this tab, click Authorize Immediately.
      After the authorization is complete, the Authorization succeeded message appears.
  2. Scan container images.
    1. In the left-side navigation pane, choose Security Prevention > Image Security.
    2. On the Image Security page, click Scan Now in the Security Scan section.
    3. In the One-Click Scan dialog box, select the image repositories that you want to scan and click Configure scan scope.
    4. In the Scan Settings panel, set the parameters on the Scan Configurations tab.
      | Parameter | Description |
      | --- | --- |
      | Authorized usage/Total authorized | The number of container image scans that are performed and the total number of container image scans that are allowed. |
      | Scan cycle | The frequency at which Security Center scans container images. Valid values: 3 Days, One week, Two weeks, and Stop. |
      | Scan Scope | The scope of images that you want to scan. Click Manage next to Scan Scope. In the Image management dialog box, select one or more image repositories that you want to scan and click Settings. Then, click OK. |
      | Scan Time Range | The time range during which the container images that you want to scan are generated. |
      | Scan policy | If you select this option, a container image scan is triggered when images that you want to scan are updated. If you do not select this option, Security Center scans container images based on the scan cycle that you specify. |
    5. Click the Image repository tab to view the image repository list.
      Security Center automatically adds the Container Registry Enterprise Edition instances within your account to the image repository list.
    6. On the Image Security page, click Scan Now in the Security Scan section. In the dialog box that appears, click Confirm.
      The scan may take 1 minute. You can refresh the Image Security page to view the scan results after 1 minute.
  3. Fix the system vulnerabilities in container images.
    1. In the left-side navigation pane, click Assets.
    2. On the Assets page, click the Container tab.
    3. In the left-side section of the Container tab, click Image(s). On the right side, find an image in which risks are detected. Then, click Process in the Actions column.
    4. On the Image System Vul tab, find the vulnerability that you want to fix and click Fix in the Actions column.
    5. In the Repair dialog box, specify whether to overwrite the existing image tag. We recommend that you do not overwrite the existing image tag. Click Fix Now.
      If you choose not to overwrite the existing image tag, another container image is generated based on the existing image tag. The new container image is named after the existing image tag with the suffix _fix. If you choose to overwrite the existing image tag, a container image is generated based on the existing image tag and overwrites the container image with the existing image tag.
      Fixing the vulnerability may take a while. After the fix is complete, go to the Container tab of the Assets page. On this tab, you can view the new container image, and No risk is displayed in the Risk State column.
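
Added example (not part of the original documentation or of Security Center): if you do not overwrite the existing tag, workloads that still reference the old tag keep running the unfixed image, so the references must be moved to the _fix tag. The sketch below derives the fixed reference from the naming rule described above and rewrites image: lines in a manifest. The registry host, repository names, and manifest are constructed placeholders, and the function names are hypothetical.

```python
import re

FIX_SUFFIX = "_fix"  # suffix the page says is appended when the tag is not overwritten
TAG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")  # Docker tag grammar, max 128 chars

def fixed_ref(image_ref):
    """Return the reference of the fixed copy: same repository, tag + '_fix'."""
    if "@" in image_ref:
        raise ValueError(f"{image_ref}: pinned by digest, no tag to derive from")
    last = image_ref.rsplit("/", 1)[-1]  # a ':' before the last '/' is a registry port
    if ":" not in last:
        raise ValueError(f"{image_ref}: no explicit tag")
    repo, tag = image_ref.rsplit(":", 1)
    new_tag = tag + FIX_SUFFIX
    if not TAG_RE.fullmatch(new_tag):
        raise ValueError(f"{image_ref}: '{new_tag}' is not a valid tag")
    return f"{repo}:{new_tag}"

IMAGE_LINE = re.compile(r"^(\s*(?:-\s+)?image:\s*)(['\"]?)([^'\"\s#]+)\2(.*)$")

def rewrite_manifest(text, fixed_images):
    """Point `image:` lines at the _fix tag, only for references in fixed_images."""
    out, changed = [], []
    for line in text.splitlines():
        m = IMAGE_LINE.match(line)
        if m and m.group(3) in fixed_images:  # exact match: untouched images stay as-is
            new = fixed_ref(m.group(3))
            line = f"{m.group(1)}{m.group(2)}{new}{m.group(2)}{m.group(4)}"
            changed.append(new)
        out.append(line)
    return "\n".join(out) + "\n", changed

# Constructed sample manifest; registry host and repository names are placeholders.
SAMPLE = """\
containers:
  - name: web
    image: registry.example.com:5000/shop/web:1.4.2
  - name: sidecar
    image: "registry.example.com:5000/shop/proxy:2.0"
"""

if __name__ == "__main__":
    new_text, changed = rewrite_manifest(
        SAMPLE, {"registry.example.com:5000/shop/web:1.4.2"})
    print(new_text, changed)
```

References pinned by digest or without an explicit tag are rejected instead of guessed, because the naming rule on this page is defined only in terms of an existing tag.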