Before you can use Security Center to scan container images, you must add an image repository to Security Center. This synchronizes the information about the images in the image repository to Security Center. You can add the image repositories of Container Registry and third-party image repositories to Security Center. This topic describes how to add image repositories to Security Center.

Prerequisites

The container image scan feature is enabled. For more information, see Enable container image scan.

Add an image repository of Container Registry to Security Center

Container Registry has Enterprise Edition and Personal Edition. You can synchronize the information about the images in the image repositories of both Container Registry Enterprise Edition and Container Registry Personal Edition to Security Center. However, Security Center can scan only the images of Container Registry Enterprise Edition.

After you configure access to a Container Registry Enterprise Edition instance over a virtual private cloud (VPC), the image repositories of the instance are added to Security Center. For more information, see Configure access over VPCs.

Add a third-party image repository deployed on a public cloud to Security Center

If your third-party image repository is deployed on a public cloud, perform the following steps to add the image repository to Security Center:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Image Security.
  3. On the Image security scan tab of the page that appears, click Integrate.
  4. In the Integrate image repository panel, configure the parameters.
    The following list describes the parameters.
    Private repository type
      The type of the third-party image repository. Valid values: harbor and quay.
    Version
      The version of the third-party image repository. Valid values:
      • V1: If the version of the image repository is 1.X.X, select this option.
      • V2: If the version of the image repository is 2.X.X or later, select this option.
    Communication Type
      The protocol that Security Center uses to communicate with the third-party image repository. Valid values: http and https. Select https whenever the repository supports it: over http, the username and password that you enter below are sent in cleartext.
    Network Type
      The network type of the third-party image repository. Valid values: Public and VPC.
    RegionId
      The region where the third-party image repository resides.
    Domain
      The domain name of the third-party image repository.
    IP
      The IP address of the third-party image repository.
      Note If the third-party image repository is deployed on a hybrid cloud, you must configure this parameter.
    Speed limit
      The maximum number of images that can be added to Security Center per hour. Valid values: 5, 10, 30, 50, 200, 500, 1000, and Unlimited. Default value: 10.
      Notice If a large number of images are added per hour, the repository and the services that depend on it may be adversely affected. In most cases, we recommend that you do not set this parameter to Unlimited.
    Username
      The username used to access the third-party image repository. Use an account that has only pull (read) permission on the projects to be scanned; Security Center does not need to push images.
    Password
      The password used to access the third-party image repository.
  5. Click Next.
    The third-party image repository is added to Security Center. Then, you can click Scan Settings on the Image security scan tab to view the information about the added image repository in the panel that appears.

Add a third-party image repository deployed on a hybrid cloud to Security Center

If your third-party image repository is deployed on a hybrid cloud that is composed of VPCs and data centers, you must configure traffic forwarding rules and then add the image repository to Security Center. To add the image repository, perform the following steps:

  1. Specify an ECS instance and configure traffic forwarding rules to forward the traffic destined for the ECS instance to an on-premises server on which the third-party image repository resides.

    In the following command examples, the traffic that arrives on Port A of the ECS instance is forwarded to Port B of the on-premises server whose IP address is 192.168.XX.XX.

    • Command examples for CentOS 7
      • Use firewall-cmd. Forwarding to a different host requires masquerading in the same zone, and --permanent rules take effect only after a reload:
        firewall-cmd --permanent --add-forward-port=port=<Port A>:proto=tcp:toaddr=<192.168.XX.XX>:toport=<Port B>
        firewall-cmd --permanent --add-masquerade
        firewall-cmd --reload
      • Use iptables. Do not combine this with firewalld on the same host; stop and disable firewalld first.
        1. Enable IP forwarding. Writing to /proc takes effect immediately but is lost on reboot; to persist it, also add net.ipv4.ip_forward = 1 to a file in /etc/sysctl.d/.
          # echo "1" > /proc/sys/net/ipv4/ip_forward
        2. Configure port forwarding. The DNAT rule rewrites the destination address; the MASQUERADE rule makes the replies from the on-premises server return through the ECS instance even when the ECS instance is not that server's default gateway; the FORWARD rules admit the flow if the policy of the FORWARD chain is DROP.
          # iptables -t nat -A PREROUTING -p tcp --dport <Port A> -j DNAT --to-destination <192.168.XX.XX>:<Port B>
          # iptables -t nat -A POSTROUTING -p tcp -d <192.168.XX.XX> --dport <Port B> -j MASQUERADE
          # iptables -A FORWARD -p tcp -d <192.168.XX.XX> --dport <Port B> -j ACCEPT
          # iptables -A FORWARD -p tcp -s <192.168.XX.XX> --sport <Port B> -j ACCEPT
    • Command example for Windows. The IP Helper service (iphlpsvc) must be running for portproxy rules to work.
      netsh interface portproxy add v4tov4 listenport=<Port A> listenaddress=* connectaddress=<192.168.XX.XX> connectport=<Port B> protocol=tcp
  2. Add the third-party image repository to Security Center.

    Make sure that you set IP to the CIDR block of the vSwitch within the VPC for which you configured forwarding rules. For more information, see Add a third-party image repository deployed on a public cloud to Security Center.
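    The forwarding step above, as an added example that is not part of the original page and not Security Center's or Alibaba Cloud's own tooling: a POSIX sh script for the iptables route on the ECS instance. It validates the port and address arguments, prints the complete rule set (DNAT plus the masquerade and FORWARD rules that a bare DNAT line needs) so that it can be reviewed before anything is applied, and applies it only when run explicitly as root. The port 8443, the on-premises address 192.168.10.20 and the file name 99-registry-forward.conf are placeholders assumed for this example.

```shell
#!/bin/sh
# Added example, not from the original page or from Security Center's documentation.
# Forwards TCP traffic arriving on PORT_A of the ECS instance to PORT_B on the
# on-premises registry host. Use this on a host without firewalld; on a host that
# runs firewalld, use the firewall-cmd commands instead and do not mix the two.
# Port 8443 and 192.168.10.20 in the usage lines below are placeholders.

# Accept a decimal TCP port in 1-65535; reject empty, non-numeric and out-of-range.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Accept a dotted-quad IPv4 address with exactly four octets, each 0-255.
# A hostname or a truncated address is rejected so the DNAT target is always literal.
validate_ipv4() {
    (
        set -f          # no pathname expansion while splitting on "."
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            case "$octet" in
                ''|*[!0-9]*) exit 1 ;;
            esac
            [ "$octet" -le 255 ] || exit 1
        done
        exit 0
    )
}

# check_args PORT_A TARGET_IP PORT_B: validate all three or print usage and fail.
check_args() {
    if validate_port "$1" && validate_ipv4 "$2" && validate_port "$3"; then
        return 0
    fi
    echo "usage: <Port A> <on-premises IPv4> <Port B>" >&2
    return 2
}

# build_forward_rules PORT_A TARGET_IP PORT_B
# Prints one iptables command per line and applies nothing, so the rule set can be
# reviewed before it touches the host.
build_forward_rules() {
    port_a=$1 target_ip=$2 port_b=$3
    # 1. Rewrite the destination of inbound connections on PORT_A to the on-premises host.
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$port_a" "$target_ip" "$port_b"
    # 2. Source-NAT the forwarded flow to this instance so replies come back through it
    #    even when it is not the on-premises host's default gateway.
    printf 'iptables -t nat -A POSTROUTING -p tcp -d %s --dport %s -j MASQUERADE\n' "$target_ip" "$port_b"
    # 3. Admit the flow in both directions through FORWARD, whose policy may be DROP.
    printf 'iptables -A FORWARD -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' "$target_ip" "$port_b"
    printf 'iptables -A FORWARD -p tcp -s %s --sport %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$target_ip" "$port_b"
}

# apply_forwarding PORT_A TARGET_IP PORT_B (run as root): enable routing, persist it,
# then apply the rules printed by build_forward_rules, stopping at the first error.
apply_forwarding() {
    check_args "$@" || return 2
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_forwarding must run as root" >&2
        return 2
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-registry-forward.conf
    build_forward_rules "$1" "$2" "$3" | sh -e
}

# verify_forwarding PORT_A: confirm the DNAT rule is installed. PREROUTING does not
# apply to connections that originate on this host, so test the path from another
# machine in the VPC, for example:  nc -z -w 3 <ECS address> <Port A>
verify_forwarding() {
    iptables -t nat -S PREROUTING | grep -q -- "--dport $1 .*-j DNAT"
}

# Usage:  sh forward.sh plan 8443 192.168.10.20 443    (print the rules)
#         sh forward.sh apply 8443 192.168.10.20 443   (apply them as root)
case "${1:-}" in
    plan)  shift; check_args "$@" && build_forward_rules "$@" ;;
    apply) shift; apply_forwarding "$@" ;;
esac
```

    Port A is now reachable by every source that can reach the ECS instance, so restrict it in the ECS security group to the sources that need it rather than leaving it open; the script deliberately forwards only one TCP port and only to a literal IPv4 address.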

What to do next

After a third-party image repository is added to Security Center, you must scan the container images in the image repository before Security Center can check whether the container images are at risk. For more information, see Scan container images.

You can view the information about the images that are protected by Security Center on the Assets page (Assets > Container).