Security Center provides the feature of container image scan. You can use the feature to check whether vulnerabilities and malicious samples exist in your images. This helps ensure a secure runtime environment for your images. This topic describes how to scan images.

Prerequisites

Background information

Vulnerabilities may exist in the basic system software, middleware, web applications, and databases that are in your images. Your images may also contain malicious samples, such as mining trojans and backdoor programs, that pose threats to your assets. Security Center allows you to scan images immediately and to configure a cycle in which images are scanned for vulnerabilities. For more information, see Immediately scan images and Configure a cycle to scan for image vulnerabilities.
Notice Each time you scan an image that has changed, one scan is deducted from the quota specified by Container Image Scan. An image is considered changed when the digest value of the image changes. Before you scan images, make sure that Container Image Scan is set to an appropriate value.

Immediately scan images

To immediately scan images, log on to the Security Center console. On the Image security scan tab, click Scan Now. In the One-Click Scan dialog box, specify the type of the images that you want to scan, and then click Confirm. The following types of image repositories can be scanned:
  • ACR: If you select acr in the dialog box, Security Center checks whether vulnerabilities and malicious samples exist in your Container Registry Enterprise Edition instance that is created in the Container Registry console.
  • Harbor: If you select harbor in the dialog box, Security Center checks whether vulnerabilities and malicious samples exist in the Harbor image repositories that you added to Security Center.

The scan takes approximately 1 minute. You can manually refresh the Image security scan tab and view the scan results in the list of image vulnerabilities after 1 minute.

Configure a cycle to scan for image vulnerabilities

To scan your assets for image vulnerabilities and malicious samples on a regular basis, perform the following operations to configure a scan cycle:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Image Security.
  3. In the upper-right corner of the Image security scan tab, click Scan Settings.
  4. In the Scan Settings panel, configure the parameters.
    The following parameters are available:
    Number of Authorizations Consumed/Total Authorizations: The number of image scans that have been performed and the total number of image scans that are allowed. If the allowed number of image scans is about to be used up, you can click Expand to specify Container Image Scan on the Upgrade/Downgrade page based on your business requirements.
    Scan cycle: The interval at which you want to scan your images. Valid values:
    • 3 Days
    • One week
    • Two weeks
    • Stop
    Scan Scope: The scope of images that you want to scan. To select the scope, perform the following steps:
    1. Click Manage on the right of Scan Scope.
    2. In the Image management dialog box, select the image repository that you want to scan.
    3. Click OK.
    Scan Time Range: The period in which you want to scan for image vulnerabilities. Valid values:
    • Last day
    • Last 3 days
    • Last 7 days
    • Last 15 days
    • Last 20 days
    • Last 90 days
    • Last 180 days
    • Last 365 days
    Vulnerability retention duration: The retention period for detected vulnerabilities. Vulnerabilities that have been retained longer than the specified period are deleted. Valid values:
    • 30 days
    • 60 days
    • 90 days
    • 180 days
    After the parameters are configured, Security Center scans your images based on the configurations.
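The following Python model is an added example, not Security Center's own code or API. It shows how the settings above and the quota rule from the Notice interact: only images pushed within the Scan Time Range are scanned, a scan of an image whose digest is unchanged since the last scan deducts nothing, a changed digest costs one authorization (and the scan fails once the quota is used up), and findings older than the Vulnerability retention duration are dropped. The data classes, the toy detector, the digests and the vulnerability labels are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Image:
    repo: str          # constructed name, e.g. "acr/web" or "harbor/db"
    tag: str
    digest: str        # the image counts as changed when this value changes
    pushed_at: datetime


@dataclass
class Finding:
    image: str         # "repo:tag"
    name: str          # constructed label, not a real CVE identifier
    detected_at: datetime


@dataclass
class ScanSettings:
    cycle_days: int              # Scan cycle: 3, 7, 14; 0 models "Stop"
    time_range_days: int         # Scan Time Range: images pushed in the last N days
    retention_days: int          # Vulnerability retention duration
    total_authorizations: int    # Total Authorizations
    consumed: int = 0            # Number of Authorizations Consumed
    last_digest: dict = field(default_factory=dict)   # "repo:tag" -> digest last scanned


def images_in_time_range(images, settings, now):
    cutoff = now - timedelta(days=settings.time_range_days)
    return [img for img in images if img.pushed_at >= cutoff]


def run_scan(images, settings, detect, now):
    """Scan in-range images. Returns (scanned keys, skipped keys, new findings)."""
    scanned, skipped, findings = [], [], []
    for img in images_in_time_range(images, settings, now):
        key = f"{img.repo}:{img.tag}"
        if settings.last_digest.get(key) == img.digest:
            skipped.append(key)          # unchanged digest: nothing is deducted
            continue
        if settings.consumed >= settings.total_authorizations:
            raise RuntimeError("Container Image Scan quota used up; expand it first")
        settings.consumed += 1           # a changed image costs one authorization
        settings.last_digest[key] = img.digest
        scanned.append(key)
        findings.extend(Finding(key, name, now) for name in detect(img))
    return scanned, skipped, findings


def prune_findings(findings, settings, now):
    """Drop findings retained longer than the retention duration."""
    cutoff = now - timedelta(days=settings.retention_days)
    return [f for f in findings if f.detected_at >= cutoff]


def next_scan(settings, last_scan):
    """Next scheduled scan, or None when the cycle is set to Stop."""
    return None if settings.cycle_days == 0 else last_scan + timedelta(days=settings.cycle_days)


# Constructed detector: a lookup table standing in for the real vulnerability scan.
KNOWN_BAD_DIGESTS = {"sha256:aaa1": ["EXAMPLE-VULN-1"], "sha256:aaa2": ["EXAMPLE-VULN-2"]}


def toy_detect(img):
    return KNOWN_BAD_DIGESTS.get(img.digest, [])


def demo():
    now = datetime(2024, 1, 15)
    settings = ScanSettings(cycle_days=7, time_range_days=7, retention_days=30, total_authorizations=5)
    images = [
        Image("acr/web", "v1", "sha256:aaa1", now - timedelta(days=2)),     # inside the 7-day range
        Image("harbor/db", "v1", "sha256:bbb1", now - timedelta(days=20)),  # pushed too long ago
    ]
    first = run_scan(images, settings, toy_detect, now)
    second = run_scan(images, settings, toy_detect, now)      # same digest: skipped, no deduction
    later = next_scan(settings, now)                          # one cycle later
    images[0] = Image("acr/web", "v1", "sha256:aaa2", later - timedelta(days=1))  # rebuilt image
    third = run_scan(images, settings, toy_detect, later)
    all_findings = first[2] + second[2] + third[2]
    kept = prune_findings(all_findings, settings, now + timedelta(days=35))  # first finding expires
    empty = ScanSettings(cycle_days=7, time_range_days=7, retention_days=30, total_authorizations=0)
    try:
        run_scan(images, empty, toy_detect, later)
        quota_error = False
    except RuntimeError:
        quota_error = True
    return {
        "first_scanned": first[0], "second_skipped": second[1], "third_scanned": third[0],
        "consumed": settings.consumed, "next_scan": later.date().isoformat(),
        "finding_names": [f.name for f in all_findings],
        "kept_after_35_days": [f.name for f in kept], "quota_error": quota_error,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the cost side: rebuilding images frequently produces new digests, so a short cycle on a repository with many rebuilt images consumes authorizations quickly, whereas re-scanning unchanged images is free.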

Manage image repositories

You can click the Image repository tab in the Scan Settings panel to view the Container Registry Enterprise Edition instances that support container image scan and the third-party image repositories that you added to Security Center. The Container Registry instances use the image repositories of the ACR type. The third-party image repositories are of the Harbor type.
  • If you want to scan the third-party image repositories that are not displayed on the Image repository tab, you can click Integrate image repository to go to the Integrate image repository panel and add your third-party image repositories to Security Center. For more information about the parameters in the Integrate image repository panel, see Add image repositories to Security Center.
  • If you do not want to scan a third-party image repository that is displayed on the Image repository tab, you can click Remove in the Operation column for the image repository. In the message that appears, click OK to remove the image repository.
Note Security Center automatically adds Container Registry Enterprise Edition instances within your account to the image repository list. You cannot remove the Container Registry Enterprise Edition instances from the image repository list.

Configure baseline checks for images

After you configure a cycle to scan your images for vulnerabilities, you can also configure baseline checks for the images.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Image Security.
  3. In the upper-right corner of the Image security scan tab, click Scan Settings.
  4. In the Scan Settings panel, click the Baseline Configuration Management tab.
  5. Click Management to the right of Configuration Scope.
  6. In the Baseline check scope panel, select the baselines that you want to check.
    Notice The Accesskey Leakage Detection and Password leakage check parameters below Configuration Scope correspond to the Access Key Leakage and Password leakage sections in the Baseline check scope panel. If you select baselines in those two sections of the Baseline check scope panel, the switches for the Accesskey Leakage Detection and Password leakage check parameters below Configuration Scope are turned on automatically, and you do not need to configure the parameters separately. You can also turn the two switches on or off directly to enable or disable these baseline checks.
  7. In the lower part of the panel, click OK.
    After the configurations are complete, Security Center scans your images and checks the baselines of the images.
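To make the two leakage baselines concrete, here is an added example of a minimal credential-leakage check over image file contents, written for this page and not Security Center's own detection logic. The file set, the `enabled` switches (which mirror the Accesskey Leakage Detection and Password leakage check parameters above), the password-assignment pattern, and the access-key pattern are all constructed; in particular, the `AK...` shape is an assumed placeholder, not the real AccessKey ID format. Findings carry a masked value rather than the secret itself, and values that are only references to environment variables are not reported.

```python
import re

# Constructed image file contents (path -> text), standing in for files
# extracted from image layers. All values are made up for this example.
SAMPLE_IMAGE_FILES = {
    "/app/.env": "DB_PASSWORD=s3cretValue\nAPI_URL=https://example.invalid\n",
    "/app/config.yaml": "db:\n  password: ${DB_PASSWORD}\n",      # a reference, not a secret
    "/app/settings.ini": "[cloud]\naccess_key_id = AK0123456789ABCDEF\n",
    "/usr/share/doc/readme.txt": "No credentials here.\n",
}

# Assumed placeholder shape for an access key ID; the real format differs.
ACCESS_KEY_ID_RE = re.compile(r"\bAK[A-Z0-9]{16}\b")
# A literal assigned to a password-like key in .env, ini or yaml style files.
PASSWORD_ASSIGN_RE = re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)")


def is_reference(value):
    """${DB_PASSWORD} or $DB_PASSWORD is an indirection, not a leaked secret."""
    return value.startswith("$")


def mask(value):
    """Never echo the secret in a finding; keep a two-character prefix for triage."""
    return value[:2] + "*" * (len(value) - 2)


def check_image_files(files, enabled):
    """Run the enabled leakage baselines over every line of every file.

    ``enabled`` mirrors the two switches below Configuration Scope, for example
    {"access_key_leakage": True, "password_leakage": True}.
    """
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            if enabled.get("access_key_leakage"):
                m = ACCESS_KEY_ID_RE.search(line)
                if m:
                    findings.append({"baseline": "Access Key Leakage", "path": path,
                                     "line": lineno, "evidence": mask(m.group(0))})
            if enabled.get("password_leakage"):
                m = PASSWORD_ASSIGN_RE.search(line)
                if m and not is_reference(m.group(2)):
                    findings.append({"baseline": "Password leakage", "path": path,
                                     "line": lineno, "evidence": mask(m.group(2))})
    return findings


if __name__ == "__main__":
    for f in check_image_files(SAMPLE_IMAGE_FILES, {"access_key_leakage": True, "password_leakage": True}):
        print(f"{f['baseline']}: {f['path']}:{f['line']} -> {f['evidence']}")
```

Disabling a switch removes that baseline's findings without affecting the other, which is the behaviour the Notice describes for the two parameters below Configuration Scope.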

What to do next

After Security Center scans your images, you can view the scan results. For more information, see View container image scan results.