Container Registry Enterprise Edition instances allow you to use Security Center. For example, you can use Security Center to detect system vulnerabilities, application vulnerabilities, baseline risks, and malicious samples in container images. You can also fix the system vulnerabilities with a few clicks. This topic describes how to fix system vulnerabilities in container images with a few clicks.

Prerequisites

Security Center is activated. For more information, see Purchase Security Center and Enable container image scan.

Background information

Container Registry allows you to use Security Center to detect the following risks for container images:
  • System vulnerabilities: Security Center scans system vulnerabilities in container images and allows you to fix the system vulnerabilities with a few clicks. This ensures that your container images are secure and reliable.
  • Application vulnerabilities: Security Center scans container-related middleware to detect application vulnerabilities and provides suggestions on how to fix vulnerabilities. This ensures that container images run in a secure environment.
  • Baseline risks: Security Center scans your containers to detect baseline risks and provides suggestions on how to handle the risks.
  • Malicious samples: Security Center detects malicious samples in your containers. This allows you to view the risks in containers and ensure the security of your containers.
Note Only system vulnerabilities can be fixed with a few clicks. If application vulnerabilities, malicious samples, or baseline risks are detected in your container images, we recommend that you follow the suggestions that are provided by Security Center to fix vulnerabilities and use the paths of the malicious samples to manually reinforce image protection.

Procedure

  1. Authorize Security Center.
    Note The first time you use Security Center to scan container images, this step is required.
    1. Log on to the Security Center console.
    2. In the left-side navigation pane, click Assets.
    3. On the Assets page, click the Container tab. On this tab, click Authorize Immediately.
      After the authorization is complete, the Authorization succeeded message appears.
  2. Scan container images.
    1. In the left-side navigation pane, choose Precaution > Image Security.
    2. On the Image Security page, click Scan Now in the Security Scan section.
    3. In the One-Click Scan dialog box, select the image repositories that you want to scan and click Configure scan scope.
    4. On the Scan Configurations tab, set the scan parameters.
      Parameters:
      • Number of Authorizations Consumed/Total Authorizations: The number of container image scans that have been performed and the total number of container image scans that are allowed.
        Note Container images can be scanned only if the number of remaining scans is greater than 0.
      • Scan Cycle: The frequency at which Security Center scans container images. Valid values: 3 Days, One week, Two weeks, and Stop.
      • Scan Scope: The scope of images that you want to scan. Click Manage on the right side of Scan Scope. In the Image management dialog box, select one or more image repositories that you want to scan and click Settings. Then, click OK.
      • Scan Time Range: The time range during which the container images are scanned.
      • Scan policy: If you select this option, container images are scanned whenever an image within the scan scope is updated. If you do not select this option, Security Center scans container images based on the scan cycle that you specify.
    5. Click the Image repository tab to view the image repositories.
      Security Center automatically adds the Container Registry Enterprise Edition instances within your account to the image repositories.
    6. Click the Baseline Configuration Management tab to set the configuration scope.
      Parameters:
      • Configuration Scope: Click Manage on the right of Configuration Scope. In the Baseline check scope dialog box, select the items to be checked and click OK.
      • Accesskey Leakage Detection: Turn on Accesskey Leakage Detection. This feature scans images to identify whether an AccessKey pair has been leaked into the image.
      • Password leakage check: Turn on Password leakage check. This feature scans images to identify whether a password has been leaked into the image.
    7. On the Image Security page, click Scan Now in the Security Scan section. In the dialog box that appears, click Confirm.
      The scan usually takes one minute to complete. You can refresh the Image Security page to view the scan results after one minute.
  3. Fix the system vulnerabilities in container images.
    1. In the left-side navigation pane, click Assets.
    2. On the Assets page, click the Container tab.
    3. On the All applications tab, click Image(s). On the right side, find the image whose Risk level column shows that risks are detected. Then, click Process in the Actions column.
    4. On the Image System Vul tab, find the vulnerability that you want to fix and click Fix in the Actions column.
    5. In the Fix dialog box, specify whether to overwrite the existing image tag. We recommend that you do not overwrite the existing image tag. Click Fix Now.
      If you choose not to overwrite the existing image tag, a new container image is built from the existing one and is tagged with the existing image tag plus the suffix _fix; the original image is left unchanged. If you choose to overwrite the existing image tag, the new container image is built from the existing one and replaces the container image that has the existing image tag.
      Note If you configure a repository to be immutable, the repaired image tag cannot overwrite the existing image. If you want the repaired image tag to overwrite the original image, you must not configure the repository to be immutable. For more information, see Configure a repository to be immutable.
      The fix takes several minutes to complete. When it is complete, go to the Container tab of the Assets page. On this tab, the new container image is listed and No risks is displayed in its Risk level column.
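After the one-click fix produces a <tag>_fix image, a practitioner usually wants to confirm which packages the fix actually upgraded rather than rely on the Risk level column alone. The helper below is an added example, not part of Container Registry or Security Center; it assumes (hypothetically) that the package inventories of the original and fixed images were exported with docker run and dpkg-query as shown in the comments, and it embeds constructed sample inventories so it runs stand-alone.

```shell
#!/bin/sh
# Verification helper for a one-click system-vulnerability fix (added example).
# Assumed export step, run once per image (hypothetical registry/repo/tag values):
#   docker run --rm REG/REPO:TAG     dpkg-query -W -f='${Package} ${Version}\n' > before.txt
#   docker run --rm REG/REPO:TAG_fix dpkg-query -W -f='${Package} ${Version}\n' > after.txt

# Tag that Security Center assigns when you choose not to overwrite the existing tag.
fix_tag() {
    printf '%s_fix\n' "$1"
}

# Print "name old -> new" for every package whose version differs between the
# original inventory ($1) and the fixed inventory ($2). Inventories are
# "name version" lines; they are sorted first because join(1) requires it.
changed_packages() {
    a=$(mktemp) && b=$(mktemp) || return 1
    sort -k1,1 "$1" > "$a"
    sort -k1,1 "$2" > "$b"
    join -j 1 "$a" "$b" | awk '$2 != $3 { printf "%s %s -> %s\n", $1, $2, $3 }'
    rm -f "$a" "$b"
}

# Succeed only if at least one package changed, i.e. the fix was not a no-op.
fix_changed_something() {
    [ -n "$(changed_packages "$1" "$2")" ]
}

# Stand-alone run on constructed sample inventories (not real scan data).
demo() {
    d=$(mktemp -d) || return 1
    printf 'bash 5.1-2\nlibssl1.1 1.1.1n-0+deb11u3\nzlib1g 1:1.2.11.dfsg-2\n' > "$d/before.txt"
    printf 'bash 5.1-2\nlibssl1.1 1.1.1n-0+deb11u5\nzlib1g 1:1.2.11.dfsg-2\n' > "$d/after.txt"
    echo "fixed image tag: $(fix_tag v1.0)"
    changed_packages "$d/before.txt" "$d/after.txt"
    rm -rf "$d"
}
demo
```

An empty result from changed_packages means the fixed image carries the same package versions as the original, which is worth investigating before you roll the _fix tag out.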