Before you can use Security Center to scan images, you must add an image repository to Security Center. This topic describes how to add image repositories to Security Center.

Background information

You can add the following types of image repositories to Security Center: image repositories of Container Registry, Harbor repositories, and Quay repositories. Harbor repositories and Quay repositories are third-party image repositories.

Prerequisites

The container image scan feature is enabled. For more information, see Enable container image scan.

Add an image repository of Container Registry to Security Center

Container Registry has Enterprise Edition and Personal Edition. You can synchronize the information about the images in the image repositories of both Container Registry Enterprise Edition and Container Registry Personal Edition to Security Center. However, Security Center can scan only the images of Container Registry Enterprise Edition. You can add image repositories of a Container Registry Enterprise Edition instance to Security Center after you configure access to the instance over a virtual private cloud (VPC). For more information, see Configure access over VPCs.

Add a third-party image repository to Security Center

If your third-party image repository is deployed on a hybrid cloud that is composed of VPCs and data centers, you must configure traffic forwarding rules and then add the image repository to Security Center. For more information, see Configure traffic forwarding rules and add image repositories deployed on hybrid clouds.

If you create an access control policy for your image repository, make sure that the access control policy allows access from the IP address pools in the region in which the image repository resides.

IP address pools from which access must be allowed:

Region | Public IP address | Private IP address
China (Hangzhou) | 121.41.35.192, 121.41.39.7, 121.41.39.39, 121.41.39.153, and 121.41.38.32 | 100.104.177.0/26
China (Shanghai) | 47.103.62.83, 47.103.60.134, 47.103.58.177, 47.103.54.252, and 47.103.49.93 | 100.104.7.192/26
China (Qingdao) | 47.104.111.68 | 100.104.87.192/26
China (Beijing) | 123.57.55.56, 123.57.55.21, 123.57.55.18, 123.57.55.7, and 123.57.55.6 | 100.104.20.128/26
China (Zhangjiakou) | 39.99.229.195 | 100.104.187.64/26
China (Hohhot) | 39.104.147.68 | 100.104.36.0/26
China (Shenzhen) | 47.106.245.198, 47.107.237.185, 47.107.237.182, 47.107.237.170, and 47.107.237.152 | 100.104.9.192/26
China (Hong Kong) | 47.106.245.198, 47.107.237.185, 47.107.237.182, 47.107.237.170, and 47.107.237.152 | 100.104.111.128/26
Japan (Tokyo) | 47.74.24.20 | 100.104.69.0/26
Singapore | 47.74.238.176, 47.74.238.61, 47.74.237.201, 47.74.237.166, and 47.74.237.91 | 100.104.41.128/26
US (Silicon Valley) | 47.254.39.224 | 100.104.145.64/26
US (Virginia) | 47.252.4.238 | 100.104.36.0/26
Germany (Frankfurt) | 47.254.158.71 | 172.16.0.0/20
UK (London) | 8.208.14.12 | 172.16.0.0/20
Indonesia (Jakarta) | 149.129.238.99 | 100.104.193.128/26

  1. Log on to the Security Center console. In the left-side navigation pane, choose Assets > Container.
  2. On the Container page, click the Image tab and click Integrate.
  3. In the Integrate image repository panel, configure the following parameters and click Next.
    Parameter | Description
    Private repository type | The type of the third-party image repository. Valid values: harbor and quay.
    Note: Specify the value of Private repository type based on the type of your image repository.
    Version | The version of the third-party image repository. Valid values:
    • V1: If the version of the image repository is 1.X.X, select this option.
    • V2: If the version of the image repository is 2.X.X or later, select this option.
    Communication Type | The protocol that you want Security Center to use to communicate with the third-party image repository.
    Network Type | The network type of the third-party image repository.
    RegionId | The ID of the region in which the third-party image repository resides.
    IP | The IP address of the third-party image repository.
    Note: If the third-party image repository is deployed on a hybrid cloud, you must configure the IP parameter.
    Domain | The domain name of the third-party image repository.
    Speed limit | The number of images that can be added to Security Center per hour. Default value: 10.
    Important: If you add a large number of images per hour, your services may be adversely affected. In most cases, we recommend that you do not set this parameter to Unlimited.
    Username | The username used to access the third-party image repository.
    Password | The password used to access the third-party image repository.
    After the third-party image repository is added to Security Center, you can click Scan Settings on the Image Security page to view the information about the added image repository in the panel that appears.

Configure traffic forwarding rules and add image repositories deployed on hybrid clouds

If your third-party image repository is deployed on a hybrid cloud that is composed of VPCs and data centers, you must configure traffic forwarding rules and then add the image repository to Security Center. To configure traffic forwarding rules and add the image repository to Security Center, perform the following steps:

  1. Specify an Elastic Compute Service (ECS) instance and configure traffic forwarding rules to forward the traffic destined for the ECS instance to an on-premises server on which the third-party image repository resides.

    In the following command examples, the traffic on Port A of the ECS instance is forwarded to Port B of the on-premises server that uses the IP address of 192.168.XX.XX.

    • Command examples for CentOS 7
      • Use firewall-cmd:
        firewall-cmd --permanent --add-forward-port=port=<Port A>:proto=tcp:toaddr=<192.168.XX.XX>:toport=<Port B>
        firewall-cmd --reload
      • Use iptables:
        1. Enable port forwarding.
          echo "1" > /proc/sys/net/ipv4/ip_forward
        2. Configure port forwarding.
          iptables -t nat -A PREROUTING -p tcp --dport <Port A> -j DNAT --to-destination <192.168.XX.XX>:<Port B>
    • Command example for Windows
      netsh interface portproxy add v4tov4 listenport=<Port A> listenaddress=* connectaddress=<192.168.XX.XX> connectport=<Port B> protocol=tcp
  2. Add the third-party image repository to Security Center.

    Make sure that you set IP to the address of the ECS instance for which you configured forwarding rules. For more information, see Add a third-party image repository to Security Center.
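
The iptables rule in step 1 has no source match, so it relays every connection that reaches Port A. The following added example (not part of the original documentation) prints iptables rules that limit the forward to the Security Center IP address pool listed for the repository's region in the table under "Add a third-party image repository to Security Center". The function names, ports 8443 and 443, and the address 192.168.10.20 are constructed, and the FORWARD chain is assumed to keep its default ACCEPT policy.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules for the ECS instance.
# Names, ports and the 192.168.10.20 address are constructed sample values.

# is_port N: succeeds when N is an integer from 1 to 65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 ADDR: checks dotted-quad shape with optional /prefix (octet range not checked)
is_ipv4() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_forward_rules PORT_A DEST_IP PORT_B SRC [SRC...]
gen_forward_rules() {
    if [ "$#" -lt 4 ]; then
        echo "usage: gen_forward_rules PORT_A DEST_IP PORT_B SRC [SRC...]" >&2
        return 2
    fi
    port_a=$1; dest=$2; port_b=$3
    shift 3
    case "$dest" in */*) echo "destination must be a single address" >&2; return 1 ;; esac
    if ! is_port "$port_a" || ! is_port "$port_b" || ! is_ipv4 "$dest"; then
        echo "invalid port or destination" >&2
        return 1
    fi
    # Validate every source before printing anything; refuse "any" sources.
    for src in "$@"; do
        case "$src" in 0.0.0.0|0.0.0.0/*|*/0) echo "source too broad: $src" >&2; return 1 ;; esac
        is_ipv4 "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        # DNAT only connections that come from this Security Center address
        echo "iptables -t nat -A PREROUTING -s $src -p tcp --dport $port_a -j DNAT --to-destination $dest:$port_b"
        # After DNAT the packet is addressed to the registry; allow it through
        echo "iptables -A FORWARD -s $src -d $dest -p tcp --dport $port_b -j ACCEPT"
    done
    # Anything else routed through this host to the registry port is dropped
    echo "iptables -A FORWARD -d $dest -p tcp --dport $port_b -j DROP"
}

# Sources: the China (Hangzhou) row of the IP address pool table
gen_forward_rules 8443 192.168.10.20 443 \
    121.41.35.192 121.41.39.7 121.41.39.39 121.41.39.153 121.41.38.32 100.104.177.0/26
```

Review the printed rules before you run them as root on the ECS instance.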

Error codes

Error code | Error message | Solution
FailedToVerifyUsernameOrPwd | The error message returned because the username or password is invalid. | Check whether the username and password are correct.
RegistryVersionError | The error message returned because the version of the image repository is invalid. | Check whether the version of the image repository is valid.
UserDoesNotHaveAdminRole | The error message returned because you do not have administrative rights. | Log on to the server on which Harbor repositories are deployed and obtain administrative rights.
NetworkConnectError | The error message returned because the network connection timed out. | Check whether the network can be connected and whether port 80 or port 443 is enabled.

What to do next

After your image repository is added to Security Center, the images in the image repository are protected by Security Center. You can view the information about the images on the Image tab of the Container page. For more information, see View security information about containers.

You must use Security Center to scan the images in the image repository for risks. For more information, see Scan images.