The container image scan feature manages container images and detects security risks in them in a comprehensive manner. The risks include high-risk system vulnerabilities, application vulnerabilities, malicious samples, configuration risks, and sensitive data in images. The feature also supports quick fixes for detected image system vulnerabilities. You can use the feature to manage and ensure image security and thereby protect the related systems and data.
Limits
Container image scan is a value-added feature of Security Center and must be separately purchased. Only users of the Advanced, Enterprise, Ultimate, and Value-added Plan editions can purchase container image scan.
Supported regions
Only the Container Registry instances in the following regions support the container image scan feature.
| Area | Supported region |
| --- | --- |
| China | |
| Outside China | |
Items that can be detected
| Item | Description | Suggestion |
| --- | --- | --- |
| Image system vulnerability | The container image scan feature can detect vulnerabilities that may affect the security of the container environment, such as operating system vulnerabilities and third-party software vulnerabilities in images. | We recommend that you fix image system vulnerabilities at the earliest opportunity based on the fixing commands and impact descriptions that are provided by Security Center. |
| Image application vulnerability | The container image scan feature can detect application vulnerabilities in images. The vulnerabilities can cause security issues such as unauthorized access, code injection, and denial-of-service (DoS) attacks. | We recommend that you fix image application vulnerabilities at the earliest opportunity based on the fixing commands and impact descriptions that are provided by Security Center. |
| Image baseline risk | The container image scan feature can check whether images conform to security configuration specifications and best practices. | We recommend that you handle image baseline risks at the earliest opportunity based on the baseline check details that are provided by Security Center. |
| Malicious image sample | The container image scan feature can detect malicious files, malicious code, and malicious behavior in images and during container runtime. | We recommend that you handle malicious file samples at the earliest opportunity based on the information provided by Security Center. The information includes the paths to the malicious files. |
| Sensitive image file | The container image scan feature can detect common sensitive files, which include the following items: | We recommend that you assess the risks based on the suggestions provided by Security Center, remove the sensitive information at the earliest opportunity, and then rebuild the images. |
The container image scan feature supports quick fixes only for image system vulnerabilities. For the other risk types, fix them manually based on the suggestions included in the risk details.
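As an added illustration of what a "Sensitive image file" check does (example code written for this page, not Security Center's implementation): the script below unpacks a docker-save style archive, walks each layer listed in manifest.json, and flags files by filename pattern or, for misnamed files, by private-key content. The filename patterns and the sample image are assumptions constructed for the demo.

```python
import io
import json
import re
import tarfile
SENSITIVE_PATTERNS = [  # assumed filename heuristics, not Security Center's actual rule set
    (re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"), "ssh private key"),
    (re.compile(r"\.(pem|key|p12|pfx)$"), "key material file"),
    (re.compile(r"(^|/)\.env$"), "dotenv secrets file"),
]
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")  # content check for misnamed keys

def _tar_bytes(entries):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    # Constructed docker-save style archive (manifest.json + one layer tar); not a real image.
    layer = _tar_bytes([
        ("root/.ssh/id_rsa", b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n"),
        ("app/.env", b"DB_PASSWORD=example\n"),
        ("app/config/cert.txt", b"-----BEGIN RSA PRIVATE KEY-----\nMIIE\n"),  # harmless name, key inside
        ("app/main.py", b"print('hello')\n"),  # benign, must not be flagged
    ])
    manifest = json.dumps([{"Config": "cfg.json", "Layers": ["layer1/layer.tar"]}]).encode()
    return _tar_bytes([("manifest.json", manifest), ("layer1/layer.tar", layer)])

def scan_layer(layer_name, layer):
    # Flag regular files by name first, then by content for files the name check missed.
    findings = []
    for m in filter(tarfile.TarInfo.isfile, layer):
        path = m.name[2:] if m.name.startswith("./") else m.name
        reason = next((why for pat, why in SENSITIVE_PATTERNS if pat.search(path)), None)
        if reason is None and PEM_PRIVATE_KEY.search(layer.extractfile(m).read(256)):
            reason = "PEM private key content"
        if reason:
            findings.append((layer_name, path, reason))
    return findings

def scan_image(image_bytes):
    # Walk every layer listed in manifest.json; return (layer, path, reason) for each hit.
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as outer:
        for entry in json.load(outer.extractfile("manifest.json")):
            for layer_name in entry["Layers"]:
                with tarfile.open(fileobj=outer.extractfile(layer_name)) as layer:
                    findings += scan_layer(layer_name, layer)
    return findings
```

Each finding names the layer it came from, which is what you need to locate the Dockerfile step that copied the secret before rebuilding the image.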
Supported operating systems and versions
| Operating system | Operating system version that supports risk detection | Operating system version that supports risk fixing |
| --- | --- | --- |
| Red Hat | | None |
| CentOS | | |
| Ubuntu | | |
| Debian | | |
| Alpine | | Alpine 3.9 |
| Amazon Linux | | None |
| Oracle Linux | | None |
| SUSE Linux Enterprise Server | | None |
| Fedora Linux | | None |
| openSUSE | | None |
References
For more information about the vulnerability management of servers, see Vulnerability management.
For more information about how to view the scan results of Elastic Compute Service (ECS) images, see View image scan results.