Security Center provides the feature of container image scan. You can use the feature to check whether vulnerabilities, baseline risks, malicious samples, and sensitive files exist in your images. This ensures a secure runtime environment for your images. This topic describes how to scan images.

Prerequisites

Background information

Vulnerabilities may exist in the basic system software, middleware, web applications, and databases that are in your images. The risks also include mining trojans and backdoor programs, which pose threats to your assets. Security Center allows you to immediately scan images or configure a cycle to scan for image vulnerabilities. For more information, see Immediately scan images and Configure a cycle to scan for image vulnerabilities.
Important If your images have changed, scanning them consumes the scan quota that is specified by Container Image Scan. An image is considered changed when its digest value changes. Before you scan images, make sure that Container Image Scan is set to an appropriate value based on your business requirements.

Immediately scan images

To immediately scan images, click Scan Now on the Image Security page. In the One-Click Scan dialog box, select the type of the images that you want to scan and click Confirm. The following types of image repositories can be scanned:
  • ACR: If you select acr in the dialog box, Security Center checks whether risks exist in your Container Registry Enterprise Edition instance that is created in the Container Registry console.
  • Harbor: If you select harbor in the dialog box, Security Center checks whether risks exist in the Harbor image repositories that you added to Security Center.

The scan takes approximately 1 minute. After 1 minute, you can refresh the Image security scan tab and view the scan results in the list of image risks.

Configure a cycle to scan for image vulnerabilities

To enable automatic and periodic scans for image vulnerabilities and malicious samples, perform the following operations to configure a scan cycle:

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
  2. In the upper-right corner of the Image Security page, click Scan Settings.
  3. On the Scan Configurations tab of the Scan Settings panel, configure the parameters.
    Parameter / Description
    • Number of Authorizations Consumed/Total Authorizations: The number of image scans that are performed and the total number of image scans that are allowed. If the number of image scans that are allowed is near exhaustion, you can click Expand to configure Container Image Scan on the Upgrade/Downgrade page.
    • Scan cycle: The cycle at which you want to scan your images.
    • Scan Scope: The scope of images that you want to scan. To select the scope, perform the following steps:
      1. Click Manage to the right of Scan Scope.
      2. In the Image management dialog box, select the image repository that you want to scan.
      3. Click OK.
    • Scan Time Range: The time range for the images that you want to scan.
      Important The last update time of an image is used to evaluate whether the image meets the specified time range condition. If an image has never been updated, the creation time of the image is used instead. If you set this parameter to Last 7 days, Security Center scans the images that were updated within the last seven days. Images that were updated more than seven days ago are not scanned.
    • Vulnerability retention duration: The retention period for detected vulnerabilities. Security Center automatically deletes detected vulnerabilities after the specified retention period.
    After the parameters are configured, Security Center scans your images based on the configurations.

Manage image repositories

You can click the Image repository tab in the Scan Settings panel to view the Container Registry Enterprise Edition instances that support container image scan and the third-party image repositories that you added to Security Center. The Container Registry instances use the image repositories of the acr type. The third-party image repositories are of the harbor type.
Note Security Center automatically adds Container Registry Enterprise Edition instances within the current Alibaba Cloud account to the image repository list. You cannot remove the Container Registry Enterprise Edition instances from the image repository list.
  • If you want to scan the third-party image repositories that are not displayed on the Image repository tab, you can click Integrate image repository to go to the Integrate image repository panel and add your third-party image repositories to Security Center. For more information, see Add image repositories to Security Center.
  • If you do not want to scan a third-party image repository that is displayed on the Image repository tab, you can click Remove in the Operation column for the image repository. In the message that appears, click OK to remove the image repository.
    Note The default image repositories that are displayed on the image repository tab cannot be deleted. The types of the default image repositories are acr and defaultAcr.
  • When you scan images in a Harbor image repository, you can specify the speed for image scans. To specify the speed for image scans, find a Harbor image repository and click Edit in the Operation column. In the panel that appears, configure the Speed Limit parameter. This improves the efficiency of image scans. The Speed Limit parameter indicates the number of images that can be scanned within 1 hour. The default value is 10. If you retain the default value and the Harbor image repository contains 200 images, the image scan task requires 20 hours to complete. If you set the Speed Limit parameter to 200, the scan task requires 1 hour to complete.
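As an added illustration that is not Security Center's own code, the Scan Time Range rule, the digest-based quota deduction and the Harbor Speed Limit estimate described above can be modelled as follows; the image inventory, digests and function names are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import ceil
from typing import Dict, List, Optional, Tuple


@dataclass
class Image:
    name: str
    digest: str                            # manifest digest; a new digest means the image changed
    created_at: datetime
    updated_at: Optional[datetime] = None  # None if the image was never updated


def effective_time(img: Image) -> datetime:
    # Scan Time Range is evaluated on the last update time, or the creation time if never updated.
    return img.updated_at if img.updated_at is not None else img.created_at


def in_scan_time_range(img: Image, now: datetime, days: int) -> bool:
    # True if the image falls inside a "Last N days" Scan Time Range.
    return now - effective_time(img) <= timedelta(days=days)


def plan_scan(images: List[Image], last_scanned: Dict[str, str],
              now: datetime, days: int = 7) -> Tuple[List[str], int]:
    # last_scanned maps image name -> digest recorded at the previous scan. Only an image
    # whose digest changed (or that was never scanned) is deducted from the scan quota.
    in_scope = [img for img in images if in_scan_time_range(img, now, days)]
    consumed = sum(1 for img in in_scope if last_scanned.get(img.name) != img.digest)
    return [img.name for img in in_scope], consumed


def harbor_scan_hours(image_count: int, speed_limit: int = 10) -> int:
    # Harbor Speed Limit is the number of images scanned per hour (default 10).
    return ceil(image_count / speed_limit)


# Constructed sample inventory; the digests are placeholders, not real image digests.
UTC = timezone.utc
NOW = datetime(2024, 6, 15, tzinfo=UTC)
SAMPLE_IMAGES = [
    Image("app/web", "sha256:aaaa", datetime(2024, 6, 1, tzinfo=UTC), datetime(2024, 6, 12, tzinfo=UTC)),
    Image("app/worker", "sha256:bbbb", datetime(2024, 6, 14, tzinfo=UTC)),   # never updated
    Image("base/legacy", "sha256:cccc", datetime(2024, 5, 1, tzinfo=UTC), datetime(2024, 6, 1, tzinfo=UTC)),
]
LAST_SCANNED = {"app/web": "sha256:aaaa"}  # app/web is unchanged since its last scan

if __name__ == "__main__":
    print(plan_scan(SAMPLE_IMAGES, LAST_SCANNED, NOW))            # (['app/web', 'app/worker'], 1)
    print(harbor_scan_hours(200), harbor_scan_hours(200, 200))    # 20 1
```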

Configure baseline checks for images

After you configure a cycle to scan your images for vulnerabilities, you can also configure the baseline checks of the images.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
  2. In the upper-right corner of the Image Security page, click Scan Settings.
  3. In the Scan Settings panel, click the Baseline Configuration Management tab.
  4. Click Management to the right of Configuration Scope.
  5. In the Baseline check scope panel, select the baselines that you want to check.
    Important The baselines that are specified for the Accesskey Leakage Detection and Password leakage check parameters below Configuration Scope are the same as those in the Access Key Leakage and Password leakage sections in the Baseline check scope panel. If you select baselines in the Access Key Leakage and Password leakage sections in the Baseline check scope panel, the switches for the Accesskey Leakage Detection and Password leakage check parameters below Configuration Scope are turned on. You do not need to configure these parameters. You can also turn on or off the switches for the Accesskey Leakage Detection and Password leakage check parameters to enable or disable the baseline checks.
  6. Click Confirm.
    After the configurations are complete, Security Center scans your images and checks the baselines of the images.

Immediately run a container runtime image scan

The feature of container runtime image scan can help you detect security risks when containers are started. The feature supports only manual scan tasks. Periodic scan tasks are not supported.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
  2. In the upper-right corner of the Image Security page, click Scan Settings.
  3. In the Scan Settings panel, click the Container Runtime Image Scan tab.
  4. Select the cluster that you want to scan and click Scan Now below the cluster list.
    After you run a scan, you can view the scan progress on the Container Runtime Image Scan tab of the Task management panel. After the scan is complete, you can view the detected vulnerabilities on the Image Vulnerability tab of the Image Security page.

Configure sensitive file scan for images

The sensitive file scan feature allows you to detect sensitive data in common sensitive files and custom image files. The feature supports various types of common sensitive files, including application configurations that contain sensitive information, private keys of certificates, credentials for application authentication or logons, and credentials for cloud service providers. You can handle the sensitive data that is detected at the earliest opportunity to improve the security of the image runtime environment.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
  2. On the Image Security page, click Scan Settings in the upper-right corner.
  3. In the Scan Settings panel, click the Sensitive File Scan Settings tab.
  4. Turn on or turn off Enable Sensitive File Detection.
    If you turn on Enable Sensitive File Detection, a sensitive file scan task immediately starts after you click Scan now or when a periodic scan task that you configured starts.

Configure a vulnerability whitelist

If you do not want to scan for an image vulnerability, you can add the vulnerability to the vulnerability whitelist. Security Center does not detect the vulnerabilities in the vulnerability whitelist.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
  2. On the Image Security page, click Scan Settings in the upper-right corner.
  3. In the Scan Settings panel, click the Vulnerability Whitelist Settings tab.
  4. Configure the vulnerability whitelist.
    • Create a vulnerability whitelist rule: Click Add rules. In the Edit panel, configure a whitelist rule based on a specified vulnerability type.
    • Edit a vulnerability whitelist rule: Find the whitelist rule and click Edit in the Actions column. In the Edit panel, modify the Rule scope and Note parameters.
    • Delete a vulnerability whitelist rule: Find the whitelist rule and click Delete in the Actions column. After you remove a vulnerability from the whitelist, Security Center can detect the vulnerability and generate alerts for the vulnerability.

What to do next

After Security Center scans your images, you can view the scan results. For more information, see View image scan results.