Before you can use Security Center to scan images, you must add image repositories to Security Center. This topic describes how to add image repositories to Security Center.
You can add the following types of image repositories to Security Center: image repositories of Container Registry, Harbor repositories, and Quay repositories. Harbor repositories and Quay repositories are third-party image repositories.
Add an image repository of Container Registry to Security Center
Container Registry has Enterprise Edition and Personal Edition. You can synchronize the information about the images in the image repositories of both Container Registry Enterprise Edition and Container Registry Personal Edition to Security Center. Security Center can scan only the images of Container Registry Enterprise Edition. You can add image repositories of a Container Registry Personal Edition instance to Security Center after you create the instance. To add image repositories of a Container Registry Enterprise Edition instance to Security Center, you must configure access to the instance over a virtual private cloud (VPC). For more information, see Configure access over VPCs.
You can use one of the following methods to synchronize the information about the images in the image repositories of both Container Registry Enterprise Edition and Container Registry Personal Edition:
Automatic synchronization: Security Center automatically synchronizes the information in the early morning every day.
Manual synchronization: You can manually synchronize the most recent information. For more information, see View security information about containers.
Add a third-party image repository to Security Center
If you create an access control policy for your image repository, make sure that the access control policy allows access from the IP address pools in the region in which the image repository resides.
View IP address pools from which the access must be allowed
|Region||Public IP address||Private IP address|
|China (Shanghai)||18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, and 184.108.40.206||100.104.43.0/26|
|China (Hong Kong)||220.127.116.11||100.104.130.128/26|
|US (Silicon Valley)||18.104.22.168||100.104.145.64/26|
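The following added example (not part of the original documentation) checks whether a repository's access control list admits every address that Security Center connects from in one region, and reports the exact ranges still blocked. The function name `uncovered` and both sample allowlists are constructed for illustration; the required addresses are the China (Hong Kong) row of the table above.

```python
import ipaddress

# China (Hong Kong) row of the table above (values copied from this page).
REQUIRED_HK = ["220.127.116.11", "100.104.130.128/26"]


def uncovered(required, allowlist):
    """Return the parts of `required` that no allowlist entry permits.

    Entries are IPv4 addresses or CIDR blocks. A malformed entry raises
    ValueError instead of being skipped silently.
    """
    # Merge adjacent and overlapping entries so that a pool allowed as
    # several smaller blocks is still recognised as fully covered.
    allowed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(entry) for entry in allowlist))
    gaps = []
    for item in required:
        remaining = [ipaddress.ip_network(item)]
        for net in allowed:
            still_open = []
            for piece in remaining:
                if piece.subnet_of(net):
                    continue  # fully allowed
                if net.subnet_of(piece):
                    # Partly allowed: keep only the part outside `net`.
                    still_open.extend(piece.address_exclude(net))
                else:
                    still_open.append(piece)  # disjoint from `net`
            remaining = still_open
        gaps.extend(remaining)
    return [str(n) for n in sorted(gaps)]


# Constructed allowlists, not taken from any real policy.
SPLIT_OK = ["100.104.130.128/27", "100.104.130.160/27", "220.127.116.0/24"]
PARTIAL = ["100.104.130.128/27", "10.0.0.0/8"]

if __name__ == "__main__":
    for name, acl in (("SPLIT_OK", SPLIT_OK), ("PARTIAL", PARTIAL)):
        gaps = uncovered(REQUIRED_HK, acl)
        print(name, "complete" if not gaps else "missing: " + ", ".join(gaps))
```

An empty result means the policy admits the whole pool; anything returned is a range that would still be rejected and would surface as a connection timeout when the repository is added.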
If your third-party image service is deployed in a data center and connected over VPCs, you must forward the traffic destined for the image service. In this case, you must use an Elastic Compute Service (ECS) instance to forward the traffic to the server in the data center in which the third-party image service is deployed.
In the following command examples, the traffic on Port A of the ECS instance is forwarded to Port B of the on-premises server that uses the IP address of 192.168.XX.XX.
Command examples for CentOS 7
firewall-cmd --permanent --add-forward-port=port=<Port A>:proto=tcp:toaddr=<192.168.XX.XX>:toport=<Port B>
Enable port forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward
Configure port forwarding.
iptables -t nat -A PREROUTING -p tcp --dport <Port A> -j DNAT --to-destination <192.168.XX.XX>:<Port B>
Command example for Windows
netsh interface portproxy add v4tov4 listenport=<Port A> listenaddress=* connectaddress=<192.168.XX.XX> connectport=<Port B> protocol=tcp
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the Image tab of the Container page, click Integrate in the Third-party Image Warehouse section.
In the Integrate image repository panel, configure the following parameters and click OK.
Private repository type
The type of the third-party image repository. Valid values: harbor and quay.
The version of the third-party image repository. Valid values:
V1: If the version of the image repository is 1.X.X, select this option.
V2: If the version of the image repository is 2.X.X or later, select this option.
The protocol that you want Security Center to use to communicate with the third-party image repository. Valid values:
The network type of the third-party image repository. Valid values:
The ID of the region in which the third-party image repository resides.
The IP address of the third-party image repository. If you have configured traffic forwarding rules for your image service, you must set the IP parameter to the IP address of the ECS instance that forwards the traffic destined for the image service.
The domain name of the third-party image repository.
The number of images that can be added to Security Center per hour. Default value: 10.
Important
If a large number of images are added per hour, your services may be adversely affected. In most cases, we recommend that you do not set this parameter to Unlimited.
The username of the account that has administrative rights and is used to access the third-party image repository.
The password of the account.
Quay namespace information
This parameter is required only if you set Private repository type to quay.
In the Image warehouse organization field, enter the name of the organization to which the image repository belongs. In the Auth_token field, enter the Auth_token that corresponds to the organization.
You can click Add to configure organizations of multiple image repositories.
After the third-party image repository is added to Security Center, you can click Scan Settings on the Image Security page to view the information about the added image repository in the panel that appears.
The error message returned because the username or password is invalid.
Check whether the username and password are correct.
The error message returned because the version of the image repository is invalid.
Check whether the version of the image repository is valid.
The error message returned because you do not have administrative rights.
Log on to the server on which the Harbor repositories are deployed and obtain administrative rights.
The error message returned because the network connection timed out.
Check whether the network is reachable and whether port 80 or port 443 is open.
What to do next
After your image repository is added to Security Center, the images in the image repository are protected by Security Center. You can view the information about the images on the Image tab of the Container page. For more information, see View security information about containers.
You must use Security Center to scan the images in the image repository for risks. For more information, see Scan images.