Security Center can scan container images for vulnerabilities, but only after you connect an image repository. This topic explains how to add Container Registry instances and third-party repositories (Harbor, Quay, and GitLab) to Security Center.
Limitations
Security Center supports two categories of image repositories:
Container Registry (Enterprise Edition and Personal Edition): Security Center synchronizes image metadata from both editions, but can only scan images from Enterprise Edition.
Third-party repositories: Harbor, Quay, and GitLab.
Prerequisites
Before you begin, ensure that you have:
The container image scan feature enabled. See Enable container image scan and Purchase Security Center
Add a Container Registry instance
The steps differ slightly by edition:
Personal Edition: Add repositories after creating the Container Registry Personal Edition instance.
Enterprise Edition: Configure a virtual private cloud (VPC) access control list (ACL) for the instance before adding it. See Configure a VPC ACL.
After you add a Container Registry instance, Security Center keeps image metadata up to date in two ways:
Automatic: Security Center syncs image information once per day, in the early morning.
Manual: Trigger a sync on demand. See View security information about containers.
Add a third-party image repository
Before you begin: network access requirements
If your third-party repository has an IP allowlist, add the Security Center IP addresses for the region where your repository is hosted.
| Region | Public IP address | Private IP address |
|---|---|---|
| China (Hangzhou) | 47.96.166.214 | 100.104.12.64/26 |
| China (Shanghai) | 139.224.15.48, 101.132.180.26, 47.100.18.171, 47.100.0.176, 139.224.8.64, 101.132.70.106, 101.132.156.228, 106.15.36.12, 139.196.168.125, 47.101.178.223, and 47.101.220.176 | 100.104.43.0/26 |
| China (Qingdao) | 47.104.111.68 | 100.104.87.192/26 |
| China (Beijing) | 47.95.202.245 | 100.104.114.192/26 |
| China (Zhangjiakou) | 39.99.229.195 | 100.104.187.64/26 |
| China (Hohhot) | 39.104.147.68 | 100.104.36.0/26 |
| China (Shenzhen) | 120.78.64.225 | 100.104.250.64/26 |
| China (Guangzhou) | 8.134.118.184 | 100.104.111.0/26 |
| China (Hong Kong) | 8.218.59.176 | 100.104.130.128/26 |
| Japan (Tokyo) | 47.74.24.20 | 100.104.69.0/26 |
| Singapore | 8.219.240.137 | 100.104.67.64/26 |
| US (Silicon Valley) | 47.254.39.224 | 100.104.145.64/26 |
| US (Virginia) | 47.252.4.238 | 100.104.36.0/26 |
| Germany (Frankfurt) | 47.254.158.71 | 172.16.0.0/20 |
| UK (London) | 8.208.14.12 | 172.16.0.0/20 |
| Indonesia (Jakarta) | 149.129.238.99 | 100.104.193.128/26 |
Set up traffic forwarding (VPC-connected data centers only)
If your third-party image service runs in an on-premises data center connected to Alibaba Cloud over a VPC, Security Center cannot reach it directly. Use an Elastic Compute Service (ECS) instance as a traffic forwarder: Security Center connects to the ECS instance, which forwards requests to your on-premises registry server.
The commands below forward traffic on Port A of the ECS instance to Port B of the on-premises server at 192.168.XX.XX.
CentOS 7 — firewall-cmd
firewall-cmd --permanent --add-forward-port=port=<Port A>:proto=tcp:toaddr=<192.168.XX.XX>:toport=<Port B>CentOS 7 — iptables
Run the following two commands in order:
Enable IP forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forwardConfigure port forwarding with DNAT:
iptables -t nat -A PREROUTING -p tcp --dport <Port A> -j DNAT --to-destination <192.168.XX.XX>:<Port B>
Windows
netsh interface portproxy add v4tov4 listenport=<Port A> listenaddress=* connectaddress=<192.168.XX.XX> connectport=<Port B> protocol=tcpReplace <Port A>, <192.168.XX.XX>, and <Port B> with the actual port and IP values for your environment.
Steps
Log in to the Security Center console. In the top navigation bar, select the region of the assets you want to manage: China or Outside China.Log on to the Security Center console.
In the left-side navigation pane, choose Assets > Container.
On the Container page, click the Image tab, then click Add below Add Third-party Image Repository.
In the Add Image Repository panel, configure the following parameters, then click Next.
Parameter Description Private Repository Type The registry type. Valid values: harbor, quay, gitlab. Version The registry version. V1 for version 1.X.X; V2 for version 2.X.X or later. GitLab defaults to V1 and cannot be changed. Communication Type The protocol Security Center uses to connect to the registry. Valid values: http, https. Network Type Internet or VPC. RegionId The region where the third-party repository is hosted. IP The IP address of the repository. If you set up traffic forwarding, enter the IP address of the ECS instance instead. Port The port number. If you set up traffic forwarding, enter the port on the ECS instance (Port A) instead. Domain Name The domain name of the repository. Speed Limit The maximum number of images to sync per hour. Default: 10. Setting this to Unlimited may affect your services — keep the default unless your environment can handle higher throughput. Username The username of the account that has administrative rights and is used to access the third-party image repository. Password The password of the account. Quay Namespace Information (Quay only) Enter the Image Repository Organization name and the corresponding Auth_token. Click Add to include multiple organizations. GitLab Group Information (GitLab only) Enter the Group Information name and the corresponding Access_token. Click Add to include multiple groups.
After the repository is added, verify the connection by navigating to Protection Configuration > Container Protection > Container Image Scan in the left-side navigation pane and clicking Scan Settings in the upper-right corner.
Troubleshooting
| Error code | Message | Solution |
|---|---|---|
| FailedToVerifyUsernameOrPwd | Username or password is invalid. | Check whether the username and password are correct. |
| RegistryVersionError | The version of the image repository is invalid. | Check whether the selected version (V1 or V2) matches your registry version. |
| UserDoesNotHaveAdminRole | You do not have administrative rights. | Log in to the Harbor server and grant the account administrative rights. |
| NetworkConnectError | The network connection timed out. | Check network connectivity and verify that port 80 or port 443 is open. If your repository is VPC-connected, confirm that the traffic forwarding rules are configured correctly. |
What's next
After you add an image repository, Security Center monitors the images it contains. To view image details, go to the Image tab on the Container page. See View security information about containers.
To scan the images for security risks, see Scan images.