
Security Center:Overview

Last Updated:Sep 30, 2024

The container image scan feature can manage container images and detect security risks in a comprehensive manner. The risks include high-risk system vulnerabilities, application vulnerabilities, malicious samples, configuration risks, and sensitive data in images. The feature also supports quick fixing of detected image system vulnerabilities. You can use the feature to manage and ensure image security to protect related systems and data.

Limits

Container image scan is a value-added feature of Security Center and must be separately purchased. Only users of the Advanced, Enterprise, Ultimate, and Value-added Plan editions can purchase container image scan.

Supported regions

Only the Container Registry instances in the following regions support the container image scan feature.

Area: China

Supported regions:

  • China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), and China (Ulanqab)

  • China (Shenzhen), China (Heyuan), and China (Guangzhou)

  • China (Hangzhou) and China (Shanghai)

  • China (Chengdu)

  • China (Hong Kong)

  • China East 2 Finance, China South 1 Finance, China North 2 Finance, and China North 2 Ali Gov 1

Area: Outside China

Supported regions:

  • Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney) (Closing down), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)

  • Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)

Items that can be detected

Item: Image system vulnerability

Description: The container image scan feature can detect vulnerabilities that may affect the security of the container environment, such as operating system vulnerabilities and third-party software vulnerabilities in images.

Suggestion: We recommend that you fix image system vulnerabilities at the earliest opportunity based on the fixing commands and impact descriptions that are provided by Security Center.

Item: Image application vulnerability

Description: The container image scan feature can detect application vulnerabilities in images. The vulnerabilities can cause security issues such as unauthorized access, code injection, and denial-of-service (DoS) attacks.

Suggestion: We recommend that you fix image application vulnerabilities at the earliest opportunity based on the fixing commands and impact descriptions provided by Security Center.

Item: Image baseline risk

Description: The container image scan feature can check whether images conform to security configuration specifications and best practices.

Suggestion: We recommend that you handle image baseline risks at the earliest opportunity based on the baseline check details that are provided by Security Center.

Item: Malicious image sample

Description: The container image scan feature can detect malicious files, malicious code, and malicious behavior in images and during container runtime.

Suggestion: We recommend that you handle malicious file samples at the earliest opportunity based on the information provided by Security Center. The information includes the paths to the malicious files.

Item: Sensitive image file

Description: The container image scan feature can detect common sensitive files, which include but are not limited to the following items:

  • Application configurations that contain sensitive information

  • General certificate keys

  • Application identity or logon credentials

  • Credentials for cloud server providers

Suggestion: We recommend that you assess the risks based on the suggestions provided by Security Center, remove the sensitive information at the earliest opportunity, and then rebuild the images.

Item: Image build command risks

Description: The container image scan feature can detect image build command risks, which include but are not limited to the following items:

  • Deprecated MAINTAINER command

  • No user specified with the USER command when you create an image

  • Running of applications by using the root user

  • ADD

  • Including sensitive data in ENV variables when you create an image

  • Disabling certificate verification by configuring the NODE_TLS_REJECT_UNAUTHORIZED environment variable

  • apt used with the RUN command in Dockerfiles

Suggestion: We recommend that you handle the image build command risks based on the risk descriptions provided by Security Center and then rebuild the images.

Important

The container image scan feature supports quick fixing of image system vulnerabilities. To handle other image risks, manually fix the risks based on the suggestions included in the risk details. For more information, see Handle detected image risks.
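As an added example (not code from this page or from Security Center), the following Python checker flags the build-command risks listed above when run over a Dockerfile. The two Dockerfiles, the keyword list used to spot secrets in ENV values and the function name are constructed for illustration.

```python
import re
# Constructed sample Dockerfile that triggers every rule below (not from the page).
RISKY_DOCKERFILE = """\
FROM node:18
MAINTAINER ops@example.com
ENV DB_PASSWORD=s3cret
ENV NODE_TLS_REJECT_UNAUTHORIZED=0
ADD app.tar.gz /srv/app
RUN apt install -y curl
CMD ["node", "/srv/app/server.js"]
"""
# The same image with the risks removed (also constructed).
HARDENED_DOCKERFILE = """\
FROM node:18
LABEL maintainer="ops@example.com"
RUN apt-get update && apt-get install -y --no-install-recommends curl
COPY app/ /srv/app/
RUN useradd --system --no-create-home app
USER app
CMD ["node", "/srv/app/server.js"]
"""

# Assumed keyword list for spotting secrets in ENV; a real scanner uses richer rules.
SENSITIVE_ENV = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|ACCESS_KEY", re.I)

def check_dockerfile(text):
    """Return (instruction, finding) tuples for the build-command risks on the page."""
    findings = []
    user_set = False
    for raw in text.splitlines():
        instr, _, args = raw.strip().partition(" ")
        instr = instr.upper()  # blank lines and comments never match a rule
        if instr == "MAINTAINER":
            findings.append((instr, "deprecated; use LABEL maintainer=..."))
        elif instr == "USER":
            user_set = True
            if args.strip() in ("root", "0"):
                findings.append((instr, "application runs as root"))
        elif instr == "ADD":
            findings.append((instr, "prefer COPY; ADD auto-extracts archives and fetches URLs"))
        elif instr == "ENV":
            if "NODE_TLS_REJECT_UNAUTHORIZED=0" in args.replace(" ", "="):
                findings.append((instr, "TLS certificate verification disabled"))
            elif SENSITIVE_ENV.search(args):
                findings.append((instr, "sensitive data baked into the image environment"))
        elif instr == "RUN" and re.search(r"\bapt\s+install\b", args):
            findings.append((instr, "use apt-get, not apt, in non-interactive builds"))
    if not user_set:
        findings.append(("USER", "no USER instruction; container runs as root"))
    return findings
```

Running `check_dockerfile(RISKY_DOCKERFILE)` reports six findings, one per risk, while the hardened Dockerfile reports none.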

Supported operating systems and versions

Operating system: Red Hat

  • Versions that support risk detection: Red Hat 5, Red Hat 6, and Red Hat 7

  • Versions that support risk fixing: None

Operating system: CentOS

  • Versions that support risk detection: CentOS 5, CentOS 6, and CentOS 7

  • Versions that support risk fixing: CentOS 7 and CentOS 8

Operating system: Ubuntu

  • Versions that support risk detection: Ubuntu 12.04, Ubuntu 14.04, Ubuntu 16.04, Ubuntu 18.04, and Ubuntu 18.10

  • Versions that support risk fixing: Ubuntu 14, Ubuntu 16, and Ubuntu 18

Operating system: Debian

  • Versions that support risk detection: Debian 6, Debian 7, Debian 8, Debian 9, and Debian 10

  • Versions that support risk fixing: Debian 9 and Debian 10

Operating system: Alpine

  • Versions that support risk detection: Alpine 2.3, Alpine 2.4, Alpine 2.5, Alpine 2.6, Alpine 2.7, Alpine 3.1, Alpine 3.2, Alpine 3.3, Alpine 3.4, Alpine 3.5, Alpine 3.6, Alpine 3.7, Alpine 3.8, Alpine 3.9, Alpine 3.10, Alpine 3.11, and Alpine 3.12

  • Versions that support risk fixing: Alpine 3.9

Operating system: Amazon Linux

  • Versions that support risk detection: Amazon Linux 2 and Amazon Linux AMI

  • Versions that support risk fixing: None

Operating system: Oracle Linux

  • Versions that support risk detection: Oracle Linux 5, Oracle Linux 6, Oracle Linux 7, and Oracle Linux 8

  • Versions that support risk fixing: None

Operating system: SUSE Linux Enterprise Server

  • Versions that support risk detection: SUSE Linux Enterprise Server 5, 6, 7, 8, 9, 10, 10 SP4, 11 SP3, 12 SP2, and 12 SP5

  • Versions that support risk fixing: None

Operating system: Fedora Linux

  • Versions that support risk detection: Fedora Linux 2X and Fedora Linux 3X

  • Versions that support risk fixing: None

Operating system: openSUSE

  • Versions that support risk detection: openSUSE 10.0, openSUSE Leap 15.2, and openSUSE Leap 42.3

  • Versions that support risk fixing: None

Use process

  1. Enable container image scan: If you purchase the container image scan feature, you are charged based on the quota specified by Container Image Scan. You must enable the feature and set Container Image Scan to an appropriate value.

  2. Scan images: Configure the image scan scope based on your business requirements. You can manually initiate an immediate image scan or configure a periodic image scan.

  3. View and handle detected image risks: View the image scan results and handle the risks based on the fixing instructions.
