The image security scan feature in Security Center helps you detect image vulnerabilities, baseline risks, malicious samples, and sensitive files to ensure a secure runtime environment. This topic describes how to run an image security scan.
Prerequisites
You have enabled Container Image Scan and purchased sufficient container image scan authorizations. For more information, see Enable the container image scan feature.
You have purchased a Container Registry Enterprise Edition instance or added a private image repository. For more information, see Create a Container Registry Enterprise Edition instance and Add an image repository.
If your Enterprise instance is configured for a VPC, the VPC must meet specific region and zone requirements. To enable scanning, you must select a vSwitch in a supported region and zone. See Supported regions and zones for the complete list.
Background
The base system software, middleware, web applications, and databases on an image may contain vulnerabilities, such as mining trojans and backdoors, that can compromise your assets.
Security Center can scan images for system vulnerabilities, application vulnerabilities, baseline risks, malicious samples, sensitive files, and risks in build instructions. For more information, see Image security features.
Usage
Scannable repositories: Container Registry Enterprise Edition image repositories that you created and Harbor, Quay, and GitLab image repositories that you added to Security Center.
Scan scope: By default, image security scans cover all image repositories and check items. You can configure the scan scope, including specific image repositories, baseline check items, a vulnerability whitelist, a sensitive file type whitelist, and an at-risk file whitelist. For more information, see Step 1: Configure the image security scan scope.
Scan method: Perform an immediate image security scan (manual scan) and Configure a periodic image security scan (periodic scan).
Both manual and periodic scans use the configured scan scope.
Quota consumption: Security Center identifies an image by its digest. If an image's digest is unchanged, the first scan consumes one quota authorization. Subsequent scans of an image with a changed digest consume additional authorizations.
Before performing an image security scan, ensure that you have sufficient Container Image Scan authorizations. For more information, see Enable the Container Image Scan service.
Scan duration: To ensure the stability of scan tasks, Security Center sets the timeout period for each image scan task to 4 hours. This value cannot be changed. A scan task times out after 4 hours and stops, even if it has not finished scanning all specified image repositories.
NoteTo improve scan efficiency, specify the target image repositories before scanning. For Harbor image repositories, you can also configure a Speed Limit. For more information, see the Manage image repositories section in this topic.
Step 1: Configure the image scan scope
The configured scan scope applies to both manual and periodic scans.
Log on to the Security Center console. In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where the assets that you want to protect are located: Chinese Mainland or Outside Chinese Mainland.
In the upper-right corner of the Container Image Scan page, click Scan Settings.
Click a feature tab to configure the scan scope for the image scan task.
Scan parameters
Parameter
Description
Consumed Quota/Purchased Quota
Displays the used and purchased quota for container image scans. If your quota is low, click Scale Out to purchase more.
Scan Cycle
Select a frequency for container image scans. This parameter applies only to periodic scans.
Scan Scope
Specify the image repositories to scan. Perform the following steps:
Click Manage to the right of Scan Scope.
In the Image Management dialog box, select the checkboxes of the image repositories that you want to scan.
By default, Automatically Adds New Image Repositories for Scan is enabled in the upper-right corner of the repository list. This means that if new image repositories are added, they are automatically included in the scan scope for periodic scans. You can click the switch
to disable this feature.Click Confirm.
Scan Time Range
Select a time range for the image vulnerability scan.
ImportantThe scan time range is determined by the local update time of an image. If the update time is unavailable, the local creation time of the image is used. The time range determines whether an image is scanned.
For example, if you set the scan time range to Last 7 Days, Security Center scans images that were updated within the last 7 days.
If an update time is available but the image was last updated more than 7 days ago, the scan succeeds, but reports that zero images were scanned.
If no update time is available and the image was created more than 7 days ago, the image is not scanned.
Vulnerability Retention Period
Specify the retention period for the results of periodic vulnerability scans. Security Center automatically deletes scan results that are older than the retention period.
Image repositories
You can click the Image Repository tab to view the list of scannable Container Registry Enterprise Edition instances (repository type: acr) and connected private image repositories (repository types: harbor, quay, gitlab, and others).
NoteSecurity Center automatically synchronizes Container Registry Enterprise Edition instances under your Alibaba Cloud account to the image repository list. You cannot remove Container Registry Enterprise Edition instances from the list.
You can click Task Management in the upper-right corner of the Container Image Scan page and go to the Container Asset Synchronization and Synchronize Image Asset tabs to view the asset synchronization progress and status.
To scan a private image repository that is not in the list, click Add Image Repository to connect your private image repository. For more information, see Connect an image repository.
To remove a private image repository from the scan list, click Remove in its Actions column and then click Confirm in the confirmation message.
NoteThe two default image repositories (repository types: acr and defaultAcr) in the list cannot be removed.
For a harbor image repository, you can click Edit in the Actions column to configure Speed Limit for the image scan to improve scan efficiency. Throttling specifies the number of images that can be scanned per hour. The default value is 10.
For example, a harbor image repository contains 200 images. If you use the default throttling setting, the scan takes 20 hours to complete. However, the global timeout period for each scan task is 4 hours, which means not all images can be scanned. If you set the throttling value to 200, the scan completes in only 1 hour. You can configure this parameter based on your business requirements and network conditions.
Image baseline scan
You can configure check items for the image baseline scan when you set up image vulnerability scans.
In the Scan Settings panel, click the Baseline Configuration Management tab.
Click Manage to the right of Scan Scope.
In the Baseline Check Scope panel, select the baselines that you want to check, and then click OK.
ImportantThe AccessKey Stored in Plaintext and Password Leak baseline checks in the Baseline Check Scope panel correspond to AccessKey Leak Detection and Password Leak Detection, respectively. If you select the AccessKey Stored in Plaintext and Password Leak baselines in the Baseline Check Scope panel, the switches for AccessKey Leak Detection and Password Leak Detection under Baseline Configuration Management are automatically enabled. You do not need to set them again. You can also use the switches next to AccessKey Leak Detection and Password Leak Detection to quickly enable or disable these two baselines.
After the configuration is complete, Security Center checks the baseline configurations of your images during a Scan Now operation or a scheduled periodic scan.
Runtime image scan
The container runtime image scan feature helps you detect security risks in your container runtime environment.
ImportantThe container runtime image scan feature supports only manual scans, not periodic scans.
Log on to the Security Center console. In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where the assets that you want to protect are located: Chinese Mainland or Outside Chinese Mainland.
In the upper-right corner of the page, click Scan Settings.
In the Scan Settings panel, click the Container Runtime Image Scan tab.
Click Configure Scan Scope. In the dialog box that appears, select the cluster and applications to scan, and then click Confirm.
Click Scan Now.
You can view the scan progress on the Container Runtime Image Scan tab in the Tasks panel. After the scan is complete, view the detected vulnerabilities on the Image Vulnerability tab of the Container Image Scan page.
Sensitive file scan
The sensitive file scan for images feature detects sensitive data within your image files, including in common and custom file types. Examples of sensitive data include application configurations, generic certificates and keys, authentication credentials, and cloud service provider credentials. Promptly addressing detected sensitive data improves the security of your image runtime environment.
ImportantThis feature supports only static image scanning, not runtime detection.
In the Scan Settings panel, click the Sensitive File Scan Settings tab.
Click Manage to the right of Scope.
In the Sensitive File Scan Settings panel, select the check items that you want to scan.
Turn the sensitive file detection switch on or off.
If you enable this feature, a sensitive file scan is also performed during a Scan Now operation or a scheduled periodic scan.
At-risk file whitelist
If you do not want to receive alerts for risks related to sensitive image files, image build instructions, or malicious image samples, you can add the corresponding alert types to a whitelist. The system does not detect whitelisted risks.
NoteThe at-risk file whitelist displays the alert types and image repositories that have been added to the whitelist from the Malicious Image Sample, Sensitive Image File, and Image Build Command Risks lists. For more information, see Remediate image scan risks.
You must run a scan at least once before you can configure the at-risk file whitelist.
In the Scan Settings panel, click the Configure Whitelist for At-risk Files tab.
Configure the whitelist for at-risk files.
Edit a whitelist rule: On the Sensitive File, Container Build, or Malicious Sample tab, find the target alert type, click Edit in the Actions column, and then select a rule scope: All Image Repositories or Current Image Repository Only (select the image repositories that you want to add to the whitelist).
Delete a whitelist rule: On the Sensitive File, Container Build, or Malicious Sample tab, find the target alert type and click Delete in the Actions column to delete the rule. After a rule is deleted from the whitelist, Security Center resumes detecting the related risks and generating alerts.
Image fixing
Security Center supports automatic fixing of system vulnerabilities in image repositories of Container Registry Enterprise Edition. You can enable automatic fixing and configure parameters such as the fixing period and scope.
In the Scan Settings panel, click the Image Risk Fixing Configuration tab.
Click the Fixing Configuration switch to enable or disable automatic fixing.
If you enable this feature, you can configure the Fixing Period, Fixing Scope (image repositories of Container Registry Enterprise Edition), and Time Range (images that are updated within the specified time range are fixed).
ImportantThe fixing time range is determined by the update time of an image. If the update time is unavailable, the creation time of the image is used. The time range determines whether an image is fixed. For example, if you set the time range to Last 7 Days, Security Center fixes images that were updated within the last 7 days. Images that were updated more than 7 days ago are not fixed.
After you perform the Scan Now operation or after a configured periodic scan runs, system vulnerabilities in the target image are regularly identified and fixed based on the remediation cycle that you set.
You can click Task Management in the upper-right corner of the Container Image Scan page and go to the Image Risk Fixing tab in the Task Management panel to view the fixing status of system vulnerabilities in images.
Vulnerability whitelist
If you do not need to scan for a specific image vulnerability, you can add the vulnerability to a whitelist. The system does not detect whitelisted vulnerabilities.
In the Scan Settings panel, click the Vulnerability Whitelist Settings tab.
Configure the vulnerability whitelist.
Create a rule: Click Create Rule to add custom whitelist rules for different vulnerability types.
Edit a rule: Find the rule that you want to edit, click Edit in the Actions column, and then modify the Applied Assets, Select Image, and Description of the rule.
Delete a rule: Find the rule that you want to delete and click Delete in the Actions column. After a rule is deleted, Security Center resumes detecting the corresponding vulnerability and generating alerts.
Click the close icon
in the upper-right corner of the panel to close the Scan Settings panel.
Step 2: Run a container image scan
After you configure the scan scope, both manual scans and periodic scans run based on the settings in the Scan Settings panel.
The first time you run a container image scan, Security Center automatically creates a reverse endpoint in the VPC that is configured for the image. This reverse endpoint allows the Security Center service to access the Container Registry Enterprise Edition instance in your VPC. Do not delete the reverse endpoint. For more information, see Description of automatically created reverse endpoints.
Run a manual scan
To scan your images immediately, run a manual scan.
The Scan Now action scans all image repositories that are connected to Security Center by default. You can first configure the scan scope in the Scan Settings panel and then manually start a scan. The scan scope includes settings such as the image repositories to scan, container runtime scan configurations, and vulnerability whitelist configurations. For more information, see Step 1: Configure the container image scan scope in this topic.
Log on to the Security Center console.
In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Container Image Scan page, click Scan Now.
In the Quick Scan dialog box, all image types are selected by default. Clear the checkboxes for the image types that you do not want to scan and click Confirm.
The following types are supported:
ACR: Security Center checks the Enterprise instances that you created in the ACR console for security risks.
Harbor, Quay, GitLab: Security Center scans the private image repositories that you have added for security risks.
Container: Security Center immediately runs a container runtime image scan based on your container runtime scan settings.
Security Center displays these types only if you have configured them.
You can also click Configure Scan Scope. In the Scan Settings panel, configure the scan scope settings, and then repeat the preceding step to reopen the Quick Scan dialog box. For more information, see Step 1: Configure the container image scan scope in this topic.
Scan results appear in about one minute. You can then refresh the page to view the results in the risk list.
Configure periodic scans
By default, Security Center automatically scans your container assets for image vulnerabilities or malicious samples based on the scan cycle specified in the Scan Settings panel. You can modify the scan cycle for image vulnerabilities.
Log on to the Security Center console. In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
In the upper-right corner of the Container Image Scan page, click Scan Settings.
On the Scan Settings tab, set the Scan Cycle.
After you configure the scan cycle, Security Center scans your images according to your configuration. For more information, see Step 1: Configure the container image scan scope in this topic.
Step 3: View image scan progress and status
In the upper-right corner of the Container Image Scan page, click Task Management.
In the Task Management panel, click the Image Scan tab.
Click Details in the Actions column to view the task's execution log.
For example, for a failed task, you can identify the problematic image and the cause of the failure.
Next steps
After running an image security scan, you can view the scan results. For more information, see View and remediate image risks.
Appendix
Automatically created reverse endpoints
When you run an image security scan for the first time, Security Center automatically creates a reverse endpoint in the VPC configured for the image. This endpoint allows the Security Center service to access the Container Registry Enterprise Edition instance in your VPC. Do not delete this endpoint. For more information about reverse endpoints, see How it works.
The reverse endpoint does not incur fees or affect any Alibaba Cloud products. If Security Center has not run an image security scan in a VPC for one month, it automatically deletes the reverse endpoint in that VPC. The next time you run a scan, Security Center automatically creates a new reverse endpoint. No action is required.
Regions and zones
The following tables list the regions and zones for the VPCs and vSwitches required to use the image security scan feature with Container Registry Enterprise Edition instances. If a VPC and a vSwitch are not in these lists, the image security scan feature is unavailable for the Enterprise Edition instance.
public cloud
Region name
Region ID
Number of zones
Zone name
Zone ID
China (Qingdao)
cn-qingdao
2
Qingdao Zone B
cn-qingdao-b
Qingdao Zone C
cn-qingdao-c
China (Beijing)
cn-beijing
10
Beijing Zone C
cn-beijing-c
Beijing Zone D
cn-beijing-d
Beijing Zone E
cn-beijing-e
Beijing Zone F
cn-beijing-f
Beijing Zone G
cn-beijing-g
Beijing Zone H
cn-beijing-h
Beijing Zone I
cn-beijing-i
Beijing Zone J
cn-beijing-j
Beijing Zone K
cn-beijing-k
Beijing Zone L
cn-beijing-l
China (Zhangjiakou)
cn-zhangjiakou
3
Zhangjiakou Zone A
cn-zhangjiakou-a
Zhangjiakou Zone B
cn-zhangjiakou-b
Zhangjiakou Zone C
cn-zhangjiakou-c
China (Hohhot)
cn-huhehaote
2
Hohhot Zone A
cn-huhehaote-a
Hohhot Zone B
cn-huhehaote-b
China (Ulanqab)
cn-wulanchabu
3
Ulanqab Zone A
cn-wulanchabu-a
Ulanqab Zone B
cn-wulanchabu-b
Ulanqab Zone C
cn-wulanchabu-c
China (Hangzhou)
cn-hangzhou
7
Hangzhou Zone B
cn-hangzhou-b
Hangzhou Zone F
cn-hangzhou-f
Hangzhou Zone G
cn-hangzhou-g
Hangzhou Zone H
cn-hangzhou-h
Hangzhou Zone I
cn-hangzhou-i
Hangzhou Zone J
cn-hangzhou-j
Hangzhou Zone K
cn-hangzhou-k
China (Shanghai)
cn-shanghai
8
Shanghai Zone A
cn-shanghai-a
Shanghai Zone B
cn-shanghai-b
Shanghai Zone E
cn-shanghai-e
Shanghai Zone F
cn-shanghai-f
Shanghai Zone G
cn-shanghai-g
Shanghai Zone L
cn-shanghai-l
Shanghai Zone M
cn-shanghai-m
Shanghai Zone N
cn-shanghai-n
China (Shenzhen)
cn-shenzhen
4
Shenzhen Zone C
cn-shenzhen-c
Shenzhen Zone D
cn-shenzhen-d
Shenzhen Zone E
cn-shenzhen-e
Shenzhen Zone F
cn-shenzhen-f
China (Heyuan)
cn-heyuan
2
Heyuan Zone A
cn-heyuan-a
Heyuan Zone B
cn-heyuan-b
China (Guangzhou)
cn-guangzhou
2
Guangzhou Zone A
cn-guangzhou-a
Guangzhou Zone B
cn-guangzhou-b
China (Chengdu)
cn-chengdu
2
Chengdu Zone A
cn-chengdu-a
Chengdu Zone B
cn-chengdu-b
China (Hong Kong)
cn-hongkong
3
Hong Kong Zone B
cn-hongkong-b
Hong Kong Zone C
cn-hongkong-c
Hong Kong Zone D
cn-hongkong-d
Singapore
ap-southeast-1
3
Singapore Zone A
ap-southeast-1a
Singapore Zone B
ap-southeast-1b
Singapore Zone C
ap-southeast-1c
Malaysia (Kuala Lumpur)
ap-southeast-3
3
Kuala Lumpur Zone A
ap-southeast-3a
Kuala Lumpur Zone B
ap-southeast-3b
Kuala Lumpur Zone C
ap-southeast-3c
Indonesia (Jakarta)
ap-southeast-5
3
Jakarta Zone A
ap-southeast-5a
Jakarta Zone B
ap-southeast-5b
Jakarta Zone C
ap-southeast-5c
Philippines (Manila)
ap-southeast-6
1
Manila Zone A
ap-southeast-6a
Thailand (Bangkok)
ap-southeast-7
2
Bangkok Zone A
ap-southeast-7a
Bangkok Zone B
ap-southeast-7b
Japan (Tokyo)
ap-northeast-1
3
Tokyo Zone A
ap-northeast-1a
Tokyo Zone B
ap-northeast-1b
Tokyo Zone C
ap-northeast-1c
South Korea (Seoul)
ap-northeast-2
2
Seoul Zone A
ap-northeast-2a
Seoul Zone B
ap-northeast-2b
US (Silicon Valley)
us-west-1
2
Silicon Valley Zone A
us-west-1a
Silicon Valley Zone B
us-west-1b
US (Virginia)
us-east-1
2
Virginia Zone A
us-east-1a
Virginia Zone B
us-east-1b
Germany (Frankfurt)
eu-central-1
3
Frankfurt Zone A
eu-central-1a
Frankfurt Zone B
eu-central-1b
Frankfurt Zone C
eu-central-1c
UK (London)
eu-west-1
2
London Zone A
eu-west-1a
London Zone B
eu-west-1b
Finance Cloud
Region name
Region ID
City
Number of zones
Zone name
Zone ID
China (Shanghai) Finance Cloud
shanghai-finance-1
Shanghai
4
Zone F
cn-shanghai-finance-1f
Zone G
cn-shanghai-finance-1g
Zone K
cn-shanghai-finance-1k
Zone Z
cn-shanghai-finance-1z
China (Shenzhen) Finance Cloud
cn-shenzhen-finance-1
Shenzhen
2
Zone D
cn-shenzhen-finance-1d
Zone E
cn-shenzhen-finance-1e
China (Beijing) Finance Cloud (Invitational Preview)
cn-beijing-finance-1
Beijing
2
Zone K
cn-beijing-finance-1k
Zone L
cn-beijing-finance-1l
Gov Cloud
Region name
Region ID
City
Number of zones
Zone name
Zone ID
China (Beijing) Gov Cloud 1
cn-north-2-gov-1
Beijing
3
China (Beijing) Gov Cloud 1 Zone B
cn-north-2-gov-1b
China (Beijing) Gov Cloud 1 Zone C
cn-north-2-gov-1c
China (Beijing) Gov Cloud 1 Zone D
cn-north-2-gov-1d