All Products
Search
Document Center

Security Center:Configure and run image security scans

Last Updated:Jun 12, 2026

The image security scan feature in Security Center helps you detect image vulnerabilities, baseline risks, malicious samples, and sensitive files to ensure a secure runtime environment. This topic describes how to run an image security scan.

Prerequisites

Background

The base system software, middleware, web applications, and databases on an image may contain vulnerabilities, such as mining trojans and backdoors, that can compromise your assets.

Security Center can scan images for system vulnerabilities, application vulnerabilities, baseline risks, malicious samples, sensitive files, and risks in build instructions. For more information, see Image security features.

Usage

Step 1: Configure the image scan scope

The configured scan scope applies to both manual and periodic scans.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Image Scan. In the upper-left corner of the console, select the region where the assets that you want to protect are located: Chinese Mainland or Outside Chinese Mainland.

  2. In the upper-right corner of the Container Image Scan page, click Scan Settings.

  3. Click a feature tab to configure the scan scope for the image scan task.

    Scan parameters

    Parameter

    Description

    Consumed Quota/Purchased Quota

    Displays the used and purchased quota for container image scans. If your quota is low, click Scale Out to purchase more.

    Scan Cycle

    Select a frequency for container image scans. This parameter applies only to periodic scans.

    Scan Scope

    Specify the image repositories to scan. Perform the following steps:

    1. Click Manage to the right of Scan Scope.

    2. In the Image Management dialog box, select the checkboxes of the image repositories that you want to scan.

      By default, Automatically Adds New Image Repositories for Scan is enabled in the upper-right corner of the repository list. This means that if new image repositories are added, they are automatically included in the scan scope for periodic scans. You can click the switch image to disable this feature.

    3. Click Confirm.

    Scan Time Range

    Select a time range for the image vulnerability scan.

    Important

    The scan time range is determined by the local update time of an image. If the update time is unavailable, the local creation time of the image is used. The time range determines whether an image is scanned.

    For example, if you set the scan time range to Last 7 Days, Security Center scans images that were updated within the last 7 days.

    • If an update time is available but the image was last updated more than 7 days ago, the scan succeeds, but reports that zero images were scanned.

    • If no update time is available and the image was created more than 7 days ago, the image is not scanned.

    Vulnerability Retention Period

    Specify the retention period for the results of periodic vulnerability scans. Security Center automatically deletes scan results that are older than the retention period.

    Image repositories

    You can click the Image Repository tab to view the list of scannable Container Registry Enterprise Edition instances (repository type: acr) and connected private image repositories (repository types: harbor, quay, gitlab, and others).

    Note
    • Security Center automatically synchronizes Container Registry Enterprise Edition instances under your Alibaba Cloud account to the image repository list. You cannot remove Container Registry Enterprise Edition instances from the list.

    • You can click Task Management in the upper-right corner of the Container Image Scan page and go to the Container Asset Synchronization and Synchronize Image Asset tabs to view the asset synchronization progress and status.

    • To scan a private image repository that is not in the list, click Add Image Repository to connect your private image repository. For more information, see Connect an image repository.

    • To remove a private image repository from the scan list, click Remove in its Actions column and then click Confirm in the confirmation message.

      Note

      The two default image repositories (repository types: acr and defaultAcr) in the list cannot be removed.

    • For a harbor image repository, you can click Edit in the Actions column to configure Speed Limit for the image scan to improve scan efficiency. Throttling specifies the number of images that can be scanned per hour. The default value is 10.

      For example, a harbor image repository contains 200 images. If you use the default throttling setting, the scan takes 20 hours to complete. However, the global timeout period for each scan task is 4 hours, which means not all images can be scanned. If you set the throttling value to 200, the scan completes in only 1 hour. You can configure this parameter based on your business requirements and network conditions.

    Image baseline scan

    You can configure check items for the image baseline scan when you set up image vulnerability scans.

    1. In the Scan Settings panel, click the Baseline Configuration Management tab.

    2. Click Manage to the right of Scan Scope.

    3. In the Baseline Check Scope panel, select the baselines that you want to check, and then click OK.

      Important

      The AccessKey Stored in Plaintext and Password Leak baseline checks in the Baseline Check Scope panel correspond to AccessKey Leak Detection and Password Leak Detection, respectively. If you select the AccessKey Stored in Plaintext and Password Leak baselines in the Baseline Check Scope panel, the switches for AccessKey Leak Detection and Password Leak Detection under Baseline Configuration Management are automatically enabled. You do not need to set them again. You can also use the switches next to AccessKey Leak Detection and Password Leak Detection to quickly enable or disable these two baselines.

    After the configuration is complete, Security Center checks the baseline configurations of your images during a Scan Now operation or a scheduled periodic scan.

    Runtime image scan

    The container runtime image scan feature helps you detect security risks in your container runtime environment.

    Important

    The container runtime image scan feature supports only manual scans, not periodic scans.

    1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Image Scan. In the upper-left corner of the console, select the region where the assets that you want to protect are located: Chinese Mainland or Outside Chinese Mainland.

    2. In the upper-right corner of the page, click Scan Settings.

    3. In the Scan Settings panel, click the Container Runtime Image Scan tab.

    4. Click Configure Scan Scope. In the dialog box that appears, select the cluster and applications to scan, and then click Confirm.

    5. Click Scan Now.

    You can view the scan progress on the Container Runtime Image Scan tab in the Tasks panel. After the scan is complete, view the detected vulnerabilities on the Image Vulnerability tab of the Container Image Scan page.

    Sensitive file scan

    The sensitive file scan for images feature detects sensitive data within your image files, including in common and custom file types. Examples of sensitive data include application configurations, generic certificates and keys, authentication credentials, and cloud service provider credentials. Promptly addressing detected sensitive data improves the security of your image runtime environment.

    Important

    This feature supports only static image scanning, not runtime detection.

    1. In the Scan Settings panel, click the Sensitive File Scan Settings tab.

    2. Click Manage to the right of Scope.

    3. In the Sensitive File Scan Settings panel, select the check items that you want to scan.

    4. Turn the sensitive file detection switch on or off.

      If you enable this feature, a sensitive file scan is also performed during a Scan Now operation or a scheduled periodic scan.

    At-risk file whitelist

    If you do not want to receive alerts for risks related to sensitive image files, image build instructions, or malicious image samples, you can add the corresponding alert types to a whitelist. The system does not detect whitelisted risks.

    Note
    • The at-risk file whitelist displays the alert types and image repositories that have been added to the whitelist from the Malicious Image Sample, Sensitive Image File, and Image Build Command Risks lists. For more information, see Remediate image scan risks.

    • You must run a scan at least once before you can configure the at-risk file whitelist.

    1. In the Scan Settings panel, click the Configure Whitelist for At-risk Files tab.

    2. Configure the whitelist for at-risk files.

      • Edit a whitelist rule: On the Sensitive File, Container Build, or Malicious Sample tab, find the target alert type, click Edit in the Actions column, and then select a rule scope: All Image Repositories or Current Image Repository Only (select the image repositories that you want to add to the whitelist).

      • Delete a whitelist rule: On the Sensitive File, Container Build, or Malicious Sample tab, find the target alert type and click Delete in the Actions column to delete the rule. After a rule is deleted from the whitelist, Security Center resumes detecting the related risks and generating alerts.

    Image fixing

    Security Center supports automatic fixing of system vulnerabilities in image repositories of Container Registry Enterprise Edition. You can enable automatic fixing and configure parameters such as the fixing period and scope.

    1. In the Scan Settings panel, click the Image Risk Fixing Configuration tab.

    2. Click the Fixing Configuration switch to enable or disable automatic fixing.

    3. If you enable this feature, you can configure the Fixing Period, Fixing Scope (image repositories of Container Registry Enterprise Edition), and Time Range (images that are updated within the specified time range are fixed).

      Important

      The fixing time range is determined by the update time of an image. If the update time is unavailable, the creation time of the image is used. The time range determines whether an image is fixed. For example, if you set the time range to Last 7 Days, Security Center fixes images that were updated within the last 7 days. Images that were updated more than 7 days ago are not fixed.

      After you perform the Scan Now operation or after a configured periodic scan runs, system vulnerabilities in the target image are regularly identified and fixed based on the remediation cycle that you set.

      You can click Task Management in the upper-right corner of the Container Image Scan page and go to the Image Risk Fixing tab in the Task Management panel to view the fixing status of system vulnerabilities in images.

    Vulnerability whitelist

    If you do not need to scan for a specific image vulnerability, you can add the vulnerability to a whitelist. The system does not detect whitelisted vulnerabilities.

    1. In the Scan Settings panel, click the Vulnerability Whitelist Settings tab.

    2. Configure the vulnerability whitelist.

      • Create a rule: Click Create Rule to add custom whitelist rules for different vulnerability types.

      • Edit a rule: Find the rule that you want to edit, click Edit in the Actions column, and then modify the Applied Assets, Select Image, and Description of the rule.

      • Delete a rule: Find the rule that you want to delete and click Delete in the Actions column. After a rule is deleted, Security Center resumes detecting the corresponding vulnerability and generating alerts.

  4. Click the close icon image in the upper-right corner of the panel to close the Scan Settings panel.

Step 2: Run a container image scan

After you configure the scan scope, both manual scans and periodic scans run based on the settings in the Scan Settings panel.

Important

The first time you run a container image scan, Security Center automatically creates a reverse endpoint in the VPC that is configured for the image. This reverse endpoint allows the Security Center service to access the Container Registry Enterprise Edition instance in your VPC. Do not delete the reverse endpoint. For more information, see Description of automatically created reverse endpoints.

Run a manual scan

To scan your images immediately, run a manual scan.

Note

The Scan Now action scans all image repositories that are connected to Security Center by default. You can first configure the scan scope in the Scan Settings panel and then manually start a scan. The scan scope includes settings such as the image repositories to scan, container runtime scan configurations, and vulnerability whitelist configurations. For more information, see Step 1: Configure the container image scan scope in this topic.

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Image Scan. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Container Image Scan page, click Scan Now.

  4. In the Quick Scan dialog box, all image types are selected by default. Clear the checkboxes for the image types that you do not want to scan and click Confirm.

    The following types are supported:

    • ACR: Security Center checks the Enterprise instances that you created in the ACR console for security risks.

    • Harbor, Quay, GitLab: Security Center scans the private image repositories that you have added for security risks.

    • Container: Security Center immediately runs a container runtime image scan based on your container runtime scan settings.

    Security Center displays these types only if you have configured them.

    You can also click Configure Scan Scope. In the Scan Settings panel, configure the scan scope settings, and then repeat the preceding step to reopen the Quick Scan dialog box. For more information, see Step 1: Configure the container image scan scope in this topic.

Scan results appear in about one minute. You can then refresh the page to view the results in the risk list.

Configure periodic scans

By default, Security Center automatically scans your container assets for image vulnerabilities or malicious samples based on the scan cycle specified in the Scan Settings panel. You can modify the scan cycle for image vulnerabilities.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Image Scan. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  2. In the upper-right corner of the Container Image Scan page, click Scan Settings.

  3. On the Scan Settings tab, set the Scan Cycle.

After you configure the scan cycle, Security Center scans your images according to your configuration. For more information, see Step 1: Configure the container image scan scope in this topic.

Step 3: View image scan progress and status

  1. In the upper-right corner of the Container Image Scan page, click Task Management.

  2. In the Task Management panel, click the Image Scan tab.

  3. Click Details in the Actions column to view the task's execution log.

    For example, for a failed task, you can identify the problematic image and the cause of the failure.

Next steps

After running an image security scan, you can view the scan results. For more information, see View and remediate image risks.

Appendix

Automatically created reverse endpoints

When you run an image security scan for the first time, Security Center automatically creates a reverse endpoint in the VPC configured for the image. This endpoint allows the Security Center service to access the Container Registry Enterprise Edition instance in your VPC. Do not delete this endpoint. For more information about reverse endpoints, see How it works.

The reverse endpoint does not incur fees or affect any Alibaba Cloud products. If Security Center has not run an image security scan in a VPC for one month, it automatically deletes the reverse endpoint in that VPC. The next time you run a scan, Security Center automatically creates a new reverse endpoint. No action is required.

Regions and zones

The following tables list the regions and zones for the VPCs and vSwitches required to use the image security scan feature with Container Registry Enterprise Edition instances. If a VPC and a vSwitch are not in these lists, the image security scan feature is unavailable for the Enterprise Edition instance.

  • public cloud

    Region name

    Region ID

    Number of zones

    Zone name

    Zone ID

    China (Qingdao)

    cn-qingdao

    2

    Qingdao Zone B

    cn-qingdao-b

    Qingdao Zone C

    cn-qingdao-c

    China (Beijing)

    cn-beijing

    10

    Beijing Zone C

    cn-beijing-c

    Beijing Zone D

    cn-beijing-d

    Beijing Zone E

    cn-beijing-e

    Beijing Zone F

    cn-beijing-f

    Beijing Zone G

    cn-beijing-g

    Beijing Zone H

    cn-beijing-h

    Beijing Zone I

    cn-beijing-i

    Beijing Zone J

    cn-beijing-j

    Beijing Zone K

    cn-beijing-k

    Beijing Zone L

    cn-beijing-l

    China (Zhangjiakou)

    cn-zhangjiakou

    3

    Zhangjiakou Zone A

    cn-zhangjiakou-a

    Zhangjiakou Zone B

    cn-zhangjiakou-b

    Zhangjiakou Zone C

    cn-zhangjiakou-c

    China (Hohhot)

    cn-huhehaote

    2

    Hohhot Zone A

    cn-huhehaote-a

    Hohhot Zone B

    cn-huhehaote-b

    China (Ulanqab)

    cn-wulanchabu

    3

    Ulanqab Zone A

    cn-wulanchabu-a

    Ulanqab Zone B

    cn-wulanchabu-b

    Ulanqab Zone C

    cn-wulanchabu-c

    China (Hangzhou)

    cn-hangzhou

    7

    Hangzhou Zone B

    cn-hangzhou-b

    Hangzhou Zone F

    cn-hangzhou-f

    Hangzhou Zone G

    cn-hangzhou-g

    Hangzhou Zone H

    cn-hangzhou-h

    Hangzhou Zone I

    cn-hangzhou-i

    Hangzhou Zone J

    cn-hangzhou-j

    Hangzhou Zone K

    cn-hangzhou-k

    China (Shanghai)

    cn-shanghai

    8

    Shanghai Zone A

    cn-shanghai-a

    Shanghai Zone B

    cn-shanghai-b

    Shanghai Zone E

    cn-shanghai-e

    Shanghai Zone F

    cn-shanghai-f

    Shanghai Zone G

    cn-shanghai-g

    Shanghai Zone L

    cn-shanghai-l

    Shanghai Zone M

    cn-shanghai-m

    Shanghai Zone N

    cn-shanghai-n

    China (Shenzhen)

    cn-shenzhen

    4

    Shenzhen Zone C

    cn-shenzhen-c

    Shenzhen Zone D

    cn-shenzhen-d

    Shenzhen Zone E

    cn-shenzhen-e

    Shenzhen Zone F

    cn-shenzhen-f

    China (Heyuan)

    cn-heyuan

    2

    Heyuan Zone A

    cn-heyuan-a

    Heyuan Zone B

    cn-heyuan-b

    China (Guangzhou)

    cn-guangzhou

    2

    Guangzhou Zone A

    cn-guangzhou-a

    Guangzhou Zone B

    cn-guangzhou-b

    China (Chengdu)

    cn-chengdu

    2

    Chengdu Zone A

    cn-chengdu-a

    Chengdu Zone B

    cn-chengdu-b

    China (Hong Kong)

    cn-hongkong

    3

    Hong Kong Zone B

    cn-hongkong-b

    Hong Kong Zone C

    cn-hongkong-c

    Hong Kong Zone D

    cn-hongkong-d

    Singapore

    ap-southeast-1

    3

    Singapore Zone A

    ap-southeast-1a

    Singapore Zone B

    ap-southeast-1b

    Singapore Zone C

    ap-southeast-1c

    Malaysia (Kuala Lumpur)

    ap-southeast-3

    3

    Kuala Lumpur Zone A

    ap-southeast-3a

    Kuala Lumpur Zone B

    ap-southeast-3b

    Kuala Lumpur Zone C

    ap-southeast-3c

    Indonesia (Jakarta)

    ap-southeast-5

    3

    Jakarta Zone A

    ap-southeast-5a

    Jakarta Zone B

    ap-southeast-5b

    Jakarta Zone C

    ap-southeast-5c

    Philippines (Manila)

    ap-southeast-6

    1

    Manila Zone A

    ap-southeast-6a

    Thailand (Bangkok)

    ap-southeast-7

    2

    Bangkok Zone A

    ap-southeast-7a

    Bangkok Zone B

    ap-southeast-7b

    Japan (Tokyo)

    ap-northeast-1

    3

    Tokyo Zone A

    ap-northeast-1a

    Tokyo Zone B

    ap-northeast-1b

    Tokyo Zone C

    ap-northeast-1c

    South Korea (Seoul)

    ap-northeast-2

    2

    Seoul Zone A

    ap-northeast-2a

    Seoul Zone B

    ap-northeast-2b

    US (Silicon Valley)

    us-west-1

    2

    Silicon Valley Zone A

    us-west-1a

    Silicon Valley Zone B

    us-west-1b

    US (Virginia)

    us-east-1

    2

    Virginia Zone A

    us-east-1a

    Virginia Zone B

    us-east-1b

    Germany (Frankfurt)

    eu-central-1

    3

    Frankfurt Zone A

    eu-central-1a

    Frankfurt Zone B

    eu-central-1b

    Frankfurt Zone C

    eu-central-1c

    UK (London)

    eu-west-1

    2

    London Zone A

    eu-west-1a

    London Zone B

    eu-west-1b

  • Finance Cloud

    Region name

    Region ID

    City

    Number of zones

    Zone name

    Zone ID

    China (Shanghai) Finance Cloud

    shanghai-finance-1

    Shanghai

    4

    Zone F

    cn-shanghai-finance-1f

    Zone G

    cn-shanghai-finance-1g

    Zone K

    cn-shanghai-finance-1k

    Zone Z

    cn-shanghai-finance-1z

    China (Shenzhen) Finance Cloud

    cn-shenzhen-finance-1

    Shenzhen

    2

    Zone D

    cn-shenzhen-finance-1d

    Zone E

    cn-shenzhen-finance-1e

    China (Beijing) Finance Cloud (Invitational Preview)

    cn-beijing-finance-1

    Beijing

    2

    Zone K

    cn-beijing-finance-1k

    Zone L

    cn-beijing-finance-1l

  • Gov Cloud

    Region name

    Region ID

    City

    Number of zones

    Zone name

    Zone ID

    China (Beijing) Gov Cloud 1

    cn-north-2-gov-1

    Beijing

    3

    China (Beijing) Gov Cloud 1 Zone B

    cn-north-2-gov-1b

    China (Beijing) Gov Cloud 1 Zone C

    cn-north-2-gov-1c

    China (Beijing) Gov Cloud 1 Zone D

    cn-north-2-gov-1d