Security Center scans your container images to detect system vulnerabilities, application vulnerabilities, baseline risks, malicious samples, sensitive files, and risks in image build instructions. This topic walks you through the complete workflow: configuring the scan scope, triggering scans, and monitoring task progress.
Prerequisites
Before you begin, ensure that you have:
Enabled the Container Image Scan feature and purchased sufficient Container Image Scan authorizations. For more information, see Enable the Container Image Security Scan feature.
A Container Registry Enterprise Edition instance or a connected private image repository. For more information, see Create a Container Registry Enterprise Edition instance and Add an image repository.
If your Container Registry Enterprise Edition instance uses a virtual private cloud (VPC), select a vSwitch in a supported zone within a supported region. For the full list, see Supported regions and zones.
How it works
Security Center supports two scan modes and six risk detection categories.
Scan modes:
| Mode | Description |
|---|---|
| Manual scan | Triggered immediately by clicking Scan Now. All image types connected to Security Center are scanned unless you narrow the scope. |
| Periodic scan | Runs automatically based on the scan cycle you configure. Applies to vulnerability, baseline, malicious sample, and sensitive file scans. Container runtime image scans do not support periodic mode. |
Both modes use the same scan scope configuration. Configure the scope first, then choose when to run.
What Security Center detects:
| Detection category | Description | Supported mode |
|---|---|---|
| System and application vulnerabilities | CVEs in OS packages, middleware, web applications, and databases | Manual, periodic |
| Baseline risks | Misconfigurations against security benchmarks | Manual, periodic |
| Malicious samples | Mining trojans, backdoor programs, and other malware | Manual, periodic |
| Sensitive files | Application credentials, certificates, keys, and cloud provider access keys in image layers | Manual, periodic |
| Image build instruction risks | Security risks in Dockerfile instructions | Manual, periodic |
| Container runtime image risks | Vulnerabilities in images running in live containers | Manual only |
Quota consumption model:
Security Center identifies images by their digest value. If an image's digest does not change between scans, only the first scan consumes a quota unit. When the digest changes — meaning the image was rebuilt or updated — the next scan consumes an additional quota unit.
Each scan task has a fixed timeout of 4 hours. If a task includes more repositories than can be scanned within that window, remaining repositories are skipped. Specify the repositories you need before starting a scan, and increase the Throttling rate for Harbor repositories to avoid hitting the timeout.
Step 1: Configure the scan scope
Scan scope settings apply to both manual and periodic scans.
Log on to the Security Center console. In the top-left corner, select the region of the assets you want to protect: Chinese Mainland or Outside Chinese Mainland.
In the left navigation pane, choose Protection Configuration > Container Protection > Container Image Scan.
In the upper-right corner of the Container Image Scan page, click Scan Settings.
In the Scan Settings panel, click the tab for the feature you want to configure.
The following sections cover each tab.
Configure scan parameters
On the Scan Configuration tab, set the following parameters:
| Parameter | Description |
|---|---|
| Consumed quota/Purchased quota | The number of scans performed versus the total purchased. If the quota is running low, click Scale Out to purchase more. |
| Scan Cycle | The frequency for periodic scans. This setting has no effect on manual scans. |
| Scan Scope | The image repositories to include. Click Manage, select repositories in the Image Management dialog box, and click OK. By default, Automatically Adds New Image Repositories For Scan is enabled — new repositories are automatically added to the periodic scan scope. Click the |
| Scan Time Range | Scans images based on their last local update time. If no update time is available, the local creation time is used. For example, with Last 7 Days selected, images last updated more than 7 days ago are excluded — the task status shows as successful, but with 0 successful scans. |
| Vulnerability Retention Period | How long periodic scan results are retained. Security Center automatically deletes results older than this period. |
Manage image repositories
Click the Image Repository tab to view connected repositories:
acr and defaultAcr types: Container Registry Enterprise Edition instances automatically synced from your Alibaba Cloud account. These cannot be removed from the list.
harbor, quay, and gitlab types: Private repositories you have connected manually.
From this tab you can:
Add a repository: Click Add Image Repository to connect a private repository not yet in the list. For more information, see Add image repositories.
Remove a repository: In the Actions column for the target repository, click Remove, then click OK.
Set Harbor throttling: For Harbor repositories, click Edit in the Actions column and set the Throttling rate (images scanned per hour, default: 10). Increase this value if you have many images and need them all scanned within the 4-hour window. For example, a Harbor repository with 200 images at the default rate of 10 per hour takes 20 hours — exceeding the timeout, so many images would not be scanned. Setting it to 200 reduces that to 1 hour.
Monitor sync progress: Click Task Management in the upper-right corner and check the Container Asset Synchronization and Image Asset Synchronization tabs to confirm repositories are ready before running a scan.
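The quota, Scan Time Range and Harbor throttling rules described above can be sized before a scan is triggered. The following is an added example, not Alibaba Cloud's own code: it models the three documented rules (one quota unit per unique digest, time-range filtering on last update time with creation time as fallback, and the 4-hour task timeout against an images-per-hour throttle) over constructed sample image records.

```python
"""Sizing a Security Center image scan before triggering it (added example,
not Alibaba Cloud code). Models three documented rules: quota is charged once
per image digest, Scan Time Range filters on last update time (creation time
as fallback), and a task times out after 4 hours at N images/hour throttle."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

SCAN_TIMEOUT_HOURS = 4        # fixed task timeout from the documentation
DEFAULT_HARBOR_THROTTLE = 10  # images per hour, the documented default

@dataclass
class Image:
    digest: str                         # identity for quota accounting
    created: datetime
    updated: Optional[datetime] = None  # None when no update time is recorded

@dataclass
class QuotaLedger:
    """Charges one quota unit the first time each digest is scanned."""
    seen: set = field(default_factory=set)
    consumed: int = 0

    def charge(self, image: Image) -> bool:
        if image.digest in self.seen:
            return False                # unchanged digest: no extra unit
        self.seen.add(image.digest)
        self.consumed += 1
        return True

def in_time_range(image: Image, now: datetime, days: int) -> bool:
    """Scan Time Range rule: use last update time, else creation time."""
    return now - (image.updated or image.created) <= timedelta(days=days)

def min_throttle(image_count: int, timeout_hours: int = SCAN_TIMEOUT_HOURS) -> int:
    """Smallest images/hour rate that finishes the repository in one task."""
    return -(-image_count // timeout_hours)  # ceiling division

def plan(images, now, days, throttle=DEFAULT_HARBOR_THROTTLE, ledger=None):
    """Return (images selected, quota units charged, fits the 4-hour window)."""
    ledger = ledger or QuotaLedger()
    selected = [img for img in images if in_time_range(img, now, days)]
    charged = sum(ledger.charge(img) for img in selected)
    return len(selected), charged, len(selected) / throttle <= SCAN_TIMEOUT_HOURS

# Constructed sample: an unchanged tag seen twice, a rebuilt tag (new digest),
# and a stale image whose only timestamp is its creation time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Image("sha256:aaa", NOW - timedelta(days=30), NOW - timedelta(days=2)),
    Image("sha256:aaa", NOW - timedelta(days=30), NOW - timedelta(days=2)),
    Image("sha256:bbb", NOW - timedelta(days=1)),
    Image("sha256:ccc", NOW - timedelta(days=40)),
]
```

With the page's own figures, 200 Harbor images need a throttling rate of at least 50 images per hour to finish inside the 4-hour window; `plan()` reports whether a given rate fits.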
Configure baseline checks
In the Scan Settings panel, click the Baseline Configuration Management tab.
Click Manage to the right of Configuration Scope.
In the Baseline Check Scope panel, select the baselines to check, then click Confirm.
The Access Key Plaintext Storage and Password Leakage baselines correspond to the AccessKey Leak Detection and Password Leak Detection switches in the Baseline Configuration Management tab. Selecting them here automatically enables the corresponding switches — no separate configuration is needed.
Once configured, the selected baselines are checked whenever you run a manual scan or a periodic scan starts.
Configure container runtime image scans
Container runtime image scans detect vulnerabilities in images running in live containers. Only manual scans are supported.
In the Scan Settings panel, click the Container Runtime Image Scan tab.
Click Configure Scan Scope. In the dialog box, select the cluster and application name to scan, then click OK.
Click Scan Now to start the scan immediately.
After the scan completes, go to Task Management > Container Runtime Image Scan to view progress, then check the Image Vulnerability Risk tab on the Container Image Scan page for detected vulnerabilities.
Configure sensitive file scans
Security Center can detect sensitive data in image layers, including application configuration files with embedded credentials, certificates and keys, authentication tokens, and access keys from cloud providers.
Sensitive file scans are static only — runtime detection is not supported.
In the Scan Settings panel, click the Sensitive File Scan Settings tab.
Click Manage to the right of Configuration Scope.
In the Sensitive File Scan Settings panel, select the check items to include.

Toggle the sensitive file detection switch to enable it.
When enabled, sensitive file scans run alongside vulnerability and baseline scans — both on Scan Now and during periodic scans.
Configure the at-risk file whitelist
If a specific sensitive file, build instruction risk, or malicious sample alert is expected or acceptable, add it to the whitelist. Security Center stops generating alerts for whitelisted items.
The whitelist is populated from alerts you dismiss on the Malicious Image Sample, Sensitive Image File, and Image Build Command Risks tabs. You cannot configure the whitelist before running your first scan.
In the Scan Settings panel, click the At-risk File Whitelist Configuration tab.
On the Sensitive File, Container Build, or Malicious Sample tab, find the target alert type and:
Edit: Click Edit in the Actions column, then set the whitelist scope to All Image Repositories or Current Image Repository Only.
Delete: Click Delete in the Actions column to remove the alert type from the whitelist. Security Center resumes detecting and alerting on that risk.
Configure automatic vulnerability fixing
Security Center can automatically fix system vulnerabilities in Container Registry Enterprise Edition (ACR Enterprise Edition) image repositories.
In the Scan Settings panel, click the Image Risk Fixing Configuration tab.
Click the Fixing Configuration switch to enable automatic fixing.
Set the following parameters:
| Parameter | Description |
|---|---|
| Fixing Period | How often Security Center applies fixes. |
| Fixing Scope | Which image repositories in your ACR Enterprise Edition instance to fix. |
| Time Range | Only images updated within this period are fixed. If an image has never been updated, its creation time is used. For example, with 7 Days selected, only images updated in the last 7 days receive fixes. |
After enabling, Security Center applies fixes when a manual scan runs or when a periodic scan task starts. To check remediation status, go to Task Management > Image Remediation.
Configure the vulnerability whitelist
To exclude a specific vulnerability from scans, add it to the vulnerability whitelist. Security Center stops generating alerts for whitelisted vulnerabilities.
In the Scan Settings panel, click the Vulnerability Whitelist Settings tab.
Manage whitelist rules:
Create a rule: Click Create Rule, then configure the whitelist scope and applicable vulnerability types.
Edit a rule: Click Edit in the Actions column to update Rule Scope, Image Selection, or Note.
Delete a rule: Click Delete in the Actions column. Security Center resumes detecting and alerting on that vulnerability.
Click the icon in the upper-right corner of the Scan Settings panel to close it.
Step 2: Run an image security scan
With the scan scope configured, run a scan manually or rely on the periodic schedule.
On the first scan, Security Center automatically creates a reverse endpoint in the VPC configured for your image. This endpoint lets Security Center access your Container Registry Enterprise Edition instance within the VPC. Do not delete it. For details, see Automatically created reverse endpoints.
Run an immediate scan
Log on to the Security Center console. In the top-left corner, select the region: Chinese Mainland or Outside Chinese Mainland.
In the left navigation pane, choose Protection Configuration > Container Protection > Container Image Scan.
Click Scan Now.
In the Quick Scan dialog box, all connected image types are selected by default. Deselect any types you do not want to include, then click OK. Only types already configured in Security Center appear in this dialog box.
| Image type | What is scanned |
|---|---|
| acr | Container Registry Enterprise Edition instances created in the Container Registry console |
| harbor, quay, gitlab | Private repositories you have connected to Security Center |
| Container | Container runtime images, based on your container runtime scan scope settings |
Scan results appear in about one minute. Refresh the page to see the updated risk list.
Configure a periodic scan
Log on to the Security Center console. In the top-left corner, select the region: Chinese Mainland or Outside Chinese Mainland.
In the left navigation pane, choose Protection Configuration > Container Protection > Container Image Scan.
In the upper-right corner, click Scan Settings.
On the Scan Configuration tab, set Scan Cycle, then close the Scan Settings panel.
Security Center runs scans automatically based on the cycle you set, using the full scan scope configuration from Step 1.
Step 3: Monitor scan progress
In the upper-right corner of the Container Image Scan page, click Task Management.
In the Task Management panel, click the Image Scan tab.
Review the progress and status of each task. Click Details in the Actions column to view the execution log — including which images failed and the reason for each failure.

What's next
After the scan completes, view and act on the detected risks. For more information, see View and handle detected image risks.
Appendix
Description of automatically created reverse endpoints
When you run an image security scan for the first time, Security Center automatically creates a reverse endpoint in the VPC configured for the image. This endpoint lets the Security Center service reach your Container Registry Enterprise Edition instance inside the VPC. For background on how reverse endpoints work, see How it works.
Do not delete this endpoint. It does not incur fees and does not affect any other Alibaba Cloud products.
If no image security scan runs in the VPC for one month, the reverse endpoint is automatically deleted. The next scan creates a new one automatically — no action required.
Supported regions and zones
The following tables list the supported regions and zones for VPCs and vSwitches used by Container Registry Enterprise Edition instances with the image security scan feature. If the configured VPC and vSwitch are not in these lists, image scanning is not available for that instance.
Public cloud
| Region name | Region ID | Supported zones | Zone name | Zone ID |
|---|---|---|---|---|
| China (Qingdao) | cn-qingdao | 2 | Qingdao Zone B | cn-qingdao-b |
| | | | Qingdao Zone C | cn-qingdao-c |
| China (Beijing) | cn-beijing | 10 | Beijing Zone C | cn-beijing-c |
| | | | Beijing Zone D | cn-beijing-d |
| | | | Beijing Zone E | cn-beijing-e |
| | | | Beijing Zone F | cn-beijing-f |
| | | | Beijing Zone G | cn-beijing-g |
| | | | Beijing Zone H | cn-beijing-h |
| | | | Beijing Zone I | cn-beijing-i |
| | | | Beijing Zone J | cn-beijing-j |
| | | | Beijing Zone K | cn-beijing-k |
| | | | Beijing Zone L | cn-beijing-l |
| China (Zhangjiakou) | cn-zhangjiakou | 3 | Zhangjiakou Zone A | cn-zhangjiakou-a |
| | | | Zhangjiakou Zone B | cn-zhangjiakou-b |
| | | | Zhangjiakou Zone C | cn-zhangjiakou-c |
| China (Hohhot) | cn-huhehaote | 2 | Hohhot Zone A | cn-huhehaote-a |
| | | | Hohhot Zone B | cn-huhehaote-b |
| China (Ulanqab) | cn-wulanchabu | 3 | Ulanqab Zone A | cn-wulanchabu-a |
| | | | Ulanqab Zone B | cn-wulanchabu-b |
| | | | Ulanqab Zone C | cn-wulanchabu-c |
| China (Hangzhou) | cn-hangzhou | 7 | Hangzhou Zone B | cn-hangzhou-b |
| | | | Hangzhou Zone F | cn-hangzhou-f |
| | | | Hangzhou Zone G | cn-hangzhou-g |
| | | | Hangzhou Zone H | cn-hangzhou-h |
| | | | Hangzhou Zone I | cn-hangzhou-i |
| | | | Hangzhou Zone J | cn-hangzhou-j |
| | | | Hangzhou Zone K | cn-hangzhou-k |
| China (Shanghai) | cn-shanghai | 8 | Shanghai Zone A | cn-shanghai-a |
| | | | Shanghai Zone B | cn-shanghai-b |
| | | | Shanghai Zone E | cn-shanghai-e |
| | | | Shanghai Zone F | cn-shanghai-f |
| | | | Shanghai Zone G | cn-shanghai-g |
| | | | Shanghai Zone L | cn-shanghai-l |
| | | | Shanghai Zone M | cn-shanghai-m |
| | | | Shanghai Zone N | cn-shanghai-n |
| China (Shenzhen) | cn-shenzhen | 4 | Shenzhen Zone C | cn-shenzhen-c |
| | | | Shenzhen Zone D | cn-shenzhen-d |
| | | | Shenzhen Zone E | cn-shenzhen-e |
| | | | Shenzhen Zone F | cn-shenzhen-f |
| China (Heyuan) | cn-heyuan | 2 | Heyuan Zone A | cn-heyuan-a |
| | | | Heyuan Zone B | cn-heyuan-b |
| China (Guangzhou) | cn-guangzhou | 2 | Guangzhou Zone A | cn-guangzhou-a |
| | | | Guangzhou Zone B | cn-guangzhou-b |
| China (Chengdu) | cn-chengdu | 2 | Chengdu Zone A | cn-chengdu-a |
| | | | Chengdu Zone B | cn-chengdu-b |
| China (Hong Kong) | cn-hongkong | 3 | Hong Kong Zone B | cn-hongkong-b |
| | | | Hong Kong Zone C | cn-hongkong-c |
| | | | Hong Kong Zone D | cn-hongkong-d |
| Singapore | ap-southeast-1 | 3 | Singapore Zone A | ap-southeast-1a |
| | | | Singapore Zone B | ap-southeast-1b |
| | | | Singapore Zone C | ap-southeast-1c |
| Malaysia (Kuala Lumpur) | ap-southeast-3 | 3 | Kuala Lumpur Zone A | ap-southeast-3a |
| | | | Kuala Lumpur Zone B | ap-southeast-3b |
| | | | Kuala Lumpur Zone C | ap-southeast-3c |
| Indonesia (Jakarta) | ap-southeast-5 | 3 | Jakarta Zone A | ap-southeast-5a |
| | | | Jakarta Zone B | ap-southeast-5b |
| | | | Jakarta Zone C | ap-southeast-5c |
| Philippines (Manila) | ap-southeast-6 | 1 | Manila Zone A | ap-southeast-6a |
| Thailand (Bangkok) | ap-southeast-7 | 2 | Bangkok Zone A | ap-southeast-7a |
| | | | Bangkok Zone B | ap-southeast-7b |
| Japan (Tokyo) | ap-northeast-1 | 3 | Tokyo Zone A | ap-northeast-1a |
| | | | Tokyo Zone B | ap-northeast-1b |
| | | | Tokyo Zone C | ap-northeast-1c |
| South Korea (Seoul) | ap-northeast-2 | 2 | Seoul Zone A | ap-northeast-2a |
| | | | Seoul Zone B | ap-northeast-2b |
| US (Silicon Valley) | us-west-1 | 2 | Silicon Valley Zone A | us-west-1a |
| | | | Silicon Valley Zone B | us-west-1b |
| US (Virginia) | us-east-1 | 2 | Virginia Zone A | us-east-1a |
| | | | Virginia Zone B | us-east-1b |
| Germany (Frankfurt) | eu-central-1 | 3 | Frankfurt Zone A | eu-central-1a |
| | | | Frankfurt Zone B | eu-central-1b |
| | | | Frankfurt Zone C | eu-central-1c |
| UK (London) | eu-west-1 | 2 | London Zone A | eu-west-1a |
| | | | London Zone B | eu-west-1b |
Finance Cloud
| Region name | Region ID | City | Supported zones | Zone name | Zone ID |
|---|---|---|---|---|---|
| China (Shanghai) Finance Cloud | shanghai-finance-1 | Shanghai | 4 | China (Shanghai) Finance Cloud Zone F | cn-shanghai-finance-1f |
| | | | | China (Shanghai) Finance Cloud Zone G | cn-shanghai-finance-1g |
| | | | | China (Shanghai) Finance Cloud Zone K | cn-shanghai-finance-1k |
| | | | | China (Shanghai) Finance Cloud Zone Z | cn-shanghai-finance-1z |
| China (Shenzhen) Finance Cloud | cn-shenzhen-finance-1 | Shenzhen | 2 | China (Shenzhen) Finance Cloud Zone D | cn-shenzhen-finance-1d |
| | | | | China (Shenzhen) Finance Cloud Zone E | cn-shenzhen-finance-1e |
| China (Beijing) Finance Cloud (Invitational Preview) | cn-beijing-finance-1 | Beijing | 2 | China (Beijing) Finance Cloud (Invitational Preview) Zone K | cn-beijing-finance-1k |
| | | | | China (Beijing) Finance Cloud (Invitational Preview) Zone L | cn-beijing-finance-1l |
Gov Cloud
| Region name | Region ID | City | Supported zones | Zone name | Zone ID |
|---|---|---|---|---|---|
| China (Beijing) Gov Cloud 1 | cn-north-2-gov-1 | Beijing | 3 | China (Beijing) Gov Cloud 1 Zone B | cn-north-2-gov-1b |
| | | | | China (Beijing) Gov Cloud 1 Zone C | cn-north-2-gov-1c |
| | | | | China (Beijing) Gov Cloud 1 Zone D | cn-north-2-gov-1d |