
Security Center: View and remediate image risks

Last Updated: Mar 31, 2026

Security Center scans container images to detect system vulnerabilities, application vulnerabilities, baseline risks, malicious image samples, and sensitive image files. This topic describes how to view scan results by risk category and handle each type of detected risk.

Prerequisites

Before you begin, ensure that you have:

  • Completed at least one container image scan. For more information, see Scan images.

View risk statistics

The Container Image Scan page provides an overview of your image security posture, including counts of high-, medium-, and low-risk images and the number of scanned and unscanned images.

  1. Log on to the Security Center console. In the top navigation bar, select the region where the asset resides. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Image Scan.

  3. On the Container Image Scan page, view the following statistics in the upper section:

    • High-risk Image, Medium-risk Image, Low-risk Image: Click the number under each label to go to the Image tab on the Container page and view affected image details.

    • Scanned Images, Unscanned Image/Images: Click the number to open a panel listing the scanned or unscanned images.

      Important: The Unscanned Image/Images panel includes both images that have not been scanned and images that failed to scan.

    • Container image scan quota: If the remaining quota is insufficient, click Increase Quota to purchase additional quota.

View image scan results

  1. Log on to the Security Center console. In the top navigation bar, select the region where the asset resides. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Image Scan.

  3. On the Container Image Scan page, click a tab to view results by risk category. The page provides the following tabs:

    | Tab | What you can do |
    |---|---|
    | Image Vulnerability | View system vulnerabilities and application vulnerabilities detected in images. Filter by priority, instance ID, repository, namespace, digest, or vulnerability name. Click a CVE ID to open the Alibaba Cloud vulnerability library. |
    | Image Baseline Check | View baseline check results by severity. Click Details to see affected images and containers, risk counts, and per-image risk items. |
    | Malicious Image Sample | View detected malicious samples categorized as Urgent, Suspicious, or Notice. Click Details to see affected images and handling options. |
    | Sensitive Image File | View sensitive files detected in images, filtered by risk level or alert type. Click Details to see affected images or the files affecting a specific image. |
    | Image Build Command Risks | View risks in image build commands, filtered by risk level, risk type, or category. Click Details to see affected images or the risks affecting a specific image. |

Image vulnerability tab

On the System Vulnerability and Image Application Vulnerability sub-tabs, view the vulnerabilities detected in your images.

Filter vulnerabilities

Filter by vulnerability priority (high, medium, or low), instance ID, repository name, namespace, digest, or vulnerability name. Select Image Scan or Container Runtime Image Scan to narrow results by scan type.

Fuzzy search is supported when filtering by repository name or vulnerability name.

View vulnerability details

Find the vulnerability and click View in the Actions column. In the panel:

  • Click the Common Vulnerabilities and Exposures (CVE) ID to open the Alibaba Cloud vulnerability library, which shows the vulnerability description, basic information, and fix recommendations.

  • In the list of affected images or containers, click Details in the Actions column to see fixing commands and impact descriptions for that image.

If PAI appears to the right of the Image Address/Version, the image is deployed through Platform for AI (PAI).

Image baseline check tab

On the Image Baseline Check tab, view baseline check results.

Filter results

Filter by severity (high risk, medium risk, or low risk), baseline name, or category.

View check result details

The results list shows the Baseline Name/Category, Affected Image, Last Scan Time, First Scan Time, and Status for each baseline.

Click Details in the Actions column for a baseline to open the details panel, where you can:

  • See the addresses and versions of affected images, first check time, and baseline risk counts at each risk level.

  • Click Details for a specific image to view its risk items in the Risk Item panel.

  • Click the Affected Image or Affected Container tab, then click the export icon to export the list.

Malicious image sample tab

Important

A malicious image sample can change memory attributes from readable and writable to readable and executable, or modify network proxy settings to intrude into your server. Handle malicious image samples as soon as possible.

Filter results

In the upper-left corner of the list, select Urgent, Suspicious, or Notice to filter by severity. You can also filter by instance ID, repository name, namespace, digest, or malicious sample name.

View sample details

The list shows sample names, number of affected images, first scan time, last scan time, and processing status. Click Details in the Actions column to open the details panel for a sample.

Sensitive image file tab

Filter results

In the upper-left corner, select High Risk, Medium Risk, or Low Risk to filter. You can also filter by alert type of sensitive files or type of sensitive information.

View file details

The list shows alert types, types of sensitive information, numbers of affected and unhandled images, first scan time, and last scan time.

Click Details in the Actions column:

  • On a sensitive image file entry: view images affected by that file.

  • On an affected image entry: view sensitive files affecting that image.

Image build command risks tab

Filter results

In the upper-left corner, select High Risk, Medium Risk, or Low Risk to filter. You can also filter by risk type or category.

View risk details

The list shows risk types, risk categories, numbers of affected and unhandled images, first scan time, and last scan time.

Click Details in the Actions column:

  • On a risk entry: view images affected by that risk.

  • On an affected image entry: view the build command risks affecting that image.

Export scan results

On the Image Vulnerability, Image Baseline Check, or Malicious Image Sample tab, click the export icon in the upper-right corner of the list to export the scan results.

Handle detected image risks

After reviewing scan results, handle each risk type based on its details and the available remediation options.

Image vulnerabilities

Fix vulnerabilities based on fixing commands and impact descriptions. Security Center supports fixing only specific image system vulnerabilities directly from the console.

To check whether an updated image is available in the repository, go to Assets > Container in the left-side navigation pane, then click the Image tab. For more information, see the View image information section of the "Manage container assets" topic.

Two fix methods are available when an image update that addresses the vulnerability exists:

  • Manual fix: In the vulnerability list, find the vulnerability with an active Fix button and click Fix in the Actions column. Click the Affected Image tab, find the target image, and click Fix.

  • Automatic fix: Configure a fixing period and scope. For more information, see the Configure image risk fixing section of the "Scan images" topic.

Image baseline risks

Handle baseline risks manually based on the details in the Image Baseline Check tab.

Malicious image samples

Handle malicious image samples as soon as possible using the paths of malicious files and other details in the sample details panel.

If an affected image has been confirmed safe, find it in the sample details panel and click Handle in the Actions column to add the alert type to the whitelist. After whitelisting, Security Center stops checking for that alert type on the image.

Sensitive image files and image build command risks

Assess risks based on your business conditions. Delete or correct the files and image build commands that pose security risks, then recreate the images.
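A local pre-rebuild check for the kind of correction described above, as an added example that is not part of the original topic and is not Security Center's detection logic. The rule set, function names, and sample Dockerfile are assumptions made for illustration.

```python
import re

# Illustrative rules (assumed for this example; not Security Center's rule set).
SECRET_NAME = re.compile(r"(?i)\b\w*(password|passwd|secret|token|api_?key|access_?key)\w*\s*=\s*\S+")
KEY_FILE = re.compile(r"(?i)(^|[\s/])(id_rsa|id_ed25519|\.npmrc|\.env|[\w.-]+\.(pem|key|p12))(\s|$)")
PIPE_TO_SHELL = re.compile(r"(?i)\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
REMOTE_ADD = re.compile(r"(?i)^https?://")

def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are skipped, even mid-instruction
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf = ""

def check_dockerfile(text):
    """Return (line_no, finding) tuples in file order for the assumed rules above."""
    findings = []
    for no, instr in logical_lines(text):
        parts = instr.split(None, 1)
        op, args = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if op in ("ENV", "ARG") and SECRET_NAME.search(args):
            findings.append((no, "secret value baked into image metadata"))
        if op in ("COPY", "ADD") and KEY_FILE.search(args):
            findings.append((no, "credential or key file copied into a layer"))
        if op == "ADD" and REMOTE_ADD.match(args.strip()):
            findings.append((no, "ADD from remote URL without integrity check"))
        if op == "RUN" and PIPE_TO_SHELL.search(args):
            findings.append((no, "remote script piped to a shell"))
    return findings

# Constructed sample input: a Dockerfile to correct before recreating the image.
SAMPLE = """\
FROM alpine:3.19
ENV DB_PASSWORD=hunter2
COPY id_rsa /root/.ssh/id_rsa
ADD https://example.com/tool.tar.gz /opt/
RUN apk add --no-cache curl && \\
    curl -fsSL https://example.com/install.sh | sh
CMD ["/bin/sh"]
"""
```

A secret or key that already reached a pushed layer stays readable in that image, so rotate the credential in addition to rebuilding.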

In the details panel of a sensitive file or build command, click Handle in the Actions column and choose a handling method:

| Method | Effect |
|---|---|
| Add to Whitelist | Adds the alert type to the whitelist. Security Center stops checking for that alert type. |
| Ignore | Dismisses the current alert. If a subsequent scan detects the same condition, a new alert is generated. |
| Mark as False Positive | Reports a false positive so Security Center can improve its scanning accuracy. |

Rescan after handling

After handling detected risks, click Immediate Scan on the Container Image Scan page to rescan the image and update the results.