Container images can carry vulnerabilities, misconfigurations, malicious files, and sensitive credentials that go undetected until they reach production. Container image scan identifies these risks directly in your Container Registry images before deployment. For image system vulnerabilities, Security Center also provides a quick fix together with the commands needed to apply it.
Limitations
Container image scan is a value-added feature that must be purchased separately. Only the Advanced, Enterprise, Ultimate, and Value-added Plan editions support this purchase.
Supported regions
Container image scan works with Container Registry instances in the following regions.
| Area | Supported regions |
|---|---|
| China | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), and China (Ulanqab) |
| | China (Shenzhen), China (Heyuan), and China (Guangzhou) |
| | China (Hangzhou) and China (Shanghai) |
| | China (Chengdu) |
| | China (Hong Kong) |
| | China East 2 Finance, China South 1 Finance, China North 2 Finance, and China North 2 Ali Gov 1 |
| Outside China | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
| | Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley) |
What gets scanned
Container image scan covers two categories of checks: image content (the files inside the image) and build instructions (the Dockerfile used to create the image). Understanding this distinction helps you interpret results and choose the right remediation path.
Image content checks
These checks scan the files and runtime environment inside the final built image.
| Risk type | What it detects | Quick fix supported |
|---|---|---|
| Image system vulnerability | Operating system vulnerabilities and third-party software vulnerabilities | Yes — fix using the commands and impact descriptions provided by Security Center |
| Image application vulnerability | Application vulnerabilities that can lead to unauthorized access, code injection, and denial-of-service (DoS) attacks | No — fix manually using the commands and impact descriptions provided by Security Center |
| Image baseline risk | Misconfigurations where the image does not conform to security configuration specifications and best practices | No — fix manually based on the baseline check details provided by Security Center |
| Malicious image sample | Malicious files, malicious code, and malicious behavior in images and during container runtime | No — fix manually using the malicious file paths provided by Security Center |
| Sensitive image file | Application configurations with sensitive information, certificate keys, application identity or login credentials, and credentials for cloud server providers | No — review the Security Center suggestions, remove the sensitive information, and recreate the image |
Quick fix is only available for image system vulnerabilities. For all other risk types, follow the manual remediation steps in the risk details. For more information, see Handle detected image risks.
Build instruction checks
These checks analyze the Dockerfile instructions used to build the image. Detected issues require you to update the Dockerfile and rebuild the image.
Security Center detects the following build instruction risks:
- Deprecated MAINTAINER command
- No user specified with the USER command (image runs as root by default)
- Application running as the root user
- Use of the ADD command
- Sensitive data included in ENV variables
- Certificate verification disabled via the NODE_TLS_REJECT_UNAUTHORIZED environment variable
- apt used with the RUN command in Dockerfiles
To remediate these issues, update your Dockerfile based on the risk description provided by Security Center, then rebuild and push the image.
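As an added example (not Security Center's code), the following Python linter flags the build-instruction risks listed above in a Dockerfile and runs over two constructed Dockerfiles: one containing the weak patterns and one rebuilt without them. The risk keys and the secret-name pattern are my own assumptions, not Security Center's identifiers.

```python
import re

# Added example, not Security Center's code; risk keys are my own labels, not Security Center's.
SECRET_RE = re.compile(r"PASSWORD|SECRET|TOKEN|ACCESS_KEY|API_KEY", re.I)  # assumed name pattern
TLS_OFF_RE = re.compile(r"NODE_TLS_REJECT_UNAUTHORIZED[ =]\s*['\"]?0")
APT_RE = re.compile(r"(^|[\s;&|])apt(\s|$)")  # bare apt in RUN; apt-get does not match

def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash-continued lines, skips comments."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def lint_dockerfile(text):
    """Return the sorted list of risk keys found in a Dockerfile."""
    found, user = set(), None
    for instr, arg in parse_instructions(text):
        if instr == "MAINTAINER":
            found.add("deprecated_maintainer")
        elif instr == "USER":
            user = arg.strip()  # the last USER decides who runs CMD/ENTRYPOINT
        elif instr == "ADD":
            found.add("add_command")
        elif instr == "ENV":
            if SECRET_RE.search(arg):
                found.add("sensitive_env")
            if TLS_OFF_RE.search(arg):
                found.add("tls_verify_disabled")
        elif instr == "RUN" and APT_RE.search(arg):
            found.add("apt_in_run")
    if user is None:
        found.add("no_user")  # no USER at all: the image runs as root by default
    elif user.split(":")[0] in ("root", "0"):
        found.add("root_user")
    return sorted(found)

# Constructed sample Dockerfiles: one with the weak patterns, one rebuilt without them.
RISKY_DOCKERFILE = """FROM node:18
MAINTAINER ops@example.com
ENV NODE_TLS_REJECT_UNAUTHORIZED=0 DB_PASSWORD=hunter2
ADD app.tar.gz /srv/app
RUN apt update && apt install -y curl
CMD ["node", "/srv/app/server.js"]"""
HARDENED_DOCKERFILE = """FROM node:18
LABEL maintainer="ops@example.com"
COPY app/ /srv/app/
RUN useradd --system --no-create-home app
USER app
CMD ["node", "/srv/app/server.js"]"""
```

Running `lint_dockerfile(RISKY_DOCKERFILE)` lists all six weak patterns, while the hardened file returns an empty list.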
Supported operating systems
The following table lists the operating systems supported for risk detection and risk fixing.
| Operating system | Versions: risk detection | Versions: risk fixing |
|---|---|---|
| Red Hat | 5, 6, 7 | None |
| CentOS | 5, 6, 7 | 7, 8 |
| Ubuntu | 12.04, 14.04, 16.04, 18.04, 18.10 | 14, 16, 18 |
| Debian | 6, 7, 8, 9, 10 | 9, 10 |
| Alpine | 2.3, 2.4, 2.5, 2.6, 2.7, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12 | 3.9 |
| Amazon Linux | Amazon Linux 2, Amazon Linux AMI | None |
| Oracle Linux | 5, 6, 7, 8 | None |
| SUSE Linux Enterprise Server | 5, 6, 7, 8, 9, 10, 10 SP4, 11 SP3, 12 SP2, 12 SP5 | None |
| Fedora Linux | 2X, 3X | None |
| openSUSE | 10.0, Leap 15.2, Leap 42.3 | None |
Get started
Enable container image scan: Purchase and enable the feature, then set the Container Image Scan quota based on the number of images you want to scan. You are charged based on this quota.
Scan images: Configure the scan scope for your images. Run an immediate scan or set up a periodic scan schedule.
View and handle detected image risks: Review scan results and remediate risks using the provided fixing instructions.
Related topics
For server vulnerability management, see Vulnerability management.
For Elastic Compute Service (ECS) image scan results, see View image scan results.