Security Center: Overview

Last Updated: May 15, 2026

Container images can carry vulnerabilities, misconfigurations, malicious files, and exposed credentials that go undetected until production. Container image scan in Security Center detects these risks in Alibaba Cloud Container Registry (ACR) images before deployment and provides one-click fix commands for image system vulnerabilities.

Limitations

Container image scan is a billable add-on feature available only with the Advanced, Enterprise, Ultimate, and Value-added Plan editions. You are charged based on the scan quota you set, and the billing cycle is monthly. Each image is billed once per scan cycle, regardless of how many times it is scanned within that cycle.

When to use this feature

Use container image scan to identify security risks in container images stored in Alibaba Cloud Container Registry (ACR) before deploying them. Container image scan covers two categories of checks: image content (the files inside the image) and build instructions (the Dockerfile used to create the image). Understanding this distinction helps you interpret results and choose the right remediation path.

Scan scope

Image content checks

These checks scan the files and runtime environment inside the final built image.

| Risk type | What it detects | Quick fix supported |
| --- | --- | --- |
| Image system vulnerability | Operating system vulnerabilities and third-party software vulnerabilities | Yes — fix using the commands and impact descriptions provided by Security Center |
| Image application vulnerability | Application vulnerabilities that can lead to unauthorized access, code injection, and denial-of-service (DoS) attacks | No — fix manually using the commands and impact descriptions provided by Security Center |
| Image baseline risk | Misconfigurations where the image does not conform to security configuration specifications and best practices | No — fix manually based on the baseline check details provided by Security Center |
| Malicious image sample | Malicious files, malicious code, and malicious behavior in images and during container runtime | No — fix manually using the malicious file paths provided by Security Center |
| Sensitive image file | Application configurations with sensitive information, certificate keys, application identity or login credentials, and credentials for cloud server providers | No — review the Security Center suggestions, remove the sensitive information, and recreate the image |

Important

Quick fix is only available for image system vulnerabilities. For all other risk types, follow the manual remediation steps in the risk details. For more information, see Handle detected image risks.

Build instruction checks

These checks analyze the Dockerfile instructions used to build the image. Detected issues require you to update the Dockerfile and rebuild the image.

Security Center detects the following build instruction risks:

  • Deprecated MAINTAINER command

  • No user specified with the USER command (image runs as root by default)

  • Application running as the root user

  • Use of the ADD command

  • Sensitive data included in ENV variables

  • Certificate verification disabled via the NODE_TLS_REJECT_UNAUTHORIZED environment variable

  • apt used with the RUN command in Dockerfiles

To remediate these issues, update your Dockerfile based on the risk description provided by Security Center, then rebuild and push the image.

Supported regions

Container image scan works with ACR instances in the following regions.

| Area | Supported regions |
| --- | --- |
| China | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), and China (Ulanqab) |
| | China (Shenzhen), China (Heyuan), and China (Guangzhou) |
| | China (Hangzhou) and China (Shanghai) |
| | China (Chengdu) |
| | China (Hong Kong) |
| China (Finance) and China (Ali Gov) | China East 2 Finance, China South 1 Finance, China North 2 Finance, and China North 2 Ali Gov 1 |
| Outside China | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
| | Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley) |

Supported operating systems

The following table lists the operating systems supported for risk detection and risk fixing.

| Operating system | Versions: risk detection | Versions: risk fixing |
| --- | --- | --- |
| Red Hat | 5, 6, 7 | None |
| CentOS | 5, 6, 7 | 7, 8 |
| Ubuntu | 12.04, 14.04, 16.04, 18.04, 18.10 | 14, 16, 18 |
| Debian | 6, 7, 8, 9, 10 | 9, 10 |
| Alpine | 2.3, 2.4, 2.5, 2.6, 2.7, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12 | 3.9 |
| Amazon Linux | Amazon Linux 2, Amazon Linux AMI | None |
| Oracle Linux | 5, 6, 7, 8 | None |
| SUSE Linux Enterprise Server | 5, 6, 7, 8, 9, 10, 10 SP4, 11 SP3, 12 SP2, 12 SP5 | None |
| Fedora Linux | 2X, 3X | None |
| openSUSE | 10.0, Leap 15.2, Leap 42.3 | None |

Quick start

  1. Enable the feature: Purchase and enable the feature, then set the Container Image Scan quota based on the number of images you want to scan. You are charged based on this quota.

  2. Configure and run image security scans: Configure the scan scope for your images. Run an immediate scan or set up a periodic scan schedule.

  3. View and remediate image risks: Review scan results and remediate risks using the provided fixing instructions.