Container images can carry vulnerabilities, misconfigurations, malicious files, and exposed credentials that go undetected until production. Container image scan in Security Center detects these risks in Alibaba Cloud Container Registry (ACR) images before deployment and provides one-click fix commands for image system vulnerabilities.
Limitations
Container image scan is a billable add-on feature available only with the Advanced, Enterprise, Ultimate, and Value-added Plan editions. You are charged based on the scan quota you set, and the billing cycle is monthly. Each image is billed once per scan cycle, regardless of how many times it is scanned within that cycle.
When to use this feature
Use container image scan to identify security risks in container images stored in Alibaba Cloud Container Registry (ACR) before deploying them. Container image scan covers two categories of checks: image content (the files inside the image) and build instructions (the Dockerfile used to create the image). Understanding this distinction helps you interpret results and choose the right remediation path.
Scan scope
Image content checks
These checks scan the files and runtime environment inside the final built image.
Risk type | What it detects | Quick fix supported |
Image system vulnerability | Operating system vulnerabilities and third-party software vulnerabilities | Yes — fix using the commands and impact descriptions provided by Security Center |
Image application vulnerability | Application vulnerabilities that can lead to unauthorized access, code injection, and denial-of-service (DoS) attacks | No — fix manually using the commands and impact descriptions provided by Security Center |
Image baseline risk | Misconfigurations where the image does not conform to security configuration specifications and best practices | No — fix manually based on the baseline check details provided by Security Center |
Malicious image sample | Malicious files, malicious code, and malicious behavior in images and during container runtime | No — fix manually using the malicious file paths provided by Security Center |
Sensitive image file | Application configurations with sensitive information, certificate keys, application identity or login credentials, and credentials for cloud server providers | No — review the Security Center suggestions, remove the sensitive information, and recreate the image |
Quick fix is only available for image system vulnerabilities. For all other risk types, follow the manual remediation steps in the risk details. For more information, see Handle detected image risks.
Build instruction checks
These checks analyze the Dockerfile instructions used to build the image. Detected issues require you to update the Dockerfile and rebuild the image.
Security Center detects the following build instruction risks:
- Deprecated MAINTAINER command
- No user specified with the USER command (image runs as root by default)
- Application running as the root user
- Use of the ADD command
- Sensitive data included in ENV variables
- Certificate verification disabled via the NODE_TLS_REJECT_UNAUTHORIZED environment variable
- apt used with the RUN command in Dockerfiles
To remediate these issues, update your Dockerfile based on the risk description provided by Security Center, then rebuild and push the image.
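The following is an added example, not Security Center's own rule engine or code from this page: a small Dockerfile linter that flags each of the seven build instruction risks listed above, run over two constructed Dockerfiles, a weak one that trips the checks and a hardened one that passes. The credential name pattern (SENSITIVE_NAME) and the rule identifiers are assumptions made for illustration; Security Center's actual matching logic is not published here.

```python
import re

# Constructed sample (not from the page): a Dockerfile that trips every
# build-instruction check listed above except an explicit "USER root".
WEAK_DOCKERFILE = """\
FROM node:18
MAINTAINER ops@example.com
ENV NODE_TLS_REJECT_UNAUTHORIZED=0
ENV DB_PASSWORD=hunter2
RUN apt install -y curl
ADD app.tar.gz /app
CMD ["node", "/app/server.js"]
"""

# Constructed sample: the same image with each finding remediated.
HARDENED_DOCKERFILE = """\
FROM node:18
LABEL maintainer="ops@example.com"
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY app/ /app/
RUN useradd --system --no-create-home app
USER app
CMD ["node", "/app/server.js"]
"""

# Heuristic chosen for this example (an assumption, not Security Center's
# rule set): variable names that usually carry credentials.
SENSITIVE_NAME = re.compile(
    r"PASS|PASSWORD|SECRET|TOKEN|PRIVATE_KEY|ACCESS_KEY|CREDENTIAL", re.I
)


def parse_instructions(text):
    """Split a Dockerfile into (INSTRUCTION, arguments) pairs.

    Backslash line continuations are joined first so a multi-line RUN is
    inspected as one command; comments and blank lines are dropped.
    """
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    pairs = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def parse_env(args):
    """Return (name, value) pairs from either ENV form:
    'ENV K=v K2=v2' or the legacy 'ENV K v'."""
    first = args.split(None, 1)[0] if args else ""
    if "=" in first:
        found = re.findall(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S*)", args)
        return [(k, v.strip("\"'")) for k, v in found]
    name, _, value = args.partition(" ")
    return [(name, value.strip())]


def lint_dockerfile(text):
    """Return a list of (rule_id, message) findings, in instruction order."""
    findings = []
    user_set = False
    for instr, args in parse_instructions(text):
        if instr == "MAINTAINER":
            findings.append(("maintainer", "MAINTAINER is deprecated; use LABEL maintainer=..."))
        elif instr == "USER":
            user_set = True
            if args.split(":")[0] in ("root", "0"):
                findings.append(("root-user", "application runs as root; switch to an unprivileged USER"))
        elif instr == "ADD":
            findings.append(("add", "ADD fetches URLs and auto-extracts archives; use COPY unless that is intended"))
        elif instr == "ENV":
            for name, value in parse_env(args):
                if name == "NODE_TLS_REJECT_UNAUTHORIZED" and value == "0":
                    findings.append(("tls-verify-disabled", "NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate verification"))
                elif SENSITIVE_NAME.search(name):
                    findings.append(("sensitive-env", f"{name} looks like a credential baked into the image"))
        elif instr == "RUN":
            # 'apt' has no stable CLI for scripts; 'apt-get' does not match this pattern.
            if re.search(r"(?:^|[\s;&|(])apt\s", args):
                findings.append(("apt-in-run", "use apt-get (with update and cache cleanup) instead of apt in RUN"))
    if not user_set:
        findings.append(("no-user", "no USER instruction; the container runs as root by default"))
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        results = lint_dockerfile(dockerfile)
        print(f"{label}: {len(results)} finding(s)")
        for rule, msg in results:
            print(f"  [{rule}] {msg}")
```

Running the script reports six findings for the weak Dockerfile and none for the hardened one. The hardened version shows the remediation path for each risk: LABEL in place of MAINTAINER, COPY in place of ADD, apt-get with cache cleanup in place of apt, credentials and the TLS override removed from ENV, and a dedicated unprivileged USER. Such a pre-build check is a useful gate in CI before the image is pushed to ACR and scanned, but it does not replace the image content checks, which look at what actually ends up inside the built layers.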
Supported regions
Container image scan works with ACR instances in the following regions.
Area | Supported regions |
China | China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Hangzhou), China (Shanghai), China (Chengdu), and China (Hong Kong) |
China (Finance) and China (Ali Gov) | China East 2 Finance, China South 1 Finance, China North 2 Finance, and China North 2 Ali Gov 1 |
Outside China | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley) |
Supported operating systems
The following table lists the operating systems supported for risk detection and for quick fix (risk fixing). Detection coverage is broader than fixing coverage: an image built on a system listed under detection but not under fixing will still be scanned, but its system vulnerabilities must be remediated manually.
Operating system | Versions: risk detection | Versions: risk fixing |
Red Hat | 5, 6, 7 | None |
CentOS | 5, 6, 7 | 7, 8 |
Ubuntu | 12.04, 14.04, 16.04, 18.04, 18.10 | 14, 16, 18 |
Debian | 6, 7, 8, 9, 10 | 9, 10 |
Alpine | 2.3, 2.4, 2.5, 2.6, 2.7, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12 | 3.9 |
Amazon Linux | Amazon Linux 2, Amazon Linux AMI | None |
Oracle Linux | 5, 6, 7, 8 | None |
SUSE Linux Enterprise Server | 5, 6, 7, 8, 9, 10, 10 SP4, 11 SP3, 12 SP2, 12 SP5 | None |
Fedora Linux | 2X, 3X | None |
openSUSE | 10.0, Leap 15.2, Leap 42.3 | None |
Quick start
Enable the feature: Purchase and enable the feature, then set the Container Image Scan quota based on the number of images you want to scan. You are charged based on this quota.
Configure and run image security scans: Configure the scan scope for your images. Run an immediate scan or set up a periodic scan schedule.
View and remediate image risks: Review scan results and remediate risks using the provided fixing instructions.
What's next
For server vulnerability management, see Vulnerability management.
For Elastic Compute Service (ECS) image scan results, see View image scan results.