All Products
Search

This Product

    Security Center:Overview

    Document Center

    Security Center:Overview

    Last Updated:Nov 14, 2024

    The container image scan feature can manage container images and detect security risks in a comprehensive manner. The risks include high-risk system vulnerabilities, application vulnerabilities, malicious samples, configuration risks, and sensitive data in images. The feature also supports quick fixing of detected image system vulnerabilities. You can use the feature to manage and ensure image security to protect related systems and data.

    Limits

    Container image scan is a value-added feature of Security Center and must be separately purchased. Only users of the Advanced, Enterprise, Ultimate, and Value-added Plan editions can purchase container image scan.

    Supported regions

    Only the Container Registry instances in the following regions support the container image scan feature.

    Area

    Supported region

    China

    • China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), and China (Ulanqab)

    • China (Shenzhen), China (Heyuan), and China (Guangzhou)

    • China (Hangzhou) and China (Shanghai)

    • China (Chengdu)

    • China (Hong Kong)

    • China East 2 Finance, China South 1 Finance, China North 2 Finance, and China North 2 Ali Gov 1

    Outside China

    • Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok)

    • Germany (Frankfurt), UK (London), US (Virginia), and US (Silicon Valley)

    Items that can be detected

    Item

    Description

    Suggestion

    Image system vulnerability

    The container image scan feature can detect vulnerabilities that may affect the security of the container environment, such as operating system vulnerabilities and third-party software vulnerabilities in images.

    We recommend that you fix image system vulnerabilities at the earliest opportunity based on the fixing commands and impact descriptions that are provided by Security Center.

    Image application vulnerability

    The container image scan feature can detect application vulnerabilities in images. The vulnerabilities can cause security issues such as unauthorized access, code injection, and denial-of-service (DoS) attacks.

    We recommend that you fix image application vulnerabilities at the earliest opportunity based on the fixing commands and impact descriptions provided by Security Center.

    Image baseline risk

    The container image scan feature can check whether images conform to security configuration specifications and best practices.

    We recommend that you handle image baseline risks at the earliest opportunity based on the baseline check details that are provided by Security Center.

    Malicious image sample

    The container image scan feature can detect malicious files, malicious code, and malicious behavior in images and during container runtime.

    We recommend that you handle malicious file samples at the earliest opportunity based on the information provided by Security Center. The information includes paths to malicious files.

    Sensitive image file

    The container image scan feature can detect common sensitive files, which include but are not limited to the following items:

    • Application configurations that contain sensitive information

    • General certificate keys

    • Application identity or logon credentials

    • Credentials for cloud server providers

    We recommend that you estimate risks based on the suggestions provided by Security Center, remove sensitive information at the earliest opportunity, and then recreate images.

    Image build command risks

    The container image scan feature can detect image build command risks, which include but are not limited to the following items:

    • Deprecated MAINTAINER command

    • User not specified when you create an image by using the USER command

    • Running of applications by using the root user

    • ADD

    • Including sensitive data in ENV variables when you create an image

    • Disabling certificate verification by configuring the NODE_TLS_REJECT_UNAUTHORIZED environment variable

    • apt used with the RUN command for Docker files

    We recommend that you handle the image build command risks based on the risk description provided by Security Center and then recreate images.

    Important

    The container image scan feature supports quick fixing of image system vulnerabilities. To handle other image risks, manually fix the risks based on the suggestions included in the risk details. For more information, see Handle detected image risks.

    Supported operating systems and versions

    Operating system

    Operating system version that supports risk detection

    Operating system version that supports risk fixing

    Red Hat

    • Red Hat 5

    • Red Hat 6

    • Red Hat 7

    None

    CentOS

    • CentOS 5

    • CentOS 6

    • CentOS 7

    • CentOS 7

    • CentOS 8

    Ubuntu

    • Ubuntu 12.04

    • Ubuntu 14.04

    • Ubuntu 16.04

    • Ubuntu 18.04

    • Ubuntu 18.10

    • Ubuntu 14

    • Ubuntu 16

    • Ubuntu 18

    Debian

    • Debian 6

    • Debian 7

    • Debian 8

    • Debian 9

    • Debian 10

    • Debian 9

    • Debian 10

    Alpine

    • Alpine 2.3

    • Alpine 2.4

    • Alpine 2.5

    • Alpine 2.6

    • Alpine 2.7

    • Alpine 3.1

    • Alpine 3.2

    • Alpine 3.3

    • Alpine 3.4

    • Alpine 3.5

    • Alpine 3.6

    • Alpine 3.7

    • Alpine 3.8

    • Alpine 3.9

    • Alpine 3.10

    • Alpine 3.11

    • Alpine 3.12

    Alpine 3.9

    Amazon Linux

    • Amazon Linux 2

    • Amazon Linux AMI

    None

    Oracle Linux

    • Oracle Linux 5

    • Oracle Linux 6

    • Oracle Linux 7

    • Oracle Linux 8

    None

    SUSE Linux Enterprise Server

    • SUSE Linux Enterprise Server 5

    • SUSE Linux Enterprise Server 6

    • SUSE Linux Enterprise Server 7

    • SUSE Linux Enterprise Server 8

    • SUSE Linux Enterprise Server 9

    • SUSE Linux Enterprise Server 10

    • SUSE Linux Enterprise Server 10 SP4

    • SUSE Linux Enterprise Server 11 SP3

    • SUSE Linux Enterprise Server 12 SP2

    • SUSE Linux Enterprise Server 12 SP5

    None

    Fedora Linux

    • Fedora Linux 2X

    • Fedora Linux 3X

    None

    openSUSE

    • openSUSE 10.0

    • openSUSE Leap 15.2

    • openSUSE Leap 42.3

    None

    Use process

    1. Enable container image scan: If you purchase the container image scan feature, you are charged based on the quota specified by Container Image Scan. You must enable the feature and set Container Image Scan to an appropriate value.

    2. Scan images: Configure the image scan scope based on your business requirements. You can manually initiate an immediate image scan or configure a periodic image scan.

    3. View and handle detected image risks: View the image scan results and handle the risks based on the fixing instructions.

    References