Configure the scope and rules of image scans and perform image scans - Security Center

Security Center provides the container image scan feature. You can use the feature to check whether vulnerabilities, baseline risks, malicious samples, and sensitive files exist in your images. This ensures a secure runtime environment for your images. This topic describes how to scan images.

Prerequisites

The Enterprise, Advanced, or Ultimate edition of Security Center is purchased, or Security Center is upgraded to the Enterprise, Advanced, or Ultimate edition. The Container Image Scan parameter is set to an appropriate value. The value specifies the quota for the container image scan feature. For more information, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that are supported by each edition, see Functions and features.
A Container Registry Enterprise Edition instance is purchased or a third-party image repository is added to Security Center. For more information, see Create a Container Registry Enterprise Edition instance and Add image repositories to Security Center.

Background information

Vulnerabilities may exist in the basic system software, middleware, web applications, and databases that are in your images. The vulnerabilities include mining trojans and backdoor programs, which pose threats to your assets.

Security Center can scan images to detect image system vulnerabilities, image application vulnerabilities, image baseline risks, malicious samples in images, sensitive files in images, and risks in image build commands. For more information, see Items that can be detected.

Usage notes

Supported image repository: Security Center can scan image repositories that are created in a Container Registry Enterprise Edition instance and Harbor and Quay image repositories that are added to Security Center. For more information, see Create a Container Registry Enterprise Edition instance and Add image repositories to Security Center.
Scan scope: By default, Security Center uses all check items to scan all added image repositories. If you have specific business requirements, you can configure the scan scope. The scan scope configurations include image repositories, baseline check items, the vulnerability whitelist, the whitelist of sensitive file types, and the whitelist of at-risk files. For more information, see Step 1: Configure the image scan scope.
Scan method: Immediate and periodic image scans are supported. For more information, see Manually initiate an immediate image scan and Configure a periodic image scan.
The system scans images based on the scan scope settings regardless of the scan method that you use.
Resource consumption for image scan: Security Center identifies an image based on a unique digest value. If the digest value of an image does not change, the quota for the container image scan feature is deducted by one only for the first scan. If the digest value of an image changes and the image is rescanned, the scan on the image is deducted again from the quota specified by the Container Image Scan parameter. The quota decreases by one each time the digest value changes.
Before you scan images, make sure that you have a sufficient quota for the container image scan feature. For more information, see Enable container image scan.
Scan duration: To ensure the stability of image scan tasks, Security Center sets the maximum period for each image scan task to 4 hours. You cannot change the duration. After 4 hours, the task is automatically stopped regardless of whether unscanned image repositories still exist.
Note
Before you perform an image scan task, we recommend that you specify the required image repositories. If you specify a Harbor image repository, you can configure the Speed Limit parameter to improve the image scan efficiency. For more information, see the Manage image repositories section in this topic.

Step 1: Configure the image scan scope

The settings in this section take effect on immediate and periodic image scans.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
In the upper-right corner of the Image Security page, click Scan Settings.

In the Scan Settings panel, click the tabs to configure the image scan scope.

Configure the image scan settings

In the Scan Settings panel, click the Scan Configuration tab and configure the parameters.

Parameter	Description
Consumed Quota/Purchased Quota	The number of image scans that are performed and the total number of image scans that are allowed. If the number of image scans that are allowed is near exhaustion, you can click Scale Out to configure the Quantity field for the Container Image Scan parameter on the Order Upgrade page.
Scan cycle	The cycle at which you want to scan your images. This parameter takes effect only on periodic image scans.
Scan Scope	The scope of image repositories that you want to scan. To select the scope, perform the following steps: Click Manage to the right of Scan Scope. In the Image Management dialog box, select the image repository that you want to scan. By default, Automatically Adds New Image Repositories for Scan is turned on in the upper-right corner of the image repository list in this dialog box. This indicates that the system automatically adds new image repositories to the scan scope for periodic image scans. You can click the icon to turn off the switch. Click OK.
Scan Time Range	The time range for the images that you want to scan. Important The last update time of an image is used to evaluate whether the image meets the specified time range condition. If an image is not updated, the creation time of the image is used to evaluate whether the image meets the specified time range condition. If you set this parameter to Last 7 days, Security Center scans the images that are updated within the last seven days. The images that are updated seven days ago or earlier are not scanned.
Vulnerability retention duration	The retention period for image vulnerabilities that are detected by periodic image scans. Security Center automatically deletes detected vulnerabilities after the specified retention period ends.

Manage image repositories

You can click the Image Repository tab to view the list of image repositories that can be scanned. The list displays image repositories that are created in Container Registry Enterprise Edition instances and are of the acr type, and third-party image repositories that are added to Security Center. The third-party image repositories are of the harbor and quay types.

Note

Security Center automatically adds Container Registry Enterprise Edition instances within the current Alibaba Cloud account to the image repository list. You cannot remove the Container Registry Enterprise Edition instances from the image repository list.
You can click Task Management in the upper-right corner of the Image Security page. Then, view the progress and details of asset synchronization on the Container Asset Synchronization and Synchronize Image Asset tabs.

If the third-party image repositories that you want to scan are not displayed on the Image Repository tab, click Add Image Repository to go to the Add Image Repository panel and add your third-party image repositories to Security Center. For more information, see Add image repositories to Security Center.
If a third-party image repository that you do not want to scan is displayed on the Image Repository tab, click Remove in the Actions column of the image repository. In the message that appears, click OK to remove the image repository.
Note
The default image repositories that are displayed on the Image Repository tab cannot be deleted. The types of the default image repositories are acr and defaultAcr.
If you want to scan an image repository of the harbor type, you can specify the speed for image scans. To specify the speed for image scans, click Edit in the Actions column of the image repository. In the panel that appears, configure the Speed Limit parameter to improve the image scan efficiency. The Speed Limit parameter indicates the number of images that can be scanned within 1 hour. The default value is 10.
If you retain the default value and the image repository of the harbor type contains 200 images, the image scan task requires 20 hours to complete. However, the maximum period for each image scan task is 4 hours. This means that not all images in the image repository are scanned. If you set the Speed Limit parameter to 200, the scan task requires 1 hour to complete. You can configure the Speed Limit parameter based on your business requirements and network conditions.

Configure baseline checks for images

After you configure the settings to scan for image vulnerabilities, you can also configure the baseline checks of the images.

In the Scan Settings panel, click the Baseline Configuration Management tab.
Click Manage to the right of Configuration Scope.
In the Baseline Check Scope panel, select the required check items and click OK.
Important
The Access Key plaintext storage and Password leakage check items in the Baseline Check Scope panel are equivalent to the AccessKey Leak Detection and Password Leak Detection parameters on the Baseline Configuration Management tab. If you select Access Key plaintext storage and Password leakage in the Baseline Check Scope panel, the switches for the AccessKey Leak Detection and Password Leak Detection parameters on the Baseline Configuration Management tab are automatically turned on. No manual operation is required. You can also turn on or turn off the switches to enable or disable the baseline checks.

After you click Immediate Scan or when a periodic scan task that you configured starts, Security Center scans your images and checks the baseline configurations of your images based on the preceding configurations.

Immediately run a container runtime image scan

The container runtime image scan feature allows you to identify security risks during container runtime.

Important

The feature supports only manual scan tasks.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
In the upper-right corner of the Image Security page, click Scan Settings.
In the Scan Settings panel, click the Configurations of Container Runtime Scan tab.
Click Configure Scan Scope. In the dialog box that appears, select the required cluster and the name of the application that you want to scan, and click OK.
Click Immediate Scan.

After you click Immediate Scan, you can click Task Management in the upper-right corner of the Image Security page. In the Task Management panel, click the Container Runtime Image Scan tab to view the scan progress. After the scan is complete, you can view the detected vulnerabilities on the Image Vulnerability tab of the Image Security page.

Configure sensitive file scans for images

The sensitive file scan feature allows you to detect sensitive data in common sensitive files and custom image files. The feature supports various types of common sensitive files, including application configurations that contain sensitive information, general private keys of certificates, credentials for application authentication or logons, and credentials for cloud server providers. You can handle the sensitive data that is detected at the earliest opportunity to improve the security of the image runtime environment.

Important

Only static image scan is supported. Runtime sensitive file scans are not supported.

In the Scan Settings panel, click the Sensitive File Scan Settings tab.
Click Manage to the right of Configuration Scope.
In the Sensitive File Scan Settings panel, select the required check items.
Turn on or turn off Enable Sensitive File Detection.
If you turn on Enable Sensitive File Detection, a sensitive file scan task immediately starts after you click Immediate Scan or when a periodic scan task that you configured starts.

Configure the whitelist of at-risk files

If you do not want the system to scan an image file, an image build command, or an image sample, you can add the alert types that correspond to sensitive information, image build risks, or malicious image samples to the whitelist. This way, the system does not detect risks that can trigger alerts in the whitelist.

Note

The Configure Whitelist for At-risk Files tab displays the types of alerts and image repositories that are added to the whitelist and are displayed on the Malicious Image Sample, Sensitive Image File, and Image Build Command Risks tabs on the Image Security page. For more information, see Handle detected image risks.
The first time you use the container image scan feature, you cannot configure the whitelist of at-risk files.

In the Scan Settings panel, click the Configure Whitelist for At-risk Files tab.
Manage the whitelist of at-risk files.
- Modify a whitelist rule: On the Sensitive File, Container Build, or Malicious Sample tab, find an alert type, click Edit in the Actions column, and then select All Image Repositories or Current Image Repository Only as the whitelist scope.
- Delete a whitelist rule: On the Sensitive File, Container Build, or Malicious Sample tab, find an alert type and click Delete in the Actions column to remove the alert type from the whitelist. Then, Security Center can detect risks that trigger the alert.

Configure image risk fixing

Security Center supports automatic fixing of system vulnerabilities for image repositories that are created in a Container Registry Enterprise Edition instance. You can enable automatic fixing, and configure the fixing cycle and image repositories whose vulnerabilities you want to fix.

In the Scan Settings panel, click the Image Risk Fixing Configuration tab.
Turn on or turn off Fixing Configuration to enable or disable automatic fixing.
If you turn on Fixing Configuration, you can configure the Fixing Period, Fixing Scope, and Time Range parameters. The Fixing Scope parameter specifies the image repositories in a Container Registry Enterprise Edition instance whose vulnerabilities you want to fix. The vulnerabilities of the images that are updated within the period of time specified by the Time Range parameter are fixed.
Important
The last update time of an image is used to evaluate whether the image meets the specified time range condition. If an image is not updated, the creation time of the image is used. If you set the Time Range parameter to 7 days, Security Center fixes vulnerabilities for the images that are updated within the last seven days. Security Center does not fix vulnerabilities for the images that are updated seven days ago or earlier.
After you click Immediate Scan or when a periodic scan task that you configure starts, Security Center detects and fixes system vulnerabilities on your images based on the fixing cycle that you specify.
You can click Task Management in the upper-right corner of the Image Security page. In the Task Management panel, view the fixing progress of system vulnerabilities on the Image Risk Fixing tab.

Configure the vulnerability whitelist

If you do not want to scan for an image vulnerability, you can add the vulnerability to the vulnerability whitelist. Security Center does not detect the vulnerabilities in the vulnerability whitelist.

In the Scan Settings panel, click the Vulnerability Whitelist Settings tab.
Manage the vulnerability whitelist.
- Create a vulnerability whitelist rule: Click Create Rule. In the Create Rule panel, configure a whitelist rule based on a specified vulnerability type.
- Modify a vulnerability whitelist rule: Find the required whitelist rule and click Edit in the Actions column. In the Edit panel, modify the Rule scope, Select Image, and Note parameters.
- Delete a vulnerability whitelist rule: Find the required whitelist rule and click Delete in the Actions column. Then, Security Center detects the vulnerability that is removed from the whitelist and generates alerts for the vulnerability.

Click the icon in the upper-right corner of the Scan Settings panel to close the panel.

Step 2: Start an image scan

After you configure the image scan scope, immediate image scans and periodic image scans are performed based on the configurations in the Scan Settings panel.

Manually initiate an immediate image scan

To immediately scan images, perform the following operations:

Note

If you click Immediate Scan, all image repositories that are added to Security Center are automatically scanned. You can configure the scan scope in the Scan Settings panel and initiate an immediate scan. The configurations of the scan scope include the image repositories that you want to scan, settings of container runtime image scan, and settings of the vulnerability whitelist. For more information, see the Step 1: Configure the scan scope section in this topic.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
On the Image Security page, click Immediate Scan.
By default, all types of images are selected in the Quick Scan dialog box. You can clear the types of images that you do not want to scan and click OK.
The following types are supported:
- acr: If you select this type, Security Center checks whether risks exist in the Container Registry Enterprise Edition instances that you created in the Container Registry console.
- harbor and quay: If you select the harbor and quay types, Security Center checks whether risks exist in the third-party image repositories that are added to Security Center.
- container runtime: If you select this type, Security Center immediately runs a container runtime image scan based on your settings.
You can also click Configure Scan Scope. In the Scan Settings panel, configure the image scope and repeat the preceding steps to go to the Quick Scan dialog box. For more information, see the Step 1: Configure the image scan scope section in this topic.

Approximately 1 minute is required to generate the image scan result. You can refresh the page after 1 minute and view the scan result on the tabs of the Image Security page.

Configure a periodic image scan

By default, Security Center automatically scans your container assets for image vulnerabilities and malicious samples based on the scan cycle that you specify in the Scan Settings panel. To modify the scan cycle for image vulnerabilities, perform the following operations:

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
In the upper-right corner of the Image Security page, click Scan Settings.
In the Scan Settings panel, click the Scan Configuration tab, modify the Scan Cycle parameter, and then close the panel.

Then, Security Center scans your images for image vulnerabilities based on the scan cycle that you specify. For more information, see the Step 1: Configure the image scan scope section in this topic.

Step 3: View the progress and status of an image scan task

In the upper-right corner of the Image Security page, click Task Management.
In the Task Management panel, click the Image Scan tab.
In the task list, find the required task and view its progress and status, and click Details in the Actions column to view the execution logs of the task.
The logs record information about the image on which the task failed and the cause of the failure.

What to do next

After Security Center scans your images, you can view the image scan results. For more information, see View and handle detected image risks.