Updated on 2025-07-08 GMT+08:00

Viewing and Handling CI/CD Image Scan Results

Scenarios

To perform CI/CD image security scans, access CI/CD first. For details, see Accessing CI/CD.

After CI/CD is accessed, HSS checks image security while a project is built in a Jenkins Pipeline and displays the scan results on the HSS console, helping you identify and eliminate image security risks in a timely manner.

HSS presents image security statistics in two views, the risk view and the image view, so that you can comprehensively understand, locate, and fix image risks.

  • Risk view: View all the scan results of a risk, for example, a system vulnerability, application vulnerability, malicious file, unsafe setting, sensitive information risk, or software compliance issue.
  • Image view: View the scan results of an image. The results include system vulnerabilities, application vulnerabilities, malicious files, software information, file information, unsafe baseline settings, sensitive information, software compliance, and base image information.

Viewing and Handling CI/CD Image Scan Results in the Risk View

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click the service list icon, and choose Security & Compliance > Host Security Service.
  3. In the navigation pane on the left, choose Risk Management > Container Images.
  4. On the Risk View tab page, click a risk sub-tab, and select CI/CD Images from the drop-down list. Check and handle scan results. For details, see Table 1.

    Image names are not displayed for some risks. You can export risk results to obtain these image names and image tags.

    Table 1 Image scan results

    Risk type: Vulnerability risks (system and application vulnerabilities)
    Description: Results of OS and application vulnerability scans. Click a vulnerability notice name to go to the vulnerability details page, where you can view the notice details, CVE details (system vulnerabilities only), suggestions, and affected images. Fix the vulnerability based on the suggestions.

    Risk type: Malicious Files
    Description: Results of malicious image file scans, including the file names, paths, file sizes, image types, affected images, and image tags. Locate and remove the malicious files accordingly.

Viewing and Handling CI/CD Image Scan Results in the Image View

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click the service list icon, and choose Security & Compliance > Host Security Service.
  3. In the navigation pane on the left, choose Risk Management > Container Images.
  4. Click the Image View tab.
  5. Click the CI/CD Images sub-tab. View CI/CD images.
  6. In the Operation column of an image, click View Results to go to the image details page.
  7. View and handle risk scan results. For details, see Table 2.

    Table 2 Image scan results

    Risk type: Vulnerability Reports
    Description: Results of OS and application vulnerability scans.

      • Basic vulnerability information

        Click a vulnerability name to go to its details page. View the vulnerability description, urgency, and affected images.

      • Solution
        • System vulnerabilities

          Upgrade the software affected by the vulnerability. Click the To upgrade the affected software link to go to the security notice details page, where you can view the affected components, CVE, and more information.

        • Application vulnerabilities

          Hover the cursor over the solution description of a vulnerability to view the solution. If a patch is required, open the patch installation guide link provided in the solution and install the patch accordingly.

    Risk type: Malicious Files
    Description: Scan results of malicious image files, including the file names, paths, and file sizes. Locate and remove the malicious files accordingly.

    Risk type: Software Information
    Description: Statistics on image software, including the software names, types, versions, and number of software vulnerabilities. Click the icon next to a software name to view its vulnerabilities, urgency, and solutions.

    Risk type: File Information
    Description: Statistics on image files, including their file names, paths, and sizes. Check and remove abnormal files accordingly.

    Risk type: Baseline Inspection
    Description: Results of image baseline checks, including the configuration check, password complexity policy check, and common weak password check. Handle the results according to the check type:

      • Unsafe settings

        View unsafe settings and suggestions.

        1. Click a baseline name to view its check items.
        2. In the Check Item column of a check item, click View Details to check the item description and suggestions.

      • Password complexity policies

        Fix unsafe settings in password complexity policies.

      • Common weak passwords

        The names and types of accounts using weak passwords are displayed. Log in to these accounts and set strong passwords for them.

        To let HSS also scan for user-defined weak passwords:
        1. Click Common Weak Password Detection, and then click Manage Weak Password.
        2. Configure the weak passwords and click OK.

    Risk type: Sensitive Information
    Description: Sensitive information found in the image, including risk levels, image paths, file paths, and the sensitive information itself. To exclude certain paths from the sensitive file scan, choose Exclude Path from Scan and add the paths.

      • Only Linux file paths can be specified.
      • Up to 20 paths are allowed. Put each path on a separate line.
      • Example: /usr/ or /lib/test.txt

    Risk type: Software Compliance
    Description: Non-compliant image software, including the software names, versions, paths, and image layers.

    Risk type: Base Images
    Description: Scan results of the base image used by a service image, including the image name, version, and image layer path.
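The Sensitive Information row above states three constraints for Exclude Path from Scan: Linux paths only, at most 20 entries, one path per line. The following script is an added example, not part of this documentation or of HSS: it checks a candidate exclusion list against those constraints before you paste it into the console, normalizes the surviving entries, and reports what it dropped and why. The sample input is constructed; the rejection of "/" and of ".." components is this script's own policy, added because an exclusion that covers every file silences the sensitive file scan entirely.

```python
import posixpath

# Limit stated in the HSS console documentation for "Exclude Path from Scan".
MAX_EXCLUDE_PATHS = 20


def validate_exclude_paths(text):
    """Check a block of exclusion paths (one per line) against the console rules.

    Returns (accepted, problems): accepted is the cleaned list of paths to paste
    into the console; problems is a list of (line_no, entry, reason) tuples for
    entries that were dropped. line_no 0 marks a problem with the list as a whole.
    """
    accepted = []
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no path
        # Only Linux file paths are accepted; catch Windows-style input early.
        if "\\" in entry or (len(entry) > 1 and entry[1] == ":"):
            problems.append((line_no, entry, "Windows-style path; only Linux paths are accepted"))
            continue
        if not entry.startswith("/"):
            problems.append((line_no, entry, "not an absolute Linux path"))
            continue
        if ".." in entry.split("/"):
            problems.append((line_no, entry, "parent-directory components (..) are not allowed"))
            continue
        normalized = posixpath.normpath(entry)
        if entry.endswith("/") and normalized != "/":
            normalized += "/"  # keep the trailing slash that marks a directory exclusion
        if normalized == "/":
            # Policy of this script (assumption, not an HSS rule): excluding the
            # root would exclude every file from the sensitive file scan.
            problems.append((line_no, entry, "excluding / would disable the sensitive file scan"))
            continue
        if normalized in accepted:
            problems.append((line_no, entry, "duplicate entry"))
            continue
        accepted.append(normalized)
    if len(accepted) > MAX_EXCLUDE_PATHS:
        problems.append((0, "", f"{len(accepted)} paths exceed the limit of {MAX_EXCLUDE_PATHS}"))
        accepted = accepted[:MAX_EXCLUDE_PATHS]
    return accepted, problems


# Constructed sample input: the two entries from the documentation's example,
# followed by entries that violate the rules.
SAMPLE_INPUT = """/usr/
/lib/test.txt
C:\\temp
/usr/
var/log
/lib/../lib/test.txt
/
"""

if __name__ == "__main__":
    ok, bad = validate_exclude_paths(SAMPLE_INPUT)
    print("Paths to paste into Exclude Path from Scan:")
    print("\n".join(ok))
    for line_no, entry, reason in bad:
        print(f"line {line_no}: {entry!r} dropped: {reason}")
```

Run it on the list you intend to configure; only the entries it prints under "Paths to paste" should go into the console, and every dropped entry should be reviewed rather than simply re-added, since a rejected path usually means the exclusion would not have matched what you expected.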

Related Operations

For details about how to add or modify the vulnerability blacklist, vulnerability whitelist, or image whitelist, see Editing the Blacklist or Whitelist.