Help Center/ Host Security Service/ User Guide/ Risk Management/ Container Image Security/ CI/CD Image Security Scan/ CI/CD Image Security Scan Overview
Updated on 2025-12-12 GMT+08:00
View PDF
Share

CI/CD Image Security Scan Overview

What Is CI/CD Image Security Scan?

CI/CD is short for continuous integration and continuous delivery/deployment.

  • Continuous Integration (CI) automatically and continuously integrates code into shared source code.
  • CD consists of continuous delivery and continuous deployment. After continuous integration, continuous delivery verifies the code through automated building and testing to ensure that container images can be delivered at any time. Continuous deployment automatically updates and releases the images to the production environment.

The CI/CD image security scan function of HSS can be integrated into the Jenkins and Huawei CloudCodeArts pipelines. It can implement security scan in the image build phase; identify system vulnerabilities, application vulnerabilities, unsafe settings, malicious files, sensitive files, and software compliance issues in images; and shift security left to the DevOps phase, helping you eliminate security risks as early as possible and preventing unsafe images from being deployed in the production environment.

CI/CD Image Security Scan Principles

You can use the CI/CD image security scan of HSS without synchronizing image assets to HSS. You simply need to integrate the image security scan plug-in in Jenkins and CodeArts Pipeline projects. When you build a project, the image security scan task is automatically triggered to check whether the project has image security risks. The scan result is displayed on the HSS console. You can handle security risks in images in time based on the scan results.

Figure 1 shows the phase where image security scan is configured in Jenkins or CodeArts Pipeline projects.

Figure 1 CI/CD image security scan

CI/CD Image Security Scan Items

Table 1 describes the CI/CD image security scan items checked by HSS.

Table 1 Image scan items

Scan Item

Description

Vulnerabilities

System and application vulnerabilities in images.

  • Only Linux images can be scanned. For details about the Linux distributions and versions that can be scanned, see OSs that Support Vulnerability Scan and Fix.
  • The following applications and middleware can be scanned: log4j, slf4j, Tomcat, apache, jetty, mysql, druid, commons, spring, shiro, struts, struts2, websocket, json, fastjson, xstream, maven, junit, activemq, libintl, ca-certificates-java, httpclient, httpcore, java, javac2, javaee, Apache2, adaptive_server_enterprise, DB2, http_server, Memcached, nginx, PostgreSQL, bootstrap, zookeeper, plexus-utils, and core.

Malicious Files

Malicious files in images.

Software Information

Software information in an image.

File Information

File information in an image.

Baseline Check
  • Unsafe configuration:
    • Images configurations of CentOS 7, Debian 10, EulerOS, and Ubuntu16
    • SSH configurations
  • Weak passwords of Linux (SSH) accounts
  • Password complexity: insecure password complexity policies in Linux

Sensitive Information

Files that contain sensitive information in images.

  • The paths that are not checked by default are as follows:
    • /usr/*
    • /lib/*
    • /lib32/*
    • /bin/*
    • /sbin/*
    • /var/lib/*
    • /var/log/*
    • AnyPath/node_modules/AnyPath/AnyName.md
    • AnyPath/node_modules/AnyPath/test/AnyPath
    • */service/iam/examples_test.go
    • AnyPath/grafana/public/build/AnyName.js
    NOTE:
    • AnyPath: indicates that the current path is a customized value and can be any path in the system.
    • AnyName: indicates that the file name in the current path is a customized value, which can be any name ended with .md or .js in the system.
    • On the View Report > Sensitive Information tab, click Configure Sensitive File Path to set the Linux file paths that do not need to be checked. A maximum of 20 paths can be added.
  • No checks are performed in the following scenarios:
    • The file size is greater than 20 MB.
    • The file type is binary, common process, or auto generation.

Software Compliance

Whether software and patch packages contain components that may cause security, compliance, or privacy issues.

Examples:

  • Third-party network sniffing and debugging tools: tcpdump, gdb, strace, readelf, and Nmap
  • Development or compilation tools: Dev-cpp, gcc, and mirror

Base Images

Check the basic image information used by the service image, including the basic image name, version, and image layer path.

A base image is the starting point for building other images. It is a minimal image that contains core OS files, runtimes, or basic tools. All service images are built by adding new layers to the base image. Common base images include Ubuntu, Alpine Linux, CentOS, Debian, and Fedora.

Unsafe Image Building Instructions

Check the risks in image building instructions. For example, the following instructions in Dockerfiles are regarded unsafe:

  • The COPY command contains more than two parameters, but does not end with a slash (/).
  • Run an application as the root user.
  • Use ADD instead of COPY.
  • Exposed port 22.

Scenario

  • Scanning a local image

    After an image is built, a security scan is performed on it. If the image has security risks, the pipeline can be blocked, so that it will not be pushed to the production image repository.

  • Scanning a remote image repository

    A remote image repository is a remote test repository pushed after an image is built. A security scan is performed on the image in the remote test repository. If no risks are found, the image can be pushed to the production image repository. If risks are found, the pipeline can be blocked.

Constraints

  • To scan repository images, enable pay-per-use container image scans. This feature does not depend on any HSS edition. For details, see Enabling Pay-per-use Container Image Scan.
  • CI/CD image scans are supported only for Jenkins and CodeArts pipelines.
    Jenkins configuration restrictions are as follows:
    • Hardware restrictions:
      • Jenkins compilation and building server: Linux server, x86 or Arm 64-bit
      • CPU: 1 or more cores
      • Memory: 2 GB or more
      • Disk space: 60 GB or higher
    • Technical restrictions:
      • Jenkins version: Jenkins 2.x
      • JDK version: JDK 17 or later
      • Docker version: Docker 18.09 or later
  • To perform a remote image scan, the image repository must support interaction through Docker Registry HTTP API v2.

CI/CD Image Security Scan Process

Figure 2 Usage process
Table 2 Usage process

Operation

Description

Integrating Image Security Scan in CI/CD.

Generate an image security scan command based on image information and add the command to the Jenkins or CodeArts pipeline.

Enabling Pay-per-use Container Image Scan

Enable pay-per-use scan for CI/CD images.

Viewing and Handling CI/CD Image Scan Results

View the CI/CD image security scan results. Check and eliminate security risks to prevent insecure images from entering the production environment.
Parent Topic: CI/CD Image Security Scan