Updated on 2024-11-15 GMT+08:00

Managing Local Images

You can manually scan local images for vulnerabilities and software information and obtain scan reports. This section describes how to perform security scans on local images and view scan reports.

Constraints

  • Only the local images of Docker and Containerd runtimes can be connected to the HSS console.
  • Security scans can be performed only on Linux images.
  • Only images whose storage driver is OverlayFS or OverlayFS2 can be scanned. Nodes using Device Mapper cannot be scanned.
  • Images whose names or versions are -- cannot be scanned.
  • HSS only has the permission to access the default scan directory /var/run. If Docker Root Dir is not /var/run/, HSS cannot scan images. You are advised to perform image scanning on the Containerd server.
  • To scan the image of the cce-pause/pause container, HSS needs to start the sh/bash process. If the cce-pause/pause container does not have the sh/bash process, the image scan task will fail.

    The cce-pause/pause container is a sandbox container. It has only one statically compiled process and does not have vulnerabilities. Therefore, if the image scan task fails, there is no impact.
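
The node-level constraints above can be checked on a server before it is connected to HSS. The following shell functions are an added example, not part of HSS or of the original page; the variable HSS_SCAN_DIR and the function names are hypothetical, and the mapping of OverlayFS/OverlayFS2 to the driver names overlay, overlay2 and overlayfs is an assumption.

```shell
#!/bin/sh
# Added example: check a node against the HSS local-image scan constraints.
# HSS_SCAN_DIR is a hypothetical variable name; its default is the scan
# directory stated on this page.
HSS_SCAN_DIR=${HSS_SCAN_DIR:-/var/run}

# check_node DRIVER ROOT_DIR OS_TYPE
# Prints one line per violated constraint; returns 0 if none, 1 otherwise.
check_node() {
    driver=$1; root=${2%/}; os=$3; rc=0
    # Assumption: OverlayFS/OverlayFS2 are reported as overlay/overlay2 by
    # Docker and as overlayfs when containerd snapshots are used.
    case $driver in
        overlay|overlay2|overlayfs) ;;
        *) echo "FAIL storage driver '$driver' is not OverlayFS/OverlayFS2"; rc=1 ;;
    esac
    if [ "$root" != "${HSS_SCAN_DIR%/}" ]; then
        echo "FAIL Docker Root Dir '$root' is not $HSS_SCAN_DIR"; rc=1
    fi
    if [ "$os" != "linux" ]; then
        echo "FAIL OS type '$os' is not linux"; rc=1
    fi
    return $rc
}

# check_image NAME VERSION
# Images whose name or version is "--" cannot be scanned.
check_image() {
    if [ "$1" = "--" ] || [ "$2" = "--" ]; then
        echo "FAIL image '$1:$2' has no usable name or version"
        return 1
    fi
    return 0
}

# check_local_docker: read the three values from the local Docker daemon
# and run the node checks on them.
check_local_docker() {
    check_node "$(docker info --format '{{.Driver}}')" \
               "$(docker info --format '{{.DockerRootDir}}')" \
               "$(docker info --format '{{.OSType}}')"
}
```

Source the file on a Docker node and run check_local_docker; a non-zero exit status means at least one constraint is not met.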

Viewing Local Images

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. In the navigation pane, choose Asset Management > Containers & Quota.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

  4. Click the Container Images tab and click Local image.

    You can view the name, version, type, and security risks of an image.

    • Viewing information about servers associated with an image

      Click the server name of an image. The associated server list page is displayed. You can view details about the servers associated with the image.

    • Viewing information about containers associated with an image

      Locate the row that contains the target image and click the number in the Associated Containers column. The Associated Containers page is displayed. You can view details about the containers associated with the image.

    • Viewing information about image components

      Locate the row that contains the target image and click the number in the Components column. The Components page is displayed. You can view details about image components.

    • Viewing image security risks

      You can view the number of risky images and click the value to go to the risk details page.

Scanning Local Images

You can choose all images, multiple images, or a single image and manually start a scan. The duration of a security scan depends on the size of the scanned image. Generally, scanning an image takes less than 3 minutes. After the scan is complete, click View Report to check the report.

The following security scan items are supported for local images:

  Scan Item             Description
  Vulnerability         Detects vulnerabilities in images.
  Installed software    Collects software information in an image.

  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane, choose Asset Management > Containers & Quota.
  3. Click the Container Images tab and click Local image.
  4. Perform a security scan on a single image or multiple images.

    • Single image security scan

      In the Operation column of the target image, click Scan to perform a security scan.

    • Batch image security scan

      Select all target images and click Scan above the image list to perform a security scan on multiple target images.

    • Full image security scan

      Click Scan All above the image list to perform a security scan for all images.

      A full scan takes a long time and cannot be interrupted after it starts. Exercise caution when performing this operation.

  5. In the displayed dialog box, click OK to start the scan job.

    After a full scan task is started, you can move the cursor over the gray Scan All button to view the scan progress.

  6. The image security scan is complete when the Scan Status changes to Completed and the Latest Scan Completed shows the latest task execution time.

Viewing Local Image Vulnerability Reports and Software Information

  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane, choose Asset Management > Containers & Quota.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

  3. Click the Container Images tab and click Local image.
  4. In the Operation column of the target image, click View Report. On the displayed page, view vulnerability reports and software information.

Exporting Local Image Vulnerability Reports

  1. Log in to the management console and go to the HSS page.
  2. In the navigation pane, choose Asset Management > Containers & Quota.
  3. Click the Container Images tab and click Local image.
  4. Click Export Vulnerability above the image list.

    If you want to export the vulnerability report of a specified image, select the image type in the search box and click Export Vulnerability.

  5. View the export status in the upper part of the container management page. After the export is successful, obtain the exported information from the default file download address on the local host.

    Do not close the browser page during the export. Otherwise, the export task will be interrupted.