Repository Image Security Scan Overview

What Is a Repository Image Security Scan?

The images stored in container image repositories (such as Harbor and SWR) can be shared within or between organizations.

Automatic scans on repository images help you identify and fix vulnerabilities, malware, and other security risks, so that insecure images will not be used in the production environment.

Repository Image Security Scan Principles

HSS can scan images in SWR and third-party repositories.

SWR image security scan
HSS uses an image scan component to obtain the basic image information and image configuration file (such as the manifest file), and to identify image layers. The layers are downloaded to the HSS cluster and decompressed one by one for scan.
Third-party repository image security scan
To connect a third-party image repository to HSS for scan, provide the repository information and login credentials, upload the image scan component to the repository, and create a scan task in the repository cluster. HSS obtains the basic image information and configuration file (such as the manifest file) based on the information you provided, and identifies image layers. The layers are downloaded to the repository cluster and decompressed one by one for scan.

Repository Image Security Scan Items

The image security scan items are listed in Table 1.

**Table 1** Image scan items
Scan Item	Description
Vulnerabilities	System and application vulnerabilities in images. The following OSs can be scanned: EulerOS 2.2, 2.3, 2.5, 2.8, 2.9, 2.10, 2.11, 2.12 (64-bit) CentOS 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8, 8.1, 8.2 (64-bit) Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04 (64-bit) Debian 9, 10, 11, 12 (64-bit) Kylin V10, V10 SP1, V10 SP2, and V10 SP3 (64-bit) HCE 1.1 and 2.0 (64-bit) SLES 12 SP5, 15 SP1, and 15 SP2 (64-bit) UnionTech OS V20 server E, V20 server D, 1050u2e, 1050e, 1060e, 1070e (64-bit) Rocky Linux 8.4, 8.5, 8.6, 8.10, 9.0, 9.1, 9.2, 9.4, 9.5 (64-bit) openEuler 20.03 LTS, 20.03 LTS SP1, 20.03 LTS SP2, 20.03 LTS SP3, 20.03 LTS SP4 openEuler 22.03 LTS, 22.03 LTS SP1, 22.03 LTS SP2, 22.03 LTS SP3, 22.03 LTS SP4 openEuler 24.03 LTS CTyunOS 3-23.01 (64-bit) AlmaLinux 8.4 (64-bit) Oracle Enterprise Linux 7, 8, 9 (64-bit) Red Hat Enterprise Linux 7, 8, 9 (64-bit) The following applications and middleware can be scanned: log4j, slf4j, Tomcat, apache, jetty, mysql, druid, commons, spring, shiro, struts, struts2, websocket, json, fastjson, xstream, maven, junit, activemq, libintl, ca-certificates-java, httpclient, httpcore, java, javac2, javaee, Apache2, adaptive_server_enterprise, DB2, http_server, Memcached, nginx, PostgreSQL, bootstrap, zookeeper, plexus-utils, and core.
Malicious Files	Malicious files in images.
Software Information	Software information in an image.
File Information	File information in an image.
Baseline Check	Unsafe configuration: Images configurations of CentOS 7, Debian 10, EulerOS, and Ubuntu16 SSH configurations Weak passwords of Linux (SSH) accounts Password complexity: insecure password complexity policies in Linux
Sensitive Information	Files that contain sensitive information in images. The paths that are not checked by default are as follows: /usr/* /lib/* /lib32/* /bin/* /sbin/* /var/lib/* /var/log/* AnyPath/node_modules/AnyPath/AnyName.md AnyPath/node_modules/AnyPath/test/AnyPath /service/iam/examples_test.go AnyPath/grafana/public/build/AnyName.js NOTE: AnyPath: indicates that the current path is a customized value and can be any path in the system. AnyName: indicates that the file name in the current path is a customized value, which can be any name ended with .md or .js in the system. On the View Report* > Sensitive Information tab, click Configure Sensitive File Path to set the Linux paths of the file that do not need to be checked. A maximum of 20 paths can be added. No checks are performed in the following scenarios: The file size is greater than 20 MB. The file type is binary, common process, or auto generation.
Software Compliance	Whether software and patch packages contain components that may cause security, compliance, or privacy issues. Examples: Third-party network sniffing and debugging tools: tcpdump, gdb, strace, readelf, and Nmap Development or compilation tools: Dev-cpp, gcc, and mirror
Base Images	Check the basic image information used by the service image, including the basic image name, version, and image layer path. A base image is the starting point for building other images. It is a minimal image that contains core OS files, runtimes, or basic tools. All service images are built by adding new layers to the base image. Common base images include Ubuntu, Alpine Linux, CentOS, Debian, and Fedora.
Unsafe Image Building Instructions	Check the risks in image building instructions. For example, the following instructions in Dockerfiles are regarded unsafe: The COPY command contains more than two parameters, but does not end with a slash (/). Run an application as the root user. Use ADD instead of COPY. Exposed port 22.

Scenarios

Scan images across clouds.
In multi-cloud scenarios, security tools or solutions may vary depending on cloud platforms, making it difficult to enhance security in a unified manner. Our scans can check repository images both inside and outside the cloud. You can perform scans and apply unified security policies across clouds, reducing O&M costs.
Prevent unsafe images from entering the production environment.
Before images are deployed in the production environment, scan for and fix vulnerabilities and malicious files to ensure image security upon deployment.

Constraints

To scan repository images, enable pay-per-use container image scans. This feature does not depend on any HSS edition. For details, see Enabling Pay-per-use Container Image Scan.
Only Linux images can be scanned.
Prerequisites for scanning a third-party image repository:
1. The repository cluster (cluster where the repository is deployed) has been connected to HSS and is in the Running state. For details, see Overview of Agent Installation in a Cluster.
  You can connect to the following third-party cloud cluster service providers: Alibaba Cloud, Tencent Cloud, AWS, Microsoft Azure, user-built clouds, and user-built IDCs.
2. The third-party image repository has been connected to HSS. For details, see Connecting to a Third-party Image Repository.
  Harbor and JFrog image repositories are supported.

Repository Image Security Scan Process

Figure 1 Usage process
Click to enlarge

**Table 2** Process description
Operation	Description
Connecting to a Third-party Image Repository	You can connect Harbor and JFrog repositories to HSS to scan for and handle their image risks.
Enabling Pay-per-use Container Image Scan	Enable pay-per-use scan for repository images.
(Optional) Synchronizing Repository Images	If the image list of your repository is updated, you can synchronize the latest image list to HSS.
Scanning Repository Images	Perform a manual scan or configure a scheduled scan to identify risks in repository images.
Viewing and Handling Repository Image Scan Results	View the repository image security scan results. Check and eliminate security risks to prevent insecure images from entering the production environment.