Scanning Repository Images
Scenarios
Repository images can be scanned manually or periodically.
- Manual scan: Scan one or multiple images to learn their security status in real time.
- Scheduled scan: Configure a scheduled scan policy to periodically check for image risks. In this mode, only third-party repository images, such as Harbor and JFrog, can be scanned.
Prerequisites
- You have enabled the pay-per-use container image scan. You will be billed per image per scan. For details, see Enabling Pay-per-use Container Image Scan.
- You have connected your third-party image repositories (if any) to HSS. For details, see Connecting to a Third-party Image Repository.
Constraints
- SWR shared images can be scanned only if they are valid.
- Multi-architecture images do not support manual or scheduled scan.
Manually Scanning Repository Images
- Log in to the HSS console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane on the left, choose Risk Management > Container Images.
- In the upper right part of the page, click Scan.
To scan a single image, you can also click the Image View tab and then click Scan in the Operation column of the image.
- Click the Repository Images tab and configure parameters. For details, see Table 1.
Figure 1 Manually scanning repository images
Table 1 Manual scan parameters

| Parameter | Description | Example Value |
| --- | --- | --- |
| Risk Type | Select the risk types to be scanned for. Options are Vulnerability risk, Baseline, Malicious file, Sensitive information, and Software compliance. HSS scans for software information, file information, and base images by default. | All |
| Speed Limit for Third-party Image Repositories | If you have many third-party images to scan, but do not want the scan to occupy too much bandwidth, you can click the icon to set the number of images to be scanned per hour. | Unlimited |
| Image Scope | Select All, Specified types of image repositories, or Specific. A full scan takes a long time and cannot be stopped once started. Exercise caution when performing this operation. | All |

- Confirm the fees and click OK to start the scan.
- In the upper right corner of the page, click Manage Task. Click the Image Scan tab to view the scan status.
- After the image scan task is complete, return to Image View. You can view the scan status of each image. For details, see Table 2.
Table 2 Risk status

| Status | Description |
| --- | --- |
| Pending | The image is not scanned. |
| Scanning | The image is being scanned. |
| Succeeded | The image has been scanned. You can view the scan results. |
| Failed | An error or problem occurred during image scan. As a result, the scan failed. |
| To be scanned | A scan task has been created, and the image is waiting to be scanned. |
| Scan terminated | The scan task has been canceled, and the image scan has been stopped. |

Periodically Scanning Repository Images
- Log in to the HSS console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane on the left, choose Risk Management > Container Images.
- In the upper right part of the page, click Scheduled Scan Policy.
- Configure scheduled scan parameters, as shown in Scheduled scan policy. For details, see Table 3.
Table 3 Scheduled scan parameters

| Parameter | Description | Example Value |
| --- | --- | --- |
| Scheduled Scan Policy | Whether to enable scheduled scan. After this function is enabled, you can view and configure scheduled scan parameters. (icon): disabled; (icon): enabled | |
| Scheduled Scan Period | Click the icon to set the scan period. The scan time range is fixed to 00:00:00 - 07:00:00. | Every 3 days |
| Risk Type | Select the risk types to be scanned for. Options are Vulnerability risk, Baseline, Malicious file, Sensitive information, and Software compliance. HSS scans for software information, file information, and base images by default. | All |
| Speed Limit for Third-party Image Repositories | If you have many images to scan, but do not want the scan to occupy too much bandwidth, click the icon to set the number of images to be scanned per hour. | Unlimited |
| Image Update Time Range | Select a range of image update time. It determines which images will be scanned. For example, if Last 15 days is selected, HSS will only scan the images updated in the last 15 days. | Last 15 days |
| Image Repositories | Select image repositories. | Harbor repository image |

- Confirm the fees and click OK to start the scan.
- In the upper right corner of the page, click Manage Task. Click the Image Scan tab to view the scan status.
- After the image scan task is complete, return to Image View. You can view the scan status of each image. For details, see Table 4.
Table 4 Risk status

| Status | Description |
| --- | --- |
| Pending | The image is not scanned. |
| Scanning | The image is being scanned. |
| Succeeded | The image has been scanned. You can view the scan results. |
| Failed | An error or problem occurred during image scan. As a result, the scan failed. |
| To be scanned | A scan task has been created, and the image is waiting to be scanned. |
| Scan terminated | The scan task has been canceled, and the image scan has been stopped. |

Stopping a Scan Task
You can stop a running scan task.
Constraints
- HSS permission: batch image scan (hss:images:set) or container asset management (hss:containers:set). For details, see Using IAM to Grant Access to HSS.
- Namespace permission (Kubernetes RBAC): the permission for deleting job or cronjob resources in HSS namespaces
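A least-privilege way to grant the namespace permission listed above, as an added example that is not part of the HSS documentation. The namespace `<hss-namespace>` is a placeholder for the HSS namespace in your cluster, and the role name and the user `scan-operator` are hypothetical.

```yaml
# Added example (not from the HSS documentation).
# Grants only the delete verb on Job and CronJob resources, scoped to one
# namespace, which is the Kubernetes RBAC permission the constraint names.
# <hss-namespace> is a placeholder: substitute the HSS namespace of your cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hss-scan-task-canceller        # hypothetical name
  namespace: <hss-namespace>
rules:
  - apiGroups: ["batch"]               # Job and CronJob live in the batch API group
    resources: ["jobs", "cronjobs"]
    verbs: ["delete"]                  # nothing beyond what cancelling a scan requires
---
# Bind the Role to the operator who cancels scan tasks.
# A namespaced RoleBinding (not a ClusterRoleBinding) keeps the grant
# from applying to Jobs in any other namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: hss-scan-task-canceller
  namespace: <hss-namespace>
subjects:
  - kind: User
    name: scan-operator                # hypothetical user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: hss-scan-task-canceller
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifest, `kubectl auth can-i delete jobs.batch --as scan-operator -n <hss-namespace>` should answer `yes`, and the same query against any other namespace should answer `no`.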
Procedure
- In the upper right corner of the Container Images page, click Manage Task.
- Click the Image Scan tab.
- In the Operation column of a task, click Cancel Scan.
- If Cancelled is displayed in the Scan Status column of the task, the scan has been canceled.