Updated on 2025-09-08 GMT+08:00

Scanning Repository Images

Scenarios

Repository images can be scanned manually or periodically.

  • Manual scan: Scan one or multiple images to learn their security status in real time.
  • Scheduled scan: Configure a scheduled scan policy to periodically check for image risks. In this mode, only third-party repository images, such as Harbor and Jfrog, can be scanned.

Prerequisites

Constraints

  • SWR shared images can be scanned only if they are valid.
  • Multi-architecture images do not support manual or scheduled scan.

Manually Scanning Repository Images

  1. Log in to the HSS console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Risk Management > Container Images.
  4. In the upper right part of the page, click Scan.

    To scan a single image, you can also click the Image View tab, click Scan in the Operation column of the image.

  5. Click the Repository Images tab and configure parameters. For details, see Table 1.

    Figure 1 Manually scanning repository images
    Table 1 Manual scan parameters

    Parameter

    Description

    Example Value

    Risk Type

    Select the risk types to be scanned for. Options are Vulnerability risk, Baseline, Malicious file, Sensitive information, and Software compliance.

    HSS scans for software information, file information, and base images by default.

    All

    Speed Limit for Third-party Image Repositories

    If you have many third-party images to scan, but do not want the scan to occupy too much bandwidth, you can click to set the number of images to be scanned per hour.

    Unlimited

    Image Scope

    Select All, Specified types of image repositories, or Specific.

    A full scan takes a long time and cannot be stopped once started. Exercise caution when performing this operation.

    All

  6. Confirm the fees and click OK to start the scan.
  1. In the upper right corner of the page, click Manage Task Click the Image Scan tab to view the scan status.
  2. After the image scan task is complete, return to Image View. You can view the scan status of each image. For details, see Table 2.

    Table 2 Risk status

    Status

    Description

    Pending

    The image is not scanned.

    Scanning

    The image is being scanned.

    Succeeded

    The image has been scanned. You can view the scan results.

    Failed

    An error or problem occurred during image scan. As a result, the scan failed.

    To be scanned

    A scan task has been created, and the image is waiting to be scanned.

    Scan terminated

    The scan task has been canceled, and the image scan has been stopped.

Periodically Scanning Repository Images

  1. Log in to the HSS console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Risk Management > Container Images.
  4. In the upper right part of the page, click Scheduled Scan Policy.
  5. Configure scheduled scan parameters, as shown in Scheduled scan policy. For details, see Table 3.

    Figure 2 Scheduled scan policy
    Table 3 Scheduled scan parameters

    Parameter

    Description

    Example Value

    Scheduled Scan Policy

    Whether to enable scheduled scan. After this function is enabled, you can view and configure scheduled scan parameters.

    • : disabled
    • : enabled

    Scheduled Scan Period

    Click to set the scan period. The scan time range is fixed to 00:00:00 - 07:00:00.

    Every 3 days

    Risk Type

    Select the risk types to be scanned for. Options are Vulnerability risk, Baseline, Malicious file, Sensitive information, and Software compliance.

    HSS scans for software information, file information, and base images by default.

    All

    Speed Limit for Third-party Image Repositories

    If you have many images to scan, but do not want the scan to occupy too much bandwidth, click to set the number of images to be scanned per hour.

    Unlimited

    Image Update Time Range

    Select a range of image update time. It determines which images will be scanned.

    For example, if Last 15 days is selected, HSS will only scan the images updated in the last 15 days.

    Last 15 days

    Image Repositories

    Select image repositories.

    Harbor repository image

  6. Confirm the fees and click OK to start the scan.
  1. In the upper right corner of the page, click Manage Task Click the Image Scan tab to view the scan status.
  2. After the image scan task is complete, return to Image View. You can view the scan status of each image. For details, see Table 4.

    Table 4 Risk status

    Status

    Description

    Pending

    The image is not scanned.

    Scanning

    The image is being scanned.

    Succeeded

    The image has been scanned. You can view the scan results.

    Failed

    An error or problem occurred during image scan. As a result, the scan failed.

    To be scanned

    A scan task has been created, and the image is waiting to be scanned.

    Scan terminated

    The scan task has been canceled, and the image scan has been stopped.

Stopping a Scan Task

You can stop a running scan task.

Constraints

The following permissions are required for IAM users to stop a scan:
  • HSS permission: batch image scan (hss:images:set) or container asset management (hss:containers:set) For details, see Using IAM to Grant Access to HSS.
  • Namespace permission (Kubernetes RBAC): the permission for deleting job or cronjob resources in HSS namespaces

Procedure

  1. In the upper right corner of the Container Images page, click Manage Task.
  2. Click the Image Scan tab.
  3. In the Operation column of a task, click Cancel Scan.
  4. If Cancelled is displayed in the Scan Status column of the task, the scan has been canceled.