Local Image Security Scan Overview

What Is a Local Image Security Scan?

Local images are stored or running on your container hosts. If they come from user-built repositories without security assurance, or be uploaded by developers without strict security review, they may have vulnerabilities or other risks that harm the production environment.

Local image security scan scans local images to detect security risks such as system vulnerabilities and application vulnerabilities and provides rectification suggestions, helping users reduce risks caused by non-compliant or invalid images.

Local Image Security Scan Principles

HSS embeds scan tools in images to access and parse their file systems, and to perform comprehensive security checks on files and directories. After the check is complete, all check results are summarized and reported to the management console.

Local Image Security Scan Items

The image security scan items are listed in Table 1.

**Table 1** Local image security scan items
Scan Item	Description
Vulnerabilities	System and application vulnerabilities in images. System vulnerability scan supports the following OSs: EulerOS 2.2, 2.3, 2.5, 2.8, 2.9, 2.10, 2.11, 2.12 (64-bit) CentOS 7.4, 7.5, 7.6, 7.7, 7.8 and 7.9 (64-bit) Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04 (64-bit) Debian 9, 10, and 11 (64-bit) Kylin V10, V10 SP1, V10 SP2, and V10 SP3 (64-bit) HCE 1.1 and 2.0 (64-bit) SLES 12 SP5, 15 SP1, and 15 SP2 (64-bit) UnionTech OS V20 server E, V20 server D, 1050u2e, 1050e, 1060e, 1070e (64-bit) Rocky Linux 8.4, 8.5, 8.6, 8.10, 9.0, 9.1, 9.2, 9.4, and 9.5 (64-bit) openEuler 20.03 LTS, 20.03 LTS SP1, 20.03 LTS SP2, 20.03 LTS SP3, 20.03 LTS SP4 openEuler 22.03 LTS, 22.03 LTS SP1, 22.03 LTS SP2, 22.03 LTS SP3, 22.03 LTS SP4 openEuler 24.03 LTS CTyunOS 3-23.01 (64-bit) AlmaLinux 8.4 (64-bit) Application vulnerability scan supports the following applications: Apache, Nginx, Tomcat, Kibana, mongo-express, yapi-cli, easy-mock, nodebb, kafka, rocketmq, Webasyst, KYPHP, CodeIgniter, InitPHP, SpeedPHP, ThinkPHP, OneThink, MySQL, Redis, Oracle, MongoDB, Memcache, PostgreSQL, DB2, Sybase, sshd and vsftpd.
Software Information	Software information in an image.

Scenarios

You can scan images in the production environment when your company or organizations deploy containerized applications.

Constraints

Edition requirement: Only the HSS container edition supports local image security scan. You can scan images for an unlimited number of times. For details about how to purchase and upgrade an HSS edition, see Purchasing an HSS Quota and Upgrading Protection Quotas.
Supported runtime: Only local Linux images in Docker and Containerd can be scanned.
Storage drive requirements:
- Docker: Only the image storage nodes using overlay and overlay2 can be scanned.
- Containerd: Only the image storage nodes using OverlayFS can be scanned.
Image storage path constraints:
- Containerd: All local file system paths can be scanned.
- Docker: By default, only the /var/lib directory is scanned. If the Docker root directory is not under this path, HSS cannot scan images. You are advised to perform image scans on Containerd servers.
Name constraints: The images or versions whose names contain -- cannot be scanned.
To scan the cce-pause/pause image, HSS needs to start the sh/bash process. If the cce-pause/pause container does not have this process, the image scan task will fail. The cce-pause/pause container is a sandbox container. It has only one static compilation process and no vulnerabilities. Therefore, an image scan task failure does not affect services.

Local Image Security Scan Process

Figure 1 Usage process
Click to enlarge

**Table 2** Process description
Operation	Description
Scanning Local Images	After the HSS agent is installed on a cluster node, the agent immediately starts synchronizing local image information to the HSS console. The information is updated every 24 hours. After the local image information is displayed, you can manually scan the images.
Viewing and Handling Local Image Scan Results	View the local image scan results, and fix insecure images and risks, so that they will not harm the production environment.