Help Center/ Host Security Service/ User Guide/ Risk Management/ Container Image Security/ Local Image Security Scan/ Local Image Security Scan Overview
Updated on 2025-09-17 GMT+08:00
View PDF
Share

Local Image Security Scan Overview

What Is a Local Image Security Scan?

Local images are stored or running on your container hosts. If they come from user-built repositories without security assurance, or be uploaded by developers without strict security review, they may have vulnerabilities or other risks that harm the production environment.

Local image security scan scans local images to detect security risks such as system vulnerabilities and application vulnerabilities and provides rectification suggestions, helping users reduce risks caused by non-compliant or invalid images.

Local Image Security Scan Principles

HSS embeds scan tools in images to access and parse their file systems, and to perform comprehensive security checks on files and directories. After the check is complete, all check results are summarized and reported to the management console.

Local Image Security Scan Items

The image security scan items are listed in Table 1.

Table 1 Local image security scan items

Scan Item

Description

Vulnerabilities

System and application vulnerabilities in images.

  • System vulnerability scan supports the following OSs:
    • EulerOS 2.2, 2.3, 2.5, 2.8, 2.9, 2.10, 2.11, 2.12 (64-bit)
    • CentOS 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8, 8.1, 8.2 (64-bit)
    • Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04 (64-bit)
    • Debian 9, 10, 11, 12 (64-bit)
    • Kylin V10, V10 SP1, V10 SP2, and V10 SP3 (64-bit)
    • HCE 1.1 and 2.0 (64-bit)
    • SLES 12 SP5, 15 SP1, and 15 SP2 (64-bit)
    • UnionTech OS V20 server E, V20 server D, 1050u2e, 1050e, 1060e, 1070e (64-bit)
    • Rocky Linux 8.4, 8.5, 8.6, 8.10, 9.0, 9.1, 9.2, 9.4, 9.5 (64-bit)
    • openEuler 20.03 LTS, 20.03 LTS SP1, 20.03 LTS SP2, 20.03 LTS SP3, 20.03 LTS SP4
    • openEuler 22.03 LTS, 22.03 LTS SP1, 22.03 LTS SP2, 22.03 LTS SP3, 22.03 LTS SP4
    • openEuler 24.03 LTS
    • CTyunOS 3-23.01 (64-bit)
    • AlmaLinux 8.4 (64-bit)
    • Oracle Enterprise Linux 7, 8, 9 (64-bit)
    • Red Hat Enterprise Linux 7, 8, 9 (64-bit)
  • Applications that can be scanned: Apache, Nginx, Tomcat, WebLogic, WebSphere, JBoss, WildFly, Jetty, Kibana, Mongo Express, Yapi-cli, Easy Mock, NodeBB, Kafka, RocketMQ, Webasyst, KYPHP, CodeIgniter, InitPHP, SpeedPHP, ThinkPHP, OneThink, Gin, Beego, Fasthttp, Iris, Echo, Django, Flask, Tornado, web.py, web2py, MySQL, Redis, Oracle, MongoDB, Memcached, PostgreSQL, HBase, DB2, Sybase, Dameng database management system, and KingbaseES database management system, SSHD, vsftpd, Jenkins, Zabbix, Discuz!, ThinkCMF, Struts, Struts2, Spring, Hibernate, WebWork, Quartz, Velocity, Turbine, Freemarker, Flexive, Stripes, Vaadin, Vert.x, Wicket, ZKoss, Jackson, FastJSON, Shiro, MyBatis, Jersey, JFinal, PHPMailer, PHPMyAdmin, DedeCMS, WordPress, BigTree, and JPress

Software information

Software information in an image.

Scenarios

You can scan images in the production environment when your company or organizations deploy containerized applications.

Constraints

  • Edition requirement: Only the HSS container edition supports local image security scan. You can scan images for an unlimited number of times. For details about how to purchase and upgrade an HSS edition, see Purchasing an HSS Quota and Upgrading Protection Quotas.
  • Runtime environments that can be scanned: Linux local images of Docker, containerd, Podman, CRI-O, and iSulad. For CRI-O only independent nodes are supported.
  • Storage drives: overlay, overlay2, devicemapper, zfs, and btrfs.
  • Restrictions on the image storage paths: If the storage drive is overlay, overlay2, devicemapper, or zfs, all local file system paths can be scanned. If the storage driver is btrfs, only the default root paths can be scanned, including /var/lib/docker, /var/run/containerd, /var/lib/containers, /var/lib/podman, and /var/lib/isulad.
  • Name constraints: The images or versions whose names contain -- cannot be scanned.
  • To scan the cce-pause/pause image, HSS needs to start the sh/bash process. If the cce-pause/pause container does not have this process, the image scan task will fail. The cce-pause/pause container is a sandbox container. It has only one static compilation process and no vulnerabilities. Therefore, an image scan task failure does not affect services.

Local Image Security Scan Process

Figure 1 Usage process
Table 2 Process description

Operation

Description

Scanning Local Images

After the HSS agent is installed on a cluster node, the agent immediately starts synchronizing local image information to the HSS console. The information is updated every 24 hours.

After the local image information is displayed, you can manually scan the images.

Viewing and Handling Local Image Scan Results

View the local image scan results, and fix insecure images and risks, so that they will not harm the production environment.
Parent Topic: Local Image Security Scan