Local Image Security Scan Overview
What Is a Local Image Security Scan?
Local images are stored or running on your container hosts. If they come from user-built repositories without security assurance, or be uploaded by developers without strict security review, they may have vulnerabilities or other risks that harm the production environment.
Local image security scan scans local images to detect security risks such as system vulnerabilities and application vulnerabilities and provides rectification suggestions, helping users reduce risks caused by non-compliant or invalid images.
Local Image Security Scan Principles
HSS embeds scan tools in images to access and parse their file systems, and to perform comprehensive security checks on files and directories. After the check is complete, all check results are summarized and reported to the management console.
Local Image Security Scan Items
The image security scan items are listed in Table 1.
Scan Item |
Description |
---|---|
Vulnerabilities |
System and application vulnerabilities in images.
|
Software Information |
Software information in an image. |
Scenarios
You can scan images in the production environment when your company or organizations deploy containerized applications.
Constraints
- Edition requirement: Only the HSS container edition supports local image security scan. You can scan images for an unlimited number of times. For details about how to purchase and upgrade an HSS edition, see Purchasing an HSS Quota and Upgrading Protection Quotas.
- Supported runtime: Only local Linux images in Docker and Containerd can be scanned.
- Storage drive requirements:
- Docker: Only the image storage nodes using overlay and overlay2 can be scanned.
- Containerd: Only the image storage nodes using OverlayFS can be scanned.
- Image storage path constraints:
- Containerd: All local file system paths can be scanned.
- Docker: By default, only the /var/lib directory is scanned. If the Docker root directory is not under this path, HSS cannot scan images. You are advised to perform image scans on Containerd servers.
- Name constraints: The images or versions whose names contain -- cannot be scanned.
- To scan the cce-pause/pause image, HSS needs to start the sh/bash process. If the cce-pause/pause container does not have this process, the image scan task will fail. The cce-pause/pause container is a sandbox container. It has only one static compilation process and no vulnerabilities. Therefore, an image scan task failure does not affect services.
Local Image Security Scan Process

Operation |
Description |
---|---|
After the HSS agent is installed on a cluster node, the agent immediately starts synchronizing local image information to the HSS console. The information is updated every 24 hours. After the local image information is displayed, you can manually scan the images. |
|
View the local image scan results, and fix insecure images and risks, so that they will not harm the production environment. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot