Tencent Container Registry (TCR) Enterprise Edition supports security scanning of hosted container images, generating scan reports, exposing potential security vulnerabilities within container images, and providing remediation suggestions. Container image security is a crucial aspect of cloud-native application delivery. Timely security scanning of uploaded container images and blocking application deployment based on scan results can effectively reduce vulnerability risks in production environments.
The image security scanning feature is built into image repositories. After uploading a container image, you can manually trigger a security scan of a specified image version. You can also configure automatic scanning at the namespace level, so that newly pushed images in that namespace are scanned automatically after upload. The current image security scanning service is based on the open-source Clair solution; its vulnerability information comes from the official CVE vulnerability database and is synchronized on a regular basis.
Preparations
Make sure that the following conditions are met before using the image security scanning feature:
If you are using a sub-account, the sub-account must have obtained operation permissions on the corresponding instance. For more information, see TCR Enterprise Authorization Management.
Instructions
Configuring the scanning policy
1. Log in to the TCR console and click Namespace in the left sidebar.
2. On the Namespace page, click the name of the instance for which you want to enable the image security scanning feature to go to the namespace details page.
3. On the Basic Information page, set the security scanning configuration to Automatic Scanning.
Manually triggering scanning
Step 1: Preparing a container image
Refer to Basic Image Repository Operations to upload a container image and view the image on the version management page of the corresponding image repository.
Step 2: Trigger image scanning
Select the specified image version within the image repository and click Scan to trigger the image scan. The security level will then display as "Scanning".
Note:
The image scanning feature is only available for images with the artifact type DockerImage; other artifact types are not currently supported for image scanning.
Step 3: Viewing the scanning results
After the security scanning is complete, the highest level and the number of vulnerabilities in the current image are displayed in the security level section. You can view the vulnerability details, as shown in the figure below:
When viewing the vulnerability details, you can click a specific vulnerability ID to go to that vulnerability's details page, so that you can assess its actual impact on your business, as shown in the figure below:
Step 4: Re-triggering scanning
As the vulnerability library is updated regularly, you can refer to Step 2: Trigger image scanning to re-trigger the security scanning of the specified image and obtain the latest scanning results.
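The introduction above mentions blocking deployment based on scan results, and Step 3 shows the highest severity level and the vulnerability count for an image. The following added example (not TCR product code) implements such a deployment gate over a scan report. The report format is a constructed, simplified stand-in for a Clair-style finding list, not the actual TCR report schema, and the image name, CVE IDs and package names in it are placeholders.

```python
"""Deployment gate over a container-image scan report (added example, not TCR code)."""
from collections import Counter

# Severity ranking from lowest to highest (assumed ordering, matching Clair's names).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample report for one image version; all values are placeholders.
SAMPLE_REPORT = {
    "image": "example-instance.tcr.example.com/ns/app:1.2.3",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "package": "libfoo", "severity": "Critical", "fixed_in": "2.0.1"},
        {"id": "CVE-0000-0002", "package": "libbar", "severity": "High", "fixed_in": None},
        {"id": "CVE-0000-0003", "package": "libbaz", "severity": "Medium", "fixed_in": "1.4.0"},
        {"id": "CVE-0000-0004", "package": "libqux", "severity": "Low", "fixed_in": "0.9.9"},
    ],
}


def severity_rank(severity):
    """Map a severity name to a sortable rank; unrecognised names rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def summarize(report):
    """Return (highest severity, per-severity counts), like the console's security-level view."""
    findings = report.get("vulnerabilities", [])
    counts = Counter(f.get("severity", "Unknown") for f in findings)
    worst = max(findings, key=lambda f: severity_rank(f.get("severity")), default=None)
    return (worst["severity"] if worst else None), counts


def gate(report, block_at="High", ignore_unfixable=False):
    """Decide whether an image may be deployed.

    Any finding at or above `block_at` blocks the deployment. With
    `ignore_unfixable=True`, findings that have no fixed version are not
    blocking (a common policy when no remediation exists yet).
    """
    threshold = severity_rank(block_at)
    blocking = []
    for f in report.get("vulnerabilities", []):
        if severity_rank(f.get("severity")) < threshold:
            continue
        if ignore_unfixable and not f.get("fixed_in"):
            continue  # no remediation available; deferred per policy
        blocking.append(f)
    # Most severe first, so the first entry is what to remediate first.
    blocking.sort(key=lambda f: severity_rank(f["severity"]), reverse=True)
    return {"image": report.get("image"), "allowed": not blocking, "blocking": blocking}


if __name__ == "__main__":
    highest, counts = summarize(SAMPLE_REPORT)
    print(f"highest={highest} counts={dict(counts)}")
    print(gate(SAMPLE_REPORT))
```

Because the vulnerability database is refreshed regularly (Step 4), a gate like this should be run against a fresh scan of the image rather than a cached report.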