Scan Image
A downloaded image can be used directly, which is convenient for users. However, downloaded images may not be safe and may contain maliciously implanted backdoors. Therefore, it is essential to scan downloaded images to obtain security information.
In a DevOps CI/CD process, pushing an image directly to the Container Registry cannot guarantee its security. Thus, continuous security integration and automatic scanning are necessary.
Security scanning is an active preventive measure that can effectively avoid hacker attacks and prevent problems before they occur. It is recommended to scan images regularly or manually.
Once in the production environment, a container must meet high security standards. Therefore, it is necessary to scan the image for security improvement before running the container.
The final scan results should provide more guidance on corrective actions. When users receive news that a container image has a vulnerability, they need to identify the issue's source and fix it themselves.
Image Scan Features
The DCE 5.0 Container Registry module supports the following image scanning options:
- Managed Harbor registries support Trivy scanning.
- Native Harbor registries support Clair and Trivy scanning, depending on what plugins the user has installed.
When the user scans the image index, all indexed images will be scanned synchronously, and the scan result is the sum of the indexed images' scan results.
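The CI/CD gating, corrective-action guidance and image-index summing described above can be sketched as follows. This is an added example, not DCE or Harbor code: it assumes reports in the JSON format written by the Trivy CLI (`trivy image --format json`) in a pipeline step, and the sample reports, CVE IDs, versions and function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed Trivy JSON reports, one per image referenced by an image index.
# CVE IDs and versions are placeholders, not real identifiers.
REPORTS = [json.loads(s) for s in (
    '{"ArtifactName": "app:1.0 (linux/amd64)", "Results": ['
    '{"Target": "debian", "Vulnerabilities": ['
    '{"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",'
    ' "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "CRITICAL"},'
    '{"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib",'
    ' "InstalledVersion": "1.2.11", "Severity": "HIGH"}]},'
    '{"Target": "app/requirements.txt"}]}',
    '{"ArtifactName": "app:1.0 (linux/arm64)", "Results": ['
    '{"Target": "debian", "Vulnerabilities": ['
    '{"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",'
    ' "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "CRITICAL"},'
    '{"VulnerabilityID": "CVE-0000-0003", "PkgName": "bash",'
    ' "InstalledVersion": "5.1", "FixedVersion": "5.2", "Severity": "LOW"}]}]}',
)]

def findings(report):
    """Yield every vulnerability; a clean target has no Vulnerabilities key (or null)."""
    for result in report.get("Results") or []:
        yield from result.get("Vulnerabilities") or []

def index_summary(reports):
    """Severity counts for an image index: the sum over its indexed images."""
    return Counter(v["Severity"] for r in reports for v in findings(r))

def remediation(reports):
    """Map package -> fixed version, or None when the report lists no fix.
    Simplification: if a package appears more than once, the last entry wins."""
    plan = {}
    for r in reports:
        for v in findings(r):
            plan[v["PkgName"]] = v.get("FixedVersion") or None
    return plan

def gate(reports, blocking=("CRITICAL", "HIGH")):
    """True if the index may be promoted: no finding at a blocking severity."""
    summary = index_summary(reports)
    return not any(summary[s] for s in blocking)

if __name__ == "__main__":
    print(dict(index_summary(REPORTS)))
    print(remediation(REPORTS))
    print("promote" if gate(REPORTS) else "block")
```

Packages mapped to `None` have no fixed version in the report, so the corrective action is a base-image change or an accepted-risk decision rather than a package upgrade.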
Manually Scan Images
For integrated registries, images appear on the list. You can manually scan images on demand.
- Go to the registry space, enter the image list, select an instance and registry space, and click an image.
- In the image details list, click ┇ on the right side of the list, and select Scan from the pop-up menu.
- The system starts to scan the image, usually displaying the status Queued, Scanning, or Complete. Scan status includes:
    - Not Scanned: The image has never been scanned.
    - Not Supported: This image does not support scanning.
    - Queued: The scan task is scheduled but not yet run.
    - Scanning: The scanning task is in progress, and a progress bar is displayed.
    - View log: The scan task failed to complete. Click View Logs to view the related logs.
    - Complete: The scan task completed successfully.
- After the scan is complete, hover the cursor over the scale bar of the scan to view the scan details.
Scan Native Harbor Images
Integrated native Harbor registries support scanning by Clair or Trivy.
The specific steps are:
- Log in to the Container Registry as a platform administrator and click Integrated Registry at the bottom left.
- In the list of integrated registries, hover the cursor over a registry and click the Go to Native Harbor Registry icon.
- Jump to the native Harbor; see Scanning Harbor images.