The page has been translated by Gen AI.

Managing Image Security Vulnerabilities

By using the image security vulnerability inspection feature, you can manually or automatically check the OS package security vulnerabilities of images stored in the Container Registry and the Secrets included in the image. Users can identify and remove known vulnerabilities (CVE) and Secrets based on the inspection results to prevent the use of unsafe images.

Vulnerability Inspection Support Information

Supported OS

  • The vulnerability inspection feature checks libraries installed via the package manager on the following operating systems.
Supported OS
Ubuntu
CentOS
Oracle
Debian
Alpine
AWS Linux
RHEL
SUSE
VMware Photon
Table. Supported OS Types

Supported Languages

  • The vulnerability inspection feature checks the following languages.
Supported Language
Python
PHP
Node.js
.NET
Go
Dart
Table. Supported Language Types I (Libraries installed with the Language package manager)
Supported Language
Java
Table. Supported Language Types II (libraries identified based on pom.properties and MANIFEST.MF files included in jar, war, par, ear type files)

Supported Secrets

  • The vulnerability assessment feature detects the following types of Secrets included in the image.
Supported Secret
AWS access key
GitHub personal access token
GitLab personal access token
Asymmetric Private Key
Table. Supported Secret Types
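
A pre-push check for the four Secret types listed above, as an added example that is not part of the original page or the service's own scanner: it scans a constructed build context and reports file, line, category and a masked match. The regular expressions are widely published token formats and are an assumption here, as are the names `scan_files`, `mask` and the sample files.

```python
import re

# Widely published token formats, assumed for this sketch; they are not
# the registry scanner's own detection rules.
PATTERNS = {
    "AWS access key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "GitLab personal access token": re.compile(r"\bglpat-[0-9A-Za-z_-]{20}"),
    "Asymmetric Private Key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

def mask(value, keep=4):
    """Keep a short prefix so a finding is identifiable without re-leaking it."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_files(files):
    """files maps path -> text; returns (path, line, category, match) tuples."""
    findings = []
    for path in sorted(files):
        for line_no, line in enumerate(files[path].splitlines(), 1):
            for category, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    # A PEM header holds no key material, so it is shown as-is.
                    pem = category == "Asymmetric Private Key"
                    shown = m.group() if pem else mask(m.group())
                    findings.append((path, line_no, category, shown))
    return findings

# Constructed build context; every credential below is a fake placeholder.
FAKE_GITHUB = "ghp_" + "a" * 36
FAKE_GITLAB = "glpat-" + "x" * 20
SAMPLE = {
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment.\n",
    "app/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDEBUG=1\n",
    "ci/deploy.sh": (
        "#!/bin/sh\n"
        f"git clone https://{FAKE_GITHUB}@github.com/org/repo\n"
        f"curl -H 'PRIVATE-TOKEN: {FAKE_GITLAB}' https://gitlab.example/api\n"
    ),
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(placeholder, no key material)\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE):
        print(*finding, sep=" | ")
```

Running a check like this on the build context before the image is pushed catches these Secret types earlier than a registry-side inspection, which only sees them once they are already stored in an image layer.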

Check Image Security Vulnerabilities (Manual)

To check image security vulnerabilities, follow the steps below.

  1. Click the All Services > Container > Container Registry menu. You will be taken to the Service Home page of Container Registry.
  2. Click the Image menu on the Service Home page. You will be taken to the Image list page.
  3. Click the Settings icon at the top of the Image list page and select the Registry name and Repository name where the Image whose detailed information you want to check is stored.
  4. On the Image List page, click the resource (Image) whose security vulnerabilities you want to check. The Image Details page opens.
  5. On the Image Details page, click the Tags tab to the right of the detailed information tab at the top of the page. You will be taken to the Tags tab page.
  6. On the Tags tab page, click the More button located at the far right of the tag you want to check for security vulnerabilities, then click Vulnerability Check.
  7. When the vulnerability check notification popup opens, click the Confirm button.
    • When the inspection starts, the message "Vulnerability inspection will be conducted." is displayed.
    • When the inspection is finished, the Vulnerability Inspection Results item displays a summary of the inspection results and a View Results button. Clicking the View Results button opens a popup where you can see the detailed analysis results of Vulnerabilities by Image Digest (Tags).
      Reference
      • Clicking the View Results button shows the detailed analysis results of vulnerabilities for the image tag.
        • If a red exclamation mark icon (!) appears in the inspection date/time field after a vulnerability check, it means the vulnerability check list for the Container Registry service has been updated. Because the image Digest (Tags) needs to be checked against the new vulnerability items, we recommend clicking Vulnerability Check to run the check again.

Check image security vulnerability assessment results

To check the vulnerability assessment results, follow the steps below.

  1. Click the All Services > Container > Container Registry menu. You will be taken to the Service Home page of Container Registry.
  2. Click the Image menu on the Service Home page. You will be taken to the Image list page.
  3. Click the Settings icon at the top of the Image List page and select the Registry name and Repository name where the Image whose detailed information you want to view is stored.
  4. On the Image List page, click the resource (Image) to check for security vulnerabilities. You will be taken to the Image Details page.
  5. On the Image Details page, click the Tags tab on the right side of the detailed information tab at the top of the page. You will be taken to the Tags tab page.
  6. On the Tags tab page, click the View Results button in the Vulnerability Assessment Results item of the tag whose vulnerability assessment results you want to check.
  7. Check the results in the Vulnerabilities by Image Tags popup window, where you can view the detailed analysis results.

Check inspection results by vulnerability unit

The Vulnerabilities tab of the Image Tag-specific Vulnerabilities detail page lets you view image security vulnerability assessment results by vulnerability.

Item | Detailed description
Vulnerability Check | Vulnerability Check button
  • Clicking the button starts the vulnerability check
  • However, if the tag status is Inactive, the Vulnerability Check button is not activated
Inspection Date/Time | Vulnerability inspection date/time
Distribution | OS name and version of the image Digest (Tags) under inspection
  • Refer to the supported OS list
Total number of vulnerabilities | Vulnerability assessment summary
  • The total number of detected vulnerabilities and the count by severity are displayed as a graph
  • Vulnerabilities are classified into six levels by severity (Critical, High, Medium, Low, Negligible, Unknown)
Table. Summary of Vulnerability Inspection Results

The Vulnerability tab allows you to view the list of all discovered vulnerabilities.

Item | Detailed description
CVE | Detected vulnerability ID (CVE ID), with an external link to detailed information about the vulnerability
  • CVE (Common Vulnerabilities and Exposures)
Severity | Severity of the detected vulnerability
CVSS | CVSS (Common Vulnerability Scoring System) based vulnerability score
Category | Inspection target type of the detected vulnerability
  • OS package or Language package is displayed
OS/Language | OS or Language package type of the detected vulnerability
  • Refer to the list of supported OSes and supported Languages
Package | Name of the package with the discovered vulnerability
Current version | Current version of the package where the vulnerability was found (vulnerable version)
Fixed version | Version of the discovered package in which the vulnerability has been addressed
Modification status | Whether a version that fixes the vulnerability exists for the package where the vulnerability was discovered (whether a patched version exists)
Expand button | View detailed vulnerability information
  • Clicking the Expand button displays detailed information about the vulnerability at the bottom
  • You can view the Description and Vectors results for the vulnerability. Detailed explanations for each Vector value are provided as tooltips
  • The detailed information opened with the Expand button can be closed by clicking the Collapse button
Table. Vulnerability List Item

Check inspection results by package unit

On the Image Tag Vulnerabilities detail page, click the Package tab to go to the package-specific vulnerability page. In the Package tab, you can view the image security vulnerability check results by package.

Item | Detailed description
Vulnerability Check | Vulnerability Check button
  • Clicking the button starts the vulnerability check
  • However, if the tag status is Inactive, the Vulnerability Check button is not activated
Inspection Date/Time | Vulnerability inspection date/time
Distribution | OS name and version of the image Digest (Tags) to be inspected
  • Refer to the supported OS list
Total package count | Summary of total package information
  • The total number of discovered packages and the number of packages based on vulnerability presence are displayed as a graph.
Table. Summary items of package vulnerability inspection results

The Package tab allows you to view the full package list, as well as the list of packages with discovered vulnerabilities and the list of packages without discovered vulnerabilities.

Item | Detailed description
Category | Type of discovered package
  • OS package or Language package is displayed
OS/Language | Detailed OS or Language type of the discovered package
  • Refer to the list of supported OSes and supported Languages
Package | Detected package name
Version | Current version of the package
Vulnerability Inspection Result | Summary of the number of vulnerabilities contained in the package
Type | OS or Language type and details of the discovered package
Table. Package List Items

Check results by secret unit

On the Image Tag Vulnerabilities detail page, click the Secret tab to go to the secret-specific vulnerability page. You can view the image security vulnerability scan results by secret.

Item | Detailed description
Vulnerability Check | Vulnerability Check button
  • Click the button to start the vulnerability check
  • However, if the tag status is Inactive, the Vulnerability Check button will not be activated
Inspection date/time | Vulnerability inspection date/time
Distribution | OS name and version of the target image Digest (Tags)
  • Refer to the supported OS list
Total number of vulnerabilities | Vulnerability result summary
  • The total number of detected vulnerabilities and the number of vulnerabilities by severity are displayed as a graph
  • Vulnerabilities are classified into six levels by severity (Critical, High, Medium, Low, Negligible, Unknown)
Table. Summary of secret vulnerability inspection results

In the Secret tab, you can view the full list of secret files, as well as the lists of files with discovered vulnerabilities and files without discovered vulnerabilities.

Item | Detailed description
File | File name of detected secret
Category | Detected secret type
  • Refer to the supported secret list
Severity | Detected secret severity
Match | Secret match information in detected file
Table. Secret list items