Recently, high-risk vulnerabilities such as the Spring vulnerabilities have been disclosed frequently. To help users discover and reduce security risks in images, and thereby lower the potential risk in production environments, Alibaba Cloud Container Registry Enterprise Edition (ACR EE) offers a free trial of the Cloud Security scanning engine from April 1, 2022 00:00 to April 15, 2022 24:00. The trial provides a quota of 10,000 scans for distinct image versions (distinguished by image Digest; repeated scans of the same Digest are unlimited). If the feature is not enabled by default on your current Enterprise Edition instance, you can submit a ticket (address: https://selfservice.console.aliyun.com/ticket/category/acr/recommend/1230 ) to apply. The scanning engine is the result of in-depth cooperation between ACR EE and Cloud Security. It fully supports scanning container images for system vulnerabilities, application vulnerabilities, baseline checks, and malicious samples, providing continuous risk discovery and automatic repair capabilities.

The importance of container security

As the cloud adoption rate of enterprises continues to increase, more and more enterprises choose to use a container architecture in production. According to a report released by CNCF in 2020 [1], the proportion of enterprises using containers in production will increase from 84% last year to 92% in 2021. Gartner predicts [2] that 95% of enterprises will be based on cloud-native platforms by 2025. According to iResearch's "China Container Cloud Market Research Report", 84.7% [3] of Chinese enterprises had used or planned to use containers in 2020 (43.9% had used them and 40.8% planned to). Similarly, built-in security in software development is becoming an important indicator for evaluating the maturity of enterprise DevOps: among teams practicing DevOps, 48% [4] value security features the most.

However, because container applications are agile and elastic, densely deployed, and openly reused, users face greater security concerns even as they enjoy the benefits of cloud native. Tripwire surveyed 311 IT security professionals in 2019 and found that 60% of organizations had experienced a container security incident [5], whether through intrusion of Kubernetes clusters or through the frequent appearance of images containing vulnerabilities and malicious programs on Docker Hub. As a result, more and more enterprises are starting to focus on best practices for container security.

Alibaba Cloud Container Image Service Enterprise Edition

Alibaba Cloud Container Registry Enterprise Edition (ACR EE for short) is an enterprise-grade management platform for cloud-native application artifacts that provides secure hosting and efficient distribution of OCI artifacts such as container images and Helm Charts. In DevSecOps scenarios, enterprise customers can use the ACR cloud-native application delivery chain to deliver cloud-native applications efficiently and securely and to accelerate innovation and iteration. In scenarios involving global multi-region collaboration, business expansion overseas, and expansion into China (GoChina), enterprise customers can use the global synchronization capability together with a globally unified domain name to pull images from the nearest region, improving the efficiency of distribution, operation, and maintenance. In large-scale distribution and AI training and inference scenarios with very large images, enterprises can use ACR P2P distribution or on-demand distribution to further improve deployment and iteration efficiency. View details: https://www.aliyun.com/product/acr


What is an enhanced scan engine?

The enhanced scanning engine is the result of in-depth cooperation between ACR EE and the Cloud Security Center. Compared with the currently popular open-source scanning engines (Clair, etc.), it provides more accurate vulnerability screening: all vulnerability data is curated by a professional security operations team to ensure validity and substantially reduce false positives. At the same time, ACR EE provides batch scanning and automatic scanning, supports scan scopes at namespace and repository granularity, and can provide automated, large-scale scanning for different scenarios. In addition, ACR EE provides event notifications to support integration with customers' existing DevOps processes.

The scan risk types currently supported by the scan engine are as follows:
• System vulnerabilities: Identifies vulnerabilities in common mainstream operating systems and supports one-click repair. Examples: Linux kernel vulnerabilities, insecure system software packages, insecure Java SDKs, etc.
• Application vulnerabilities: Scans for vulnerabilities in container-related middleware and applications, and supports detection of weak passwords in system services, system service vulnerabilities, and application service vulnerabilities. Examples: the fastjson remote code execution vulnerability, the Apache Log4j2 remote code execution vulnerability, the Spring Framework remote code execution vulnerability, the Apache Hadoop information disclosure vulnerability, the Apache Tomcat information disclosure vulnerability, etc.
• Baseline check: Scans container assets for baseline security risks. It checks security configurations such as weak passwords, account permissions, identity authentication, password policies, access control, security auditing, and intrusion prevention, and provides detection results together with hardening recommendations for risky configurations. Examples: Access Key leakage, unauthorized access, service configuration issues, etc.
• Malicious samples: Detects malicious samples in containers, displays container security threats in your assets, and helps you locate malicious samples so that you can remediate them by location, greatly reducing the security risk of using containers. Examples: backdoor (Webshell) files, self-mutating Trojans, backdoor programs, etc.

How do I enable the Enhanced Scan Engine?

  1. On the instance management page of the Enterprise Edition, select Security and Trust > Image Scanning, and click the switch button in the upper right corner to switch the scan engine to the Cloud Security scan engine.
  2. Create scan rules on the image scanning page. Currently, automatic scanning is supported for namespace-level and repository-level scan rules. You can also trigger a scan manually to identify all risks in the existing images within the rule's scope. It is recommended that you configure scan event notifications so that scan results are delivered via DingTalk, HTTP, or HTTPS after an image scan completes.
  3. After creating a scan rule, click Scan Now to view the scan task status and the final risk status.
  4. Click to view the details to confirm the security risks of the container image across the dimensions of system vulnerabilities, application vulnerabilities, baseline checks, and malicious samples. In this example, the recent Spring and other high-risk vulnerabilities contained in the image have been analyzed and identified.
  5. At the same time, the configured DingTalk bot receives the corresponding alert notification (HTTP/HTTPS and other notification methods are also supported).

Cloud-native application delivery chain helps enterprises realize DevSecOps

In addition to supporting in-depth risk identification and repair of container images, ACR EE also provides cloud-native application delivery chain capabilities, and supports flexible security policies to ensure safer and more efficient delivery of products online. At the same time, various links in the cloud-native application delivery chain can also be integrated and used by your CI/CD process (such as Jenkins Pipeline, GitLab Runner, etc.).


1. Upgrade the Enterprise Edition instance to the Advanced specification. On the instance overview page, click Cloud Native Delivery Chain > Delivery Chain, and click Create Delivery Chain. On the security scan node, configure the chain to block subsequent delivery of the container image when a high-risk vulnerability is found, and optionally delete or back up the original risky image.

2. When a high-risk container image is pushed within the scope of the delivery chain, a security scan is triggered automatically and the security policy is executed to block deployment of the risky image.

3. If the image has system vulnerabilities, one-click repair can be performed after the delivery chain is blocked:

• The delivery chain is blocked.

• Check all risk items and click one-click repair.

• Wait for the image repair to complete. After the default repair completes, a new image with a tag ending in _fixed is built and execution of the delivery chain is re-triggered.

• After the security scan, the repaired image no longer contains the previous vulnerabilities and the delivery chain completes successfully. The risk status comparison between the original image and the repaired image can also be seen on the image version page.

Appendix

[1] Cloud Native Survey 2020
https://www.cncf.io/blog/2020/11/17/cloud-native

[2] Gartner: Cloud will be at the heart of new digital experiences
https://www.gartner.com/cn/newsroom/press-releases/cloud-will-be-the-centerpiece-of-new-digital-experiences

[3] 2020 China Container Cloud Market Research Report - iResearch Cloud Native Series Report (1)
https://www.iresearch.com.cn/Detail/report?id=3701&isfree=0

[4] Research on DevOps Application Development in China in 2020 - iResearch Cloud Native Series Report (2)
https://www.iresearch.com.cn/Detail/report?id=3702&isfree=0

[5] 60% of Organizations Suffered a Container Security Incident in 2018, Finds Study
https://www.tripwire.com/state-of-security/devops/organizations-container-security-incident/
