Tencent Container Security Service

Overview

Last updated: 2024-01-23 15:44:44
Image security scans local images and repository images for vulnerabilities, trojans, viruses, sensitive data, and other risks.

Image security risks

An image is the static template from which a container is created, so the security of the image determines the security of the container at runtime.
Image security risks originate from how the image is built, where it is obtained from, and how it is obtained. An image may be risky in the following cases:
The image contains vulnerabilities or has malicious scripts embedded in it, so containers generated from it may contain the same vulnerabilities or be exploited.
Note:
For example, an attacker constructs a specially crafted compressed image file that triggers a vulnerability when the image is built, gaining the ability to execute arbitrary code.
If no USER is specified in the image, containers created from it run as the root user by default. If such a container is compromised, the attacker may gain root-level access to the host.
Data may be leaked if an image that stores fixed passwords or other sensitive data is published.
The attack surface is widened if unnecessary applications such as SSH and Telnet are added when the image is written.
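The three build-time risks above (no USER, so the container runs as root; credentials baked into the image; SSH or Telnet added unnecessarily) can all be caught by a static check of the Dockerfile before the image is ever pushed. The following script is an added example written for this page, not TCSS code: it lints a constructed risky Dockerfile and its hardened counterpart. The package list, variable-name patterns and file-name patterns are assumptions chosen for illustration, not a complete ruleset.

```python
"""Static checks for the image risks listed above (added example, not TCSS code).

Each check maps to one item on the page: running as root when USER is absent,
secrets baked into the image, and unnecessary remote-access services.
"""
import re
from typing import List, Tuple

# Constructed sample Dockerfile that exhibits every risk the page lists.
RISKY_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y openssh-server telnet curl
ENV DB_PASSWORD=SuperSecret123
COPY id_rsa /root/.ssh/id_rsa
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]
"""

# Constructed hardened counterpart: dedicated non-root user, no secrets, no SSH/Telnet.
HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --system --uid 10001 app
USER app
CMD ["/app/server"]
"""

# Assumed list of packages that add a remote login service and widen the attack surface.
REMOTE_ACCESS_PACKAGES = ("openssh-server", "rsh-server", "telnet", "telnetd")
# Assumed variable-name patterns that usually carry credentials.
SECRET_NAME_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# Assumed file-name patterns that usually are keys or credential stores.
PRIVATE_FILE_RE = re.compile(r"(id_rsa|id_ed25519|\.pem|\.key|\.env)\b", re.I)


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs, joining backslash continuations and dropping comments."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        head, _, args = buf.partition(" ")
        instructions.append((head.upper(), args.strip()))
        buf = ""
    return instructions


def check_dockerfile(text: str) -> List[str]:
    """Return one finding string per risk found; an empty list means no finding."""
    findings = []
    instructions = parse_instructions(text)

    # The last USER instruction decides who the container runs as; none means root.
    users = [args for instr, args in instructions if instr == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("USER not set to a non-root account: container runs as root by default")

    for instr, args in instructions:
        if instr in ("ENV", "ARG") and SECRET_NAME_RE.search(args):
            name = re.split(r"[=\s]", args, maxsplit=1)[0]
            findings.append(f"{instr} embeds a credential-like variable: {name}")
        if instr in ("COPY", "ADD") and PRIVATE_FILE_RE.search(args):
            findings.append(f"{instr} bakes a key or credential file into the image: {args}")
        if instr == "RUN":
            for pkg in REMOTE_ACCESS_PACKAGES:
                if re.search(rf"\b{re.escape(pkg)}\b", args):
                    findings.append(f"RUN installs remote-access service: {pkg}")
        if instr == "EXPOSE" and re.search(r"\b(22|23)\b", args):
            findings.append(f"EXPOSE publishes an SSH/Telnet port: {args}")
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{label}: {check_dockerfile(dockerfile) or ['no findings']}")
```

Running the script reports six findings for the risky Dockerfile and none for the hardened one. The check is deliberately conservative: it reads the last USER instruction because that is the one Docker applies, and it flags variable and file names rather than trying to recognise secret values, which is what an image scanner's sensitive-data rules do at scale.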

Repository image security risks

An image repository is the tool used to set up private image registries. Its risks fall into two groups: risks to the repository itself and transfer risks while images are pulled.
Repository security: If an image repository, especially a private one, is taken over by an attacker, every image it hosts is at risk.
Note:
For example, if port 2357 is opened because of improper configuration in a private image repository, the repository is exposed to the public network, and attackers can directly access it and tamper with its content.
Image pull security: Image security also covers the integrity of the container image on its way from the image repository to the user.
Note:
For example, if a user pulls an image in plaintext, the interaction with the image repository is vulnerable to man-in-the-middle attacks: the pulled image can be tampered with in transit, or a malicious image with the same name can be served in its place, putting both the repository and the user at risk.
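Two defensive controls address the pull-integrity risk just described: pinning image references by content digest, so that a manifest altered in transit or a same-name malicious image fails verification, and auditing the Docker daemon configuration for registries that are allowed over plaintext HTTP. The script below is an added example written for this page, not TCSS code. The manifest and daemon.json content are constructed samples; the `insecure-registries` key is the real Docker daemon.json setting, while the registry name `registry.example.com` is a placeholder.

```python
"""Pull-integrity checks for the repository risks above (added example, not TCSS code).

Two defensive checks: pin images by digest so a tampered or same-name malicious
image fails verification, and audit the Docker daemon config for registries that
may be pulled from over plaintext HTTP.
"""
import hashlib
import json
from typing import List, Optional, Tuple


def parse_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split name[:tag][@sha256:<hex>] into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # The tag separator is the last ':' after the final '/', so a registry port
    # such as registry.example.com:5000 is not mistaken for a tag.
    name, tag = ref, None
    colon, slash = ref.rfind(":"), ref.rfind("/")
    if colon > slash:
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest


def manifest_digest(manifest: bytes) -> str:
    """Content digest of a manifest: sha256 over the exact bytes the registry served."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


def verify_pull(ref: str, manifest: bytes) -> Tuple[bool, str]:
    """Accept the pulled manifest only if the reference is digest-pinned and the digest matches."""
    _, tag, digest = parse_reference(ref)
    if digest is None:
        return False, (f"reference uses mutable tag {tag!r} only; tampering in transit "
                       "or a same-name image cannot be detected")
    actual = manifest_digest(manifest)
    if actual != digest:
        return False, f"digest mismatch: pinned {digest}, received {actual}"
    return True, "manifest matches pinned digest"


def insecure_registries(daemon_json: str) -> List[str]:
    """Registries the Docker daemon may contact over plaintext HTTP ('insecure-registries' in daemon.json)."""
    return list(json.loads(daemon_json).get("insecure-registries", []))


# Constructed sample manifest and a tampered copy with one layer digest changed.
GOOD_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"digest": "sha256:" + "a" * 64, "size": 1234},
    "layers": [{"digest": "sha256:" + "b" * 64, "size": 5678}],
}, sort_keys=True).encode()
TAMPERED_MANIFEST = GOOD_MANIFEST.replace(b"b" * 64, b"c" * 64)
PINNED_DIGEST = manifest_digest(GOOD_MANIFEST)

# Constructed daemon.json that allows one registry over plaintext (placeholder address).
SAMPLE_DAEMON_JSON = '{"insecure-registries": ["10.0.0.5:5000"], "registry-mirrors": []}'

if __name__ == "__main__":
    pinned_ref = f"registry.example.com:5000/team/app:v1@{PINNED_DIGEST}"
    print(verify_pull(pinned_ref, GOOD_MANIFEST))
    print(verify_pull(pinned_ref, TAMPERED_MANIFEST))
    print(verify_pull("registry.example.com:5000/team/app:v1", GOOD_MANIFEST))
    print("plaintext registries:", insecure_registries(SAMPLE_DAEMON_JSON))
```

A tag-only reference is rejected outright because a tag can be repointed at a different image without the puller noticing, which is exactly the same-name substitution the note describes; a digest-pinned reference detects any byte changed in transit. An empty `insecure-registries` list in daemon.json means every pull goes over TLS, which removes the plaintext man-in-the-middle exposure.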
