Adding a new registry to scan

Docker Host Configuration

As a prerequisite you must install the registry sensor on a docker host which has access to the registry to pull images to scan.

Docker version - 1.12 or later.

Disk space on docker host - Minimum 20 GB of free space on the partition where docker is installed. This is required to scan registry images. Additionally, 1 GB of free space is required for persistent storage.

Connectivity - Docker host should have connectivity to the Registry to be scanned.

How to validate connectivity

To validate connectivity, perform a successful docker login from the host to the Registry.

docker login <registryurl>   (host and port only, no protocol prefix such as https://)

Example:

docker login myregistry.com:5001
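The three prerequisites above (Docker 1.12 or later, free space where Docker stores its data, and a working login to the registry) can be checked in one pass on the intended sensor host. The POSIX sh script below is an added example and is not part of the product documentation; it assumes the hypothetical environment variables REGISTRY (host and port, no scheme), REGISTRY_USER and REGISTRY_PASSWORD, and uses only standard `docker version`, `docker info`, `docker login` and `df` calls.

```shell
#!/bin/sh
# Preflight for a registry-sensor host: Docker >= 1.12, enough free space under
# Docker's data directory, and a successful docker login to the registry.
# Added example; not part of the product documentation. Assumed (hypothetical)
# environment variables: REGISTRY (host[:port], no scheme), REGISTRY_USER,
# REGISTRY_PASSWORD.

# version_ge A B: succeed when dotted version A is >= B, comparing up to four
# numeric fields; a suffix such as "-ce" is ignored ("20.10.7-ce" -> 20.10.7).
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//'); x=${x:-0}
        y=$(printf '%s' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//'); y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0   # all fields equal
}

# free_gb DIR: whole gigabytes free on the filesystem that holds DIR (POSIX df).
free_gb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'
}

# preflight REGISTRY: run the three checks; prints the reason to stderr on failure.
preflight() {
    registry=$1
    ver=$(docker version --format '{{.Server.Version}}') || return 1
    version_ge "$ver" 1.12 || { echo "Docker $ver is older than 1.12" >&2; return 1; }

    # 20 GB is needed on the partition holding Docker's data for image scanning;
    # the extra 1 GB of persistent storage is assumed to live on the same path.
    root=$(docker info --format '{{.DockerRootDir}}')
    gb=$(free_gb "$root")
    [ "$gb" -ge 21 ] || { echo "only ${gb} GB free under $root (need 20 GB + 1 GB)" >&2; return 1; }

    # Non-interactive login; --password-stdin keeps the password out of the
    # process list (it needs Docker 17.07+; older clients only offer -p).
    printf '%s' "$REGISTRY_PASSWORD" \
        | docker login "$registry" -u "$REGISTRY_USER" --password-stdin >/dev/null \
        || { echo "docker login to $registry failed" >&2; return 1; }

    echo "OK: Docker $ver, ${gb} GB free under $root, login to $registry succeeded"
}

# Only run the live checks when a registry was supplied; the helper functions
# above can be sourced and used on their own.
if [ -n "${REGISTRY:-}" ]; then
    preflight "$REGISTRY"
fi
```

Run it as `REGISTRY=myregistry.com:5001 REGISTRY_USER=... REGISTRY_PASSWORD=... sh preflight.sh`; a non-zero exit with a message on stderr tells you which prerequisite the host misses before you deploy the sensor.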

Download and Deploy Registry Sensor

To download the sensor, go to Configurations > Sensors, and click Download Sensor. Then click Registry. For a standalone deployment, choose the host's operating system. For a cluster deployment, pick Cluster and then pick a cloud environment. Follow the installation instructions on the screen.

Registry Sensor

Add Registry Information

You need to add a registry in order to scan it. Go to Assets > Registries, and click New Registry. (Ensure that the registry sensor deployed on the Docker host is in the running state.)

New Registry

To perform vulnerability and compliance scans, we need to connect to the registry using credentials. Different registries require different types of credentials. The supported credential types are Token, BasicAuth, DockerHub, and AWS.

Registry Information

Click any link below to see steps for connector creation.

AWS ECR Connector

Azure Container Registry Connector

Google Cloud Registry Connector

Google Artifact Registry Connector
Using OpenShift? Use the Docker V2-Private registry type, and provide the OpenShift URL. See the following link to learn how to create a service account and extract the service account token.

OpenShift Registry

Configure Scan Settings

After adding registry information, click Next to continue to Scan Settings. You can choose to scan immediately (On Demand) or on an ongoing basis (Automatic). An On Demand scan lets you scan repositories as well as specific images within those repositories. With an Automatic scan, you can scan entire repositories at a set time every day.

Scan Settings

Enter the repository to scan

In the Repository field, enter the full repository path up to the last sub-directory containing the images you want to scan (except for Google Cloud Registry and Google Artifact Registry; see the Notes below).

Tip: The following command lists the full repository names that are part of a registry (note the space between the credentials and the URL).

curl -u <username>:<password> https://<registry-url>/v2/_catalog

Notes:

- For Google Cloud Registry, the repository name should not include location information since you already provided the location under registry information. For example, the repository name should be: project-Id/repository-name

- For Google Artifact Registry, only the repository name is needed. We'll auto-populate the full path.
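The `/v2/_catalog` call in the tip returns a JSON body of the form `{"repositories":["team/app", ...]}`, and registries that paginate add a `Link: <...>; rel="next"` response header pointing at the next page, so a single request can miss repositories. The script below is an added example (not product code) that follows those links until the last page and prints one full repository name per line, ready to paste into the Repository field; it assumes the hypothetical environment variables REGISTRY, REGISTRY_USER and REGISTRY_PASSWORD and a registry that accepts BasicAuth credentials.

```shell
#!/bin/sh
# List every repository a registry exposes through the Docker Registry HTTP
# API v2 catalog, following the Link header so paginated registries return
# the full list. Added example; not product code. Assumed (hypothetical)
# environment variables: REGISTRY (host[:port]), REGISTRY_USER, REGISTRY_PASSWORD.

# parse_catalog_json JSON: print one repository name per line from a
# {"repositories":[...]} body (no jq needed; names contain neither '"' nor ',').
parse_catalog_json() {
    printf '%s' "$1" | tr -d ' \n\r' \
        | sed -e 's/.*"repositories":\[//' -e 's/\].*//' -e 's/"//g' \
        | tr ',' '\n' | sed '/^$/d'
}

# next_link HEADERS: print the path from a 'Link: </v2/_catalog?...>; rel="next"'
# response header, or nothing when this was the last page.
next_link() {
    printf '%s\n' "$1" | grep -i '^Link:' | grep 'rel="next"' \
        | sed -e 's/^[Ll][Ii][Nn][Kk]: *<//' -e 's/>.*//'
}

# catalog_repos REGISTRY USER PASSWORD: fetch all catalog pages and print names.
catalog_repos() {
    registry=$1; user=$2; pass=$3
    path='/v2/_catalog?n=100'          # page size; the registry may cap it
    hdr=$(mktemp) || return 1
    while [ -n "$path" ]; do
        # -f turns HTTP errors (401, 404) into a failure instead of JSON noise
        body=$(curl -sSf -u "$user:$pass" -D "$hdr" "https://$registry$path") \
            || { rm -f "$hdr"; return 1; }
        parse_catalog_json "$body"
        path=$(next_link "$(cat "$hdr")")
    done
    rm -f "$hdr"
}

if [ -n "${REGISTRY:-}" ]; then
    catalog_repos "$REGISTRY" "$REGISTRY_USER" "$REGISTRY_PASSWORD"
fi
```

Two caveats: registries that use token authentication (Docker Hub and the cloud registries linked above among them) answer a plain Basic request with a 401 bearer challenge, so this works as written only against registries that accept BasicAuth, and Docker Hub does not expose `/v2/_catalog` at all. Also, like the one-line tip, `-u user:pass` exposes the password in the process list; on a shared host prefer `curl -n` with a `.netrc` file instead.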

How to cancel a scan

Cancel an ongoing scan by editing the registry and selecting Cancel from the Quick Actions menu of a scan job. You cannot cancel scan jobs in Error or Finished state.

How to restart a scan

Use the Rescan option to restart an On Demand scan. You cannot restart scan jobs in Queued or Running state.

What happens next?

Once you connect to the registry, Container Security pulls the inventory data and performs scans on repositories and images within the registries. Vulnerable images are listed on the Assets > Images tab.

To get the total count of vulnerable images in a registry, go to the Assets > Registries tab, and click View Details in the Quick Actions Menu of a registry.