As a prerequisite, install the registry sensor on a Docker host that can reach the registry and pull the images to be scanned.
Docker version - 1.12 or later.
Disk space on docker host - Minimum 20 GB of free space on the partition where docker is installed. This is required to scan registry images. Additionally, 1 GB of free space is required for persistent storage.
Connectivity - Docker host should have connectivity to the Registry to be scanned.
To validate connectivity, perform a successful docker login from the host to the Registry.
docker login <registryurl> (registry host and port only, no protocol prefix such as https://)
docker login myregistry.com:5001
To download the sensor, go to Configurations > Sensors, and click Download Sensor. Then click Registry. For a standalone deployment, choose the host's operating system. For a cluster deployment, pick Cluster and then pick a cloud environment. Follow the installation instructions on the screen.
You need to add a registry in order to scan it. Go to Assets > Registries, and click New Registry. (Ensure that the registry sensor deployed on the Docker host is in the Running state.)
To perform vulnerability and compliance scans, Container Security must connect to the registry using credentials. The credential type depends on the registry being connected. Supported credential types are Token, BasicAuth, DockerHub, and AWS.
Click any link below to see steps for connector creation.
AWS ECR Connector
Azure Container Registry Connector
Google Cloud Registry Connector
Google Artifact Registry Connector
Using OpenShift? Use the Docker V2-Private registry type, and provide the OpenShift URL. See the following link to learn how to create a service account and extract the service account token.
After adding registry information, click Next to continue to Scan Settings. You can choose to scan immediately (On Demand) or on an ongoing basis (Automatic). An On Demand scan lets you scan repositories as well as specific images within those repositories. With an Automatic scan, you can scan entire repositories at a set time every day.
In the Repository field, enter the full repository path up to the last subdirectory containing the images you want to scan (except for Google Cloud Registry and Google Artifact Registry; see the notes below).
Tip: The following command helps you to get a list of full repository names that are part of a registry.
curl -u <username>:<password> https://<registry-url>/v2/_catalog
- For Google Cloud Registry, the repository name should not include location information since you already provided the location under registry information. For example, the repository name should be: project-Id/repository-name
- For Google Artifact Registry, only the repository name is needed. The full path is populated automatically.
Cancel an ongoing scan by editing the registry and selecting Cancel from the Quick Actions menu of a scan job. You cannot cancel scan jobs in Error or Finished state.
Use the Rescan option to restart an On Demand scan. You cannot restart scan jobs in Queued or Running state.
Once you connect to the registry, Container Security pulls the inventory data and performs scans on repositories and images within the registries. Vulnerable images are listed on the Assets > Images tab.
To get the total count of vulnerable images in a registry, go to the Assets > Registries tab, and click View Details in the Quick Actions Menu of a registry.