Vulnerability scanning of Registries

Vulnerability scanning of: Docker Images | Docker Containers | Docker Hosts | Registry

Registry images are scanned to check the presence of any vulnerabilities by the Qualys container sensor. You can scan public and private registries for vulnerable images.

We support scanning the following registries:

Public registries: Docker Hub, AWS ECR, GCR, ACR (Azure)

Private registries: v2-private registry  

- Docker Trusted Registry (DTR)

- Docker Private Registry: insecure (http), secure (auth + https).

- jfrog-artifcatory

Note: Using http requires customers to manually configure their docker-engine for the registry. Qualys does not recommend using http and it's intended more for testing in dev environments.

For instrumentation support, see Container Runtime Security.

As a prerequisite you must install the registry sensor on a docker host which has access to the registry to pull images to scan.

Docker host configuration

Docker version - 1.12 or later.

Disk space on docker host - Minimum 20 GB of free space on the partition where docker is installed. This is required to scan registry images. Additionally, 1 GB of free space is required for persistent storage.

Connectivity - Docker host should have connectivity to the Registry to be scanned.

To validate connectivity, perform a successful docker login from the host to the Registry.

docker login <registryurl> (No protocol)

For Example,

docker login myregistry.com:5001

To download the sensor, simply go to Configurations > Sensors, click Download Sensor and then click Registry.

You need to append --registry-sensor or -r to the sensor install command to install the sensor for registry scan.

Download the registry sensor.

You need to add a registry in order to scan it for vulnerabilities. Go to Assets > Registries, and click New Registry.

Ensure that registry sensor deployed on the docker host is in running state.

Create a new registry.

In order to perform vulnerability analysis you need to connect to the registries using credentials. You need different types of credentials to connect to different registries. Credential types supported are Token, BasicAuth, DockerHub, AWS.

Registry creation options.

For AWS ECR, you can create a connector to connect to your AWS account.


Connector details to connect to AWS.

For GCR (Google Container Registry), you can create a connector to connect to your GCP account.


 Connector details to connect to GCP.

For ACR (Azure Container Registry), you can create a connector to connect to your Azure account.

Connector details to connect to Azure.

You can choose to scan immediately (On Demand scan) or on an on-going basis (Automatic scan).

On Demand scan allows you to scan repositories as well as specific images within those repositories. With Automatic scan, you can scan entire repositories at a set time every day.

You can cancel an ongoing scan by editing the registry and then using the Cancel option from the Quick Actions menu of a scan job. You cannot cancel jobs which are in “Error” or “Finished” state.

Use the Rescan option to restart an OnDemand scan. You cannot restart jobs which are in “Queued” or “Running” state.

Note: You must provide the full repository path up till the last sub-directory containing the images you want to scan.

Tip: The following command helps you to get a list of full repository names that are part of a registry.

curl -u <username>:<password> https://<registry-url>/v2/_catalog

For GCR, the repository name should not include the location information as you have already selected the location in the Create New Registry window.

For example, the repository name should be:


Scan settings: OnDemand or Scheduled.

Once you connect to the registry, Container Security pulls the inventory data and performs vulnerability scans on repositories and images within the registries.

Vulnerable images are listed on the Images tab.

To get the total count of vulnerable images in a registry, go to Registries tab, and click View Details in the Quick Actions Menu of a registry.

list of vulnerable images found in the registry.