Vulnerability scanning of Registries

Vulnerability scanning of: Docker Images | Docker Containers | Docker Hosts | Registry

Registry images are scanned to check the presence of any vulnerabilities by the Qualys container sensor. You can scan public and private registries for vulnerable images.

We support scanning the following registries:

Public registries: Docker Hub, AWS ECR, GCR, ACR (Azure), Google Artifact Registry

Private registries: v2-private registry  

- Docker Trusted Registry (DTR)

- Docker Private Registry: insecure (http), secure (auth + https).

- jfrog-artifactory

Note: Using http requires customers to manually configure their docker-engine for the registry. Qualys does not recommend using http and it's intended more for testing in dev environments.

For instrumentation support, see Container Runtime Security.

Steps for Adding Registry and Scanning

As a prerequisite you must install the registry sensor on a docker host which has access to the registry to pull images to scan.

Docker host configuration

Docker version - 1.12 or later.

Disk space on docker host - Minimum 20 GB of free space on the partition where docker is installed. This is required to scan registry images. Additionally, 1 GB of free space is required for persistent storage.

Connectivity - Docker host should have connectivity to the Registry to be scanned.

To validate connectivity, perform a successful docker login from the host to the Registry.

docker login <registryurl> (No protocol)

For Example,

docker login myregistry.com:5001

To download the sensor, simply go to Configurations > Sensors, and click Download Sensor. Then click Registry.

You need to append --registry-sensor or -r to the sensor install command to install the sensor for registry scan.

Download the registry sensor.

You need to add a registry in order to scan it for vulnerabilities. Go to Assets > Registries, and click New Registry.

Ensure that registry sensor deployed on the docker host is in running state.

Create a new registry.

In order to perform vulnerability analysis you need to connect to the registries using credentials. You need different types of credentials to connect to different registries. Credential types supported are Token, BasicAuth, DockerHub, AWS.

Registry creation options.

For AWS ECR, you can create a connector to connect to your AWS account.

Connector details to connect to AWS.

For GCR, you can create a GCR connector to connect to your GCP account.


 Connector details to connect to GCP.

For GCAR (Google Artifact Registry), you can create a connector to connect to your GCP account. The steps are similar to GCR except there's one additional step for providing Artifact Registry permissions.

Connector details to connect to GCP for GCAR.

For ACR (Azure), you can create a connector to connect to your Azure account.

Connector details to connect to Azure.

Make Scan Settings

Scan Type - You can choose to scan immediately (On Demand) or on an on-going basis (Automatic). On Demand scan allows you to scan repositories as well as specific images within those repositories. With Automatic scan, you can scan entire repositories at a set time every day.

Repository - You must provide the full repository path up till the last sub-directory containing the images you want to scan (except for GCR, GCAR, see below).

Tip: The following command helps you to get a list of full repository names that are part of a registry.

curl -u <username>:<password>https://<registry-url>/v2/_catalog

For GCR, the repository name should not include location information since you already provided the location under registry information. For example, the repository name should be: project-Id/repository-name

For GCAR, only the repository name is needed. We'll auto populate the full path.

Cancel - Cancel an ongoing scan by editing the registry and selecting Cancel from the Quick Actions menu of a scan job. You cannot cancel scan jobs in Error or Finished state.

Rescan - Use the Rescan option to restart an On Demand scan. You cannot restart scan jobs in Queued or Running state.

Scan settings: OnDemand or Scheduled.

Once you connect to the registry, Container Security pulls the inventory data and performs vulnerability scans on repositories and images within the registries.

Vulnerable images are listed on the Images tab.

To get the total count of vulnerable images in a registry, go to Registries tab, and click View Details in the Quick Actions Menu of a registry.

list of vulnerable images found in the registry.