1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Vulnerability management
    6. Registry scanning
    7. Scan images on Artifactory Docker Registry
    End-of-Life (EoL)

    Scan images on Artifactory Docker Registry

    Artifactory is a service for hosting and distributing container images. Artifactory lets you segment the service by repository key, so that you can allocate dedicated registries per project, team, or any other facet. Repositories can be accessed with the Docker client. A repository is a collection of related images, versioned by tag.
    Artifactory lets you configure how images in the repository are accessed with a setting called the Docker Access Method. Prisma Cloud supports the subdomain method and the repository method. The port method is not supported.
    In the subdomain model, the repository is accessed through a reverse proxy. Each Docker repository is individually addressed by a unique value, known as the repository key, positioned in subdomain of the registry’s URL.
    $ docker {pull|push} <REPOSITORY_KEY>.art.example.com/<IMAGE>:<TAG>
    In the repository path model, each repository can be directly addressed. The repository key is part of the path to the image repo.
    $ docker {pull|push} art.example.com:443/<REPOSITORY_KEY>/<IMAGE>:<TAG>
    Artifactory recommends that the subdomain method be used for production environments. The repository model is suitable for small test setups and proof of concepts.

    Configuring Prisma Cloud to scan images in your registry

    To scan images in a JFrog Artifactory Docker registry, create a new registry scan setting. You have a couple of options for setting up your scan.
    1) Prisma Cloud can autodiscover and scan all images in all repos across the Artifactory service for versions of Artifactory greater than or equal to 6.2.0. In the registry scan settings, set the version to
    JFrog Artifactory
     and set the registry address to your reverse proxy.
    2) Scan all repositories under a registry key. Registry keys effectively subdivide the Artifactory service into stand-alone fully-compliant Docker v2 registries. In the registry scan settings, set the version to
    Docker Registry v2
    , and set the registry address to the full path to the "sub-registry". For example: https://<REPOSITORY_KEY>.example.com/.
    Prerequisites:
     You have installed a Defender somewhere in your environment.

    Grant Prisma Cloud access to your repo

    To scan Artifactory registries, Prisma Cloud requires a privileged service account.
    1. Log in Prisma Cloud Console, then go to
      Manage > Authentication > Credentials Store
      .
    2. Click
      Add credential
      .
    3. Enter a credential name, such as
      JFrog Artifactory
      .
    4. In
      Type
      , select
      Basic authentication
      .
    5. In
      Username
      , enter a username.
    6. In
      Password
      , enter a password.
    7. Click
      Save
      .

    Configure the scan

    After you set up your credentials, create a new registry scan setting.
    1. Open Console, then go to
      Defend > Vulnerabilities > Registry
      .
    2. Click
      Add registry
      .
    3. In the dialog, enter the following information:
      1. From the
        Version
         drop-down list, select one of:
        • JFrog Artifactory
           — Autodiscover and scan all images in all repos across the Artifactory service.
        • Docker Registry v2
           — Scan all images in all repos under a specific repository key.
      2. In
        Registry
        , specify the address to scan.
        • If you selected
          JFrog Artifactory
          , enter the FQDN of the reverse proxy.
        • If you selected
          Docker Registry v2
          , enter the FQDN, including subdomain, of the sub-registry.
      3. In
        Repository
        , specify the repository to scan.
        If you leave this field blank or enter a wildcard, Prisma Cloud finds and scans all repositories in the registry.
        If you specify a partial string that ends with a wildcard, Prisma Cloud finds and scans all repositories that start with the partial string.
        If you specify an exact match, Prisma Cloud scans just the specified repository.
      4. In
        Repository types
        , select the repository types that Prisma Cloud should scan.
        This setting is available only when
        Version
         is set to
        JFrog Artifactory
        . Specify at least one registry type (local, remote, virtual).
      5. Do the same with the
        Tag
         field.
      6. In
        Credential
        , select the JFrog Artifactory credentials you created.
      7. In
        OS type
        , specify whether the repo holds
        Linux
         or
        Windows
         images.
      8. In
        Scanners scope
        , specify the collections of defenders to use for the scan.
        Console selects the available Defenders from the scope to execute the scan job according to the
        Number of scanners
         setting. For more information, see deployment patterns.
      9. In
        Number of scanners
        , enter the number of Defenders across which scan jobs can be distributed.
      10. Cap
         the number of images to scan.
        Cap
         specifies the maximum number of images to scan in the given repository, sorted according to last modified date. To scan all images in a repository, set
        Cap
         to 0. For a complete explanation of
        Cap
        , see the table in registry scan settings.
      11. Click
        Add
        .
    4. Click the
      Save
       button.

    Results

    Verify that the images in the repository are being scanned.
    1. Go to
      Monitor > Vulnerabilities > Images > Registries
      .
      A progress indicator at the top right of the window shows the status of the current scan. As the scan of each image is completed, its findings are added to the results table.
    2. To get details about the vulnerabilities in an image, click on it.
      To force a specific repository to be scanned again, select
      Scan
       from the top right of the results table, then click on the specific registry to rescan.

    Troubleshooting

    If Artifactory is deployed as an insecure registry, Defender cannot pull images for scanning without first configuring an exception in the Docker daemon configuration. Specify the URL of the insecure registry on the machine where the registry scanning Defender runs, then restart the Docker service. For more information, see the Docker documentation.

    Recommended For You