Document:Prisma Cloud Compute Edition Administrator’s Guide

IBM Cloud Container Registry

Download PDF

Filter

Welcome
- Releases
- Getting started
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System requirements
- Prisma Cloud container images
- Onebox
- Kubernetes
- OpenShift
- OpenShift
- Console on Fargate
- Docker Swarm
- Amazon ECS
- Windows
- Defender types
- Install Defender
Upgrade
- Support lifecycle for connected components
- Prisma Cloud’s backward compatibility and upgrade process
- Upgrade Onebox
- Kubernetes
- OpenShift
- Helm charts
- Docker Swarm
- Amazon ECS
- Manually upgrade single Container Defenders
- Manually upgrade Defender DaemonSets
- Manually upgrade Defender DaemonSets (Helm)
- Manually upgrade Docker Swarm Defenders
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Custom certs for Console access
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Configure custom certs from a predefined directory
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire settings
Authentication
- Logging into Prisma Cloud
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
- Use custom certificates for authorization
- Credentials store
Vulnerability management
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure registry scans
- Registry scanning
  - Scan images in Alibaba Cloud Container Registry
  - Amazon EC2 Container Registry (ECR)
  - Azure Container Registry (ACR)
  - Docker Registry v2
  - Google Container Registry (GCR)
  - Harbor
  - IBM Cloud Container Registry
  - Scan images on Artifactory Docker Registry
  - OpenShift integrated Docker registry
  - Trigger registry scans with webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Vulnerability risk tree
- Detect vulnerabilities in unpackaged software
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan Fargate tasks
- Troubleshoot vulnerability detection
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- Docker Enterprise DISA STIG
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- Fargate scanning
- Detect secrets
- Cloud discovery
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for App-Embedded
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Event Aggregation
- Image analysis sandbox
- Incident Explorer
- Incident types
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploying WAAS
- Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API observations
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Log Scrubbing
- WAAS Troubleshooting
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts
- ServiceNow alerts
- Slack Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan images with twistcli
- Scan code repos with twistcli
- Install Console with twistcli
- Update the Intelligence Stream in offline environments
Deployment patterns
- Projects
- Migration options for scale projects
- Best practices for DNS and certificate management
- Disk capacity
- Migrating to a SaaS Console
- Performance planning
- Automated deployment
- High Availability and Disaster Recovery guidelines
API
Howto
- Configure an AWS Classic Load Balancer for ECS
- Configure the load balancer type for AWS EKS
- Configure Prisma Cloud Console’s listening ports
- Provision tenant projects in OpenShift
- Disable automatic learning
- Debug data

IBM Cloud Container Registry

Scan IBM Cloud Container Registry.

Scan images in IBM Cloud Container Registry

To scan a repository on IBM Cloud Container Registry, create a new registry scan setting.

Prerequisites:
You have installed a Defender somewhere in your environment.

Open Console

Set up credentials so that Prisma Cloud can access the images in your registry.

Go to Manage > Authentication > Credentials Store
.

Click Add credential
.

Enter a name.

In Type
, select IBM Cloud
.

In Account GUID
, enter the GUID for your IBM Cloud account. See the IBM Cloud Docs to learn how to get the GUID of an account

In API Key
, enter your API key. See the IBM Cloud Docs to learn how to create a service ID for Prisma Cloud, and then create an API key for the service ID.

Click Save
.

Go to Defend > Vulnerabilities > Images > Registry settings
.

Click Add registry
.

In the dialog, enter the following information:

From the Version
drop-down list, select IBM Cloud Container Registry
.

In Registry
, enter the registry address for your region.

For example, if you use the us-south registry, enter registry.ng.bluemix.net
.

In Namespace
, enter the namespace for your image.

For images in private registries, this field is mandatory. For images in IBM’s public registry, leave this field blank. Wildcards are not supported for this field.

IBM provides namespaces to help you organize your registries. Namespaces are appended to the registry URL as follows: registry.<REGION>.bluemix.net/<NAMESPACE>

In Repository name
, specify the repository to scan.

If you leave this field blank or enter a wildcard, Prisma Cloud finds and scans all repositories in the registry.

If you specify a partial string that ends with a wildcard, Prisma Cloud finds and scans all repositories that start with the partial string.

If you specify an exact match, Prisma Cloud scans just the specified repository.

In Tag
, enter an image tag.

If you leave this field blank or enter a wildcard, Prisma Cloud finds and scans all images in the repository.

If you specify a partial string that ends with a wildcard, Prisma Cloud finds and scans all images that match the partial tag.

If you specify an exact match, Prisma Cloud scans just the specified image with specified tag.

In Credential
, select the credential you just created.

In OS type
, specify whether the repo holds Linux
or Windows
images.

In Scanners scope
, specify the collections of defenders to use for the scan.

Console selects the available Defenders from the scope to execute the scan job according to the Number of scanners
setting. For more information, see deployment patterns.

In Number of scanners
, enter the number of Defenders across which scan jobs can be distributed.

Cap
the number of images to scan.

Specify the maximum number of images to scan in the given repository, sorted according to last modified date. To scan all images in a repository, set Cap
to 0. For a complete explanation of Cap
, see the table in registry scan settings.

Click Add
.

Click the Save
button.

Results

Verify that the images in the repository are being scanned.

Go to Monitor > Vulnerabilities > Images > Registries
.

A progress indicator at the top right of the window shows the status of the current scan. As the scan of each image is completed, its findings are added to the results table.

To get details about the vulnerabilities in an image, click on it.

To force a specific repository to be scanned again, select Scan
from the top right of the results table, then click on the specific registry to rescan.

Document:Prisma Cloud Compute Edition Administrator’s Guide

IBM Cloud Container Registry

Table of Contents

IBM Cloud Container Registry

Scan images in IBM Cloud Container Registry

Results

Most Popular