Configure registry scans

Prisma Cloud can scan container images in both public and private repositories on both public and private registries.
The registry is a system for storing and distributing container images. The most well-known public registry is Docker Hub, although there are also registries from Amazon, Google, and others. Organizations can also set up their own internal private registries. Prisma Cloud can scan container images on all of these types of registries.
After repository scanning is configured, Prisma Cloud automatically scans images for vulnerabilities. Periodic scans are run at an interval specified in Configure > System > Scan (by default, once every 24 hours).

Deployment patterns

Registry scanning is handled by Defenders. When you configure Prisma Cloud to scan a registry, you select the scope of Defenders that will be used to perform the scan job.
Any Container Defender running on a host with the Docker Engine container runtime or container runtime interface (CRI) can scan a registry, and any number of them can simultaneously operate as registry scanners. This gives you a lot of options when you’re trying to determine how to cover disparate environments.
Select a collection of Defenders defined by hostnames or AWS tags, and the scan job will be distributed among them according to the "Number of scanners" setting. When selecting the "All" collection, you let Prisma Cloud automatically distribute the scan job across all available Defenders.
In general, you should configure Prisma Cloud with a large scope of Defenders, because it reduces operational complexity and improves resiliency. At scan time, Prisma Cloud enumerates the available Defenders according to your scope, manages the resource pool, and handles issues such as restarting partially completed jobs. If you explicitly select one or two Defenders to handle scanning, the hosts where these Defenders run are a single point of failure. If a host fails or gets destroyed, you have to reconfigure your scan settings with different Defenders.
Registry scanning is scoped by OS type. Windows Defenders can only scan Windows images, and Linux Defenders can only scan Linux images.
If you remove an image from the registry, or the registry becomes unavailable, Prisma Cloud retains the scan results for the number of days configured under Manage > System > Scan > Registry scan results. After that number of days, the scan results are purged.

Registry scan settings

Each rule has the following parameters, although the parameters can vary according to registry type. For step-by-step instructions for a registry from a specific vendor, see the appropriate registry-specific guide.
Specify the type of registry to scan.
  • If you do not find your vendor’s registry in the drop-down list, try Docker Registry v2. Most vendors comply with the Docker Registry version 2 API.
Specify the URL for t