Configure registry scans
Prisma Cloud can scan container images in both public and private repositories on both public and private registries.
The registry is a system for storing and distributing container images. The most well-known public registry is Docker Hub, although there are also registries from Amazon, Google, and others. Organizations can also set up their own internal private registries. Prisma Cloud can scan container images on all of these types of registries.
After registry scanning is configured, Prisma Cloud automatically scans images for vulnerabilities. Periodic scans run at the interval specified in Configure > System > Scan (by default, once every 24 hours).
Registry scanning is handled by Defenders. When you configure Prisma Cloud to scan a registry, you select the scope of Defenders that perform the scan job.
Any Container Defender running on a host with the Docker Engine container runtime or a container runtime interface (CRI) runtime can scan a registry, and any number of them can operate as registry scanners simultaneously. This gives you many options for covering disparate environments.
Select a collection of Defenders defined by hostnames or AWS tags, and the scan job is distributed among them according to the Number of scanners setting. When you select the All collection, Prisma Cloud distributes the scan job across all available Defenders.
In general, you should configure Prisma Cloud with a large scope of defenders, because it reduces operational complexity and improves resiliency. At scan-time, Prisma Cloud enumerates the available Defenders according to your scope, manages the resource pool, and handles issues such as restarting partially completed jobs. If you explicitly select one or two defenders to handle scanning, the hosts where these Defenders run are a single point of failure. If the host fails, or gets destroyed, you have to reconfigure your scan settings with different Defenders.
Registry scanning is scoped by OS type. Windows Defenders can only scan Windows images, and Linux Defenders can only scan Linux images.
If you remove an image from the registry, or the registry becomes unavailable, Prisma Cloud maintains the scan results according to your setup under Manage > System > Scan > Registry scan results. After the specified number of days, the scan results are purged.
Registry scan settings
Each rule has the following parameters, although the parameters can vary according to registry type. For step-by-step instructions for a registry from a specific vendor, see the appropriate registry-specific guide.
Specify the type of registry to scan.
Specify the URL for the registry.
Docker Hub: leave this field blank.
Harbor: specify the FQDN of your Harbor registry (https://).
Docker Hub: To specify an official Docker repository, enter library/, followed by the short string used to designate the repo. For example, to scan the images in the official Alpine Linux repository, enter library/alpine.
To specify non-official repositories, enter the user name or organization name, followed by a slash, followed by the name of the repo. For example, to specify the alpine repository in onescience's account, enter onescience/alpine.
To scan all repos from a user or organization, simply enter the user or organization name, followed by a wildcard (*). For example, to scan all repos created by onescience, enter onescience*.
Harbor: Enter the name of the repository, followed by a wildcard (*). For example, to scan repository library, enter library*.
Any Docker Registry version 2 API compliant registry: Docker Hub, Docker Registry, and Alibaba Container Registry all support the Docker Registry version 2 API.
Specify an image tag. Leave this field blank to scan all tags (limited by the value in Cap).
Specify the credentials required to access the registry. If the credentials have already been created in the Prisma Cloud credential store, select them. If not, click
Public repositories on public registries (such as Docker Hub): Leave this field blank. No credentials are required.
AWS EC2 Container Registry: Use the IAM access keys for authentication. For more information, see Amazon EC2 Container Registry (ECR).
Google Container Registry: Use the service account and JSON token. For more information, see Google Container Registry (GCR).
Harbor Registry: Create a Basic authentication credential. Credentials for Harbor can be a
Specify whether the image is built on a Windows or Linux base OS.
Select collections of Defenders to scan this registry.
Only Linux Defenders can scan Linux container images, and only Windows Defenders can scan Windows container images. App-Embedded Defenders can’t be used for registry scanning.
Number of scanners
Number of Defenders from the scope across which the scan job can be distributed. Increase the number of Defenders to increase throughput and reduce scan time.
Specify the maximum number of images to scan in the given repository, sorted according to last modified date. That is, the most recently modified image in each repository is scanned first, followed by the image next most recently modified, and so on.
The Docker Registry API does not support directly querying for the most recently updated images. To handle your CAP setting, Prisma Cloud first polls the registry for all tags and manifests in the given repository to discover the last updated dates. This is a low overhead operation because images do not need to be downloaded. Prisma Cloud then sorts the results by date, and then scans the most recently updated images in each repository up to the limit specified by CAP. Even when CAP is set to a low number, you might still notice the Prisma Cloud UI polling the registry for data about the images in the repository.
To scan all images in a repository, set CAP to 0.
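The discovery step described above, as an added example that is not Prisma Cloud's code: it walks the Docker Registry v2 API for one repository (the tags list once, then one manifest and one small config blob per tag) to recover each tag's creation date, sorts newest first, and applies Cap. No layer blobs are fetched, which is the point of the text about low overhead. The registry is simulated with constructed responses and an injected `fetch` callable so the block runs offline; `parse_created`, `tag_dates`, `newest_tags`, `FAKE_REGISTRY` and the `sha256:aaa`-style digests are the example's own names and placeholders, not real content hashes.

```python
"""Discover the last-modified date of every tag in a repository using only
the Docker Registry v2 API, then order and cap the result.

Added example, not Prisma Cloud code. `fetch` is a callable
(path, headers) -> body that is injected so the example runs offline
against constructed responses; against a real registry it would be an
authenticated HTTP GET. The API paths and document shapes used here are
standard Registry v2 behaviour.
"""
import json
from datetime import datetime, timezone

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
MANIFEST_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"


def parse_created(created):
    """Parse an image config 'created' field. Docker writes RFC 3339 with
    nanosecond fractions, which strptime rejects, so the fraction is dropped."""
    base = created.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def tag_dates(fetch, repo):
    """Return {tag: created datetime} for every tag in `repo`.

    Per tag this costs one manifest GET and one config blob GET (a few KB).
    Layers are never downloaded, so the discovery pass stays cheap even when
    Cap is set low and most of the discovered tags will not be scanned.
    """
    tags = json.loads(fetch(f"/v2/{repo}/tags/list", {}))["tags"]
    dates = {}
    for tag in tags:
        accept = {"Accept": f"{MANIFEST_V2}, {MANIFEST_LIST}"}
        manifest = json.loads(fetch(f"/v2/{repo}/manifests/{tag}", accept))
        if "manifests" in manifest:
            # Multi-arch index: follow one platform manifest by digest. A real
            # scanner would pick the platform matching the Defender's OS/arch.
            child = manifest["manifests"][0]["digest"]
            manifest = json.loads(fetch(f"/v2/{repo}/manifests/{child}", {"Accept": MANIFEST_V2}))
        config_digest = manifest["config"]["digest"]
        config = json.loads(fetch(f"/v2/{repo}/blobs/{config_digest}", {}))
        dates[tag] = parse_created(config["created"])
    return dates


def newest_tags(dates, cap):
    """Tags sorted newest first and truncated to `cap`; Cap 0 means all."""
    ordered = sorted(dates, key=lambda t: dates[t], reverse=True)
    return ordered if cap == 0 else ordered[:cap]


# Constructed fake registry for the example: path -> JSON body. The digests
# are placeholders, not real content hashes.
CONFIG_MT = "application/vnd.docker.container.image.v1+json"
FAKE_REGISTRY = {
    "/v2/onescience/alpine/tags/list": {"name": "onescience/alpine", "tags": ["3.18", "3.19", "edge"]},
    "/v2/onescience/alpine/manifests/3.18": {
        "schemaVersion": 2, "mediaType": MANIFEST_V2, "layers": [],
        "config": {"mediaType": CONFIG_MT, "size": 1470, "digest": "sha256:aaa"}},
    "/v2/onescience/alpine/manifests/3.19": {
        "schemaVersion": 2, "mediaType": MANIFEST_V2, "layers": [],
        "config": {"mediaType": CONFIG_MT, "size": 1472, "digest": "sha256:bbb"}},
    # 'edge' is a multi-arch index pointing at a per-platform manifest.
    "/v2/onescience/alpine/manifests/edge": {
        "schemaVersion": 2, "mediaType": MANIFEST_LIST,
        "manifests": [{"mediaType": MANIFEST_V2, "size": 528, "digest": "sha256:ccc-manifest",
                       "platform": {"os": "linux", "architecture": "amd64"}}]},
    "/v2/onescience/alpine/manifests/sha256:ccc-manifest": {
        "schemaVersion": 2, "mediaType": MANIFEST_V2, "layers": [],
        "config": {"mediaType": CONFIG_MT, "size": 1480, "digest": "sha256:ccc"}},
    "/v2/onescience/alpine/blobs/sha256:aaa": {"created": "2023-11-30T09:12:03.123456789Z", "os": "linux"},
    "/v2/onescience/alpine/blobs/sha256:bbb": {"created": "2024-01-27T00:30:48Z", "os": "linux"},
    "/v2/onescience/alpine/blobs/sha256:ccc": {"created": "2024-02-14T17:05:00Z", "os": "linux"},
}


def fake_fetch(path, headers):
    """Stand-in for an authenticated GET against the registry."""
    return json.dumps(FAKE_REGISTRY[path])


if __name__ == "__main__":
    dates = tag_dates(fake_fetch, "onescience/alpine")
    print(newest_tags(dates, 2))  # ['edge', '3.19']
```

Docker Hub's own web API exposes a last_updated field per tag, but the Registry v2 API that Prisma Cloud uses against arbitrary registries does not, so the manifest-then-config walk above is the only way to learn when an image was built; it is also why the UI appears to poll every tag even when Cap is small.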
Version matching pattern
Customize sort order by values in the image tag. Specify a pattern from which a version or date can be extracted from the image tag. There are two use cases for specifying version matching patterns:
Specify patterns with strings, wildcards, timedate elements, and integers.
For image tags that match the pattern, the tag is split into its constituent parts. After all image tags are parsed, they’re ordered and capped according to the value set in Cap.
Ordering is best-effort. Tags that don’t conform to the pattern are ignored.
If both a date and a version are specified in your pattern, the date takes precedence.
If the version matching pattern is left unspecified, Prisma Cloud orders images by last modified date.
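A worked illustration of the ordering rules above (tags matched against a pattern, date ranked before version, non-conforming tags ignored, Cap applied, and the last-modified fallback when no pattern is set), added here and not taken from Prisma Cloud. The pattern mini-language used in the code (`*` as a wildcard, `<int>` for an integer version component, `<date:FORMAT>` for a strftime-style date element) is an assumption made for the example; Prisma Cloud's own pattern syntax is documented in its UI and may differ. The tag list and its timestamps are constructed.

```python
"""Order image tags by a version matching pattern, then apply Cap.

Added example, not Prisma Cloud code. The pattern syntax below is an
assumption for illustration: literal text, '*' as a wildcard, '<int>' for
an integer version component and '<date:FORMAT>' for a strftime-style date
element. Prisma Cloud's real pattern syntax may differ.
"""
import re
from datetime import datetime

TOKEN = re.compile(r"<int>|<date:([^>]+)>|\*")

# strftime fields we translate into a digit shape for the regex.
_DATE_FIELDS = {"%Y": r"\d{4}", "%y": r"\d{2}", "%m": r"\d{2}", "%d": r"\d{2}",
                "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}"}


def _date_regex(fmt):
    """Regex matching the digit layout of a strftime format such as %Y%m%d."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and fmt[i:i + 2] in _DATE_FIELDS:
            out.append(_DATE_FIELDS[fmt[i:i + 2]])
            i += 2
        else:
            out.append(re.escape(fmt[i]))
            i += 1
    return "".join(out)


def compile_pattern(pattern):
    """Return (anchored regex, elements). Each capturing group corresponds to
    one element: ('int', None) or ('date', fmt). Wildcards capture nothing."""
    parts, elements, pos = [], [], 0
    for m in TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        tok = m.group(0)
        if tok == "<int>":
            parts.append(r"(\d+)")
            elements.append(("int", None))
        elif tok == "*":
            parts.append(r".*?")
        else:
            fmt = m.group(1)
            parts.append("(" + _date_regex(fmt) + ")")
            elements.append(("date", fmt))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$"), elements


def sort_key(tag, regex, elements):
    """(date, version tuple) for a conforming tag, else None. Date comes first
    in the tuple so it takes precedence over version when both are present."""
    m = regex.match(tag)
    if not m:
        return None
    date, version = None, []
    for value, (kind, fmt) in zip(m.groups(), elements):
        if kind == "int":
            version.append(int(value))
        else:
            try:
                date = datetime.strptime(value, fmt)
            except ValueError:
                return None  # right digit shape, but not a real date (e.g. month 13)
    return (date or datetime.min, tuple(version))


def order_tags(tags, pattern=None, cap=0):
    """tags: {tag: last_modified datetime} as discovered from the registry.
    Returns the tags to scan, newest first, truncated to cap (0 = all)."""
    if pattern is None:
        ordered = sorted(tags, key=lambda t: tags[t], reverse=True)
    else:
        regex, elements = compile_pattern(pattern)
        keyed = {}
        for t in tags:
            k = sort_key(t, regex, elements)
            if k is not None:  # tags that don't conform to the pattern are ignored
                keyed[t] = k
        ordered = sorted(keyed, key=lambda t: keyed[t], reverse=True)
    return ordered if cap == 0 else ordered[:cap]


# Constructed sample: tag -> registry last-modified time. Note that push
# order and in-tag build dates deliberately disagree.
TAGS = {
    "v1.2.0-20240105": datetime(2024, 1, 6),
    "v1.10.0-20240105": datetime(2024, 1, 5),   # same build date, higher version
    "v1.3.0-20231220": datetime(2024, 2, 1),    # rebuilt recently, older in-tag date
    "latest": datetime(2024, 2, 2),             # does not match the pattern
    "v1.4.0-20241340": datetime(2024, 1, 1),    # date-shaped but invalid
}

if __name__ == "__main__":
    print(order_tags(TAGS, "v<int>.<int>.<int>-<date:%Y%m%d>", cap=2))
```

Two things the sample is arranged to show: with a date in the pattern, v1.3.0-20231220 drops to the bottom even though it was pushed most recently, and v1.4.0-20241340 is silently skipped because month 13 fails to parse, which is what "ordering is best-effort" amounts to in practice. With no pattern the same tags fall back to plain last-modified order and `latest` is included again.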