Scan images on Artifactory Docker Registry

Artifactory is a service for hosting and distributing container images. Artifactory lets you segment the service by repository key, so that you can allocate dedicated registries per project, team, or any other facet. Repositories can be accessed with the Docker client. A repository is a collection of related images, versioned by tag.
Artifactory lets you configure how images in the repository are accessed with a setting called the Docker Access Method. Prisma Cloud supports the subdomain method and the repository method. The port method is not supported.
In the subdomain model, the repository is accessed through a reverse proxy. Each Docker repository is individually addressed by a unique value, known as the repository key, positioned in the subdomain of the registry’s URL.
$ docker {pull|push} <REPOSITORY_KEY>.art.example.com/<IMAGE>:<TAG>
In the repository path model, each repository can be directly addressed. The repository key is part of the path to the image repo.
$ docker {pull|push} art.example.com:443/<REPOSITORY_KEY>/<IMAGE>:<TAG>
JFrog recommends the subdomain method for production environments. The repository path method is suitable for small test setups and proofs of concept.

Configuring Prisma Cloud to scan images in your registry

To scan images in a JFrog Artifactory Docker registry (on-prem/self-hosted version only), create a new registry scan setting. You have two options for setting up your scan on Prisma Cloud:
1) Autodiscover and scan all images in all repos across the Artifactory service (Artifactory 6.2.0 or later). In the registry scan settings, set the version to JFrog Artifactory and set the registry address to your reverse proxy. JFrog Cloud is not supported.
2) Scan all repositories under a single repository key (subdomain method). Repository keys effectively subdivide the Artifactory service into stand-alone, fully compliant Docker v2 registries. In the registry scan settings, set the version to Docker Registry v2, and set the registry address to the full path to the "sub-registry". For example: https://<REPOSITORY_KEY>.example.com/.
Prerequisites:
You have installed a Defender somewhere in your environment.

Last downloaded date

JFrog Artifactory lets security tools download image artifacts without impacting the value for the Last Downloaded date. This is especially important when you depend on artifact metadata for purge/clean-up policies.
The Prisma Cloud scanning process no longer updates the Last Downloaded date for all manifest files of all the images in the registry.
Requirements:
  • Supported for JFrog Artifactory version 7.21.3 and later.
  • In your Prisma Cloud registry scan settings, version must be set to JFrog Artifactory. If you set version to Docker Registry v2, Prisma Cloud uses the Docker API, which doesn’t offer the same support.
The Last Downloaded date of the manifest files of the images that are eventually pulled for scanning, based on your registry scan policy, will be updated. The scan process first evaluates which images to scan by retrieving all manifest files for all images. In this phase of the scan, the Last Downloaded date is no longer impacted. In the next phase, where Prisma Cloud actually pulls an image to be scanned, the manifest file’s Last Downloaded date is updated. Often, the number of images scanned is a subset of all images in the registry, depending on your scan policy.
Just because an image has been selected for scanning doesn’t mean it will actually be pulled. If an image’s hash hasn’t changed since the last scan, it won’t be pulled again, so its Last Downloaded date is unchanged.
As part of evaluating which images should be scanned, in addition to reviewing the manifest files, Prisma Cloud also examines the actual image files. As part of examining the image files, the Last Downloaded date for those image files is updated. In the next release of Prisma Cloud, this will be fixed so that the Last Downloaded date won’t change unless the image is actually pulled and scanned.
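If your purge policy keys off Last Downloaded, it is worth checking what a scan actually touched rather than trusting the description above. The script below is an added example (not Prisma Cloud or JFrog code): it consumes the per-file statistics that Artifactory's storage API returns for an artifact (GET <artifactory>/api/storage/<repo-key>/<path>?stats, whose JSON carries lastDownloaded as epoch milliseconds and lastDownloadedBy; those field names are my understanding of the API, so verify them against your version), uses Artifactory's Docker layout of <image>/<tag>/manifest.json, and splits manifests into those the scanner pulled inside the scan window and those it left untouched. The scan window, the service account name prisma-scan, the repository key and all stats records are constructed for the example.

```python
"""Audit which image manifests a registry scan actually pulled (added example)."""
from datetime import datetime, timezone
from urllib.parse import quote


def to_ms(dt):
    """Convert an aware datetime to the epoch-millisecond form Artifactory uses."""
    return int(dt.timestamp() * 1000)


def stats_url(artifactory_base, repo_key, item_path):
    """Build the storage-stats URL for one artifact, e.g. a tag's manifest.json."""
    return f"{artifactory_base.rstrip('/')}/api/storage/{repo_key}/{quote(item_path)}?stats"


def image_ref(repo_key, item_path):
    """Map Artifactory's Docker layout <image>/<tag>/manifest.json to key/image:tag."""
    parts = item_path.split("/")
    if parts[-1] != "manifest.json" or len(parts) < 3:
        raise ValueError(f"not a manifest path: {item_path}")
    return f"{repo_key}/{'/'.join(parts[:-2])}:{parts[-2]}"


def classify_manifests(repo_key, stats, scan_start, scan_end, scanner_user):
    """Split manifests into those pulled by scanner_user inside the scan window
    and those whose Last Downloaded date the scan left alone.

    stats maps item_path -> the JSON object returned by the ?stats endpoint.
    A manifest downloaded inside the window by some other user is still
    reported as untouched by the scan, which is the question a purge policy asks.
    """
    start_ms, end_ms = to_ms(scan_start), to_ms(scan_end)
    pulled, untouched = [], []
    for item_path in sorted(stats):
        rec = stats[item_path]
        last = rec.get("lastDownloaded", 0)  # absent or 0 when never downloaded
        by = rec.get("lastDownloadedBy", "")
        ref = image_ref(repo_key, item_path)
        if start_ms <= last <= end_ms and by == scanner_user:
            pulled.append(ref)
        else:
            untouched.append(ref)
    return {"pulled": pulled, "untouched": untouched}


# Constructed scenario (assumed values): a scan job that ran 02:00-02:30 UTC on
# 2024-05-01 under a dedicated service account "prisma-scan".
SCAN_START = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)
SCAN_END = datetime(2024, 5, 1, 2, 30, tzinfo=timezone.utc)
SCANNER_USER = "prisma-scan"
REPO_KEY = "docker-local"

# Constructed ?stats responses, keyed by the manifest's path inside the repo.
SAMPLE_STATS = {
    # New tag: its hash changed, so the scanner pulled it inside the window.
    "web/1.4.0/manifest.json": {
        "downloadCount": 3,
        "lastDownloaded": to_ms(datetime(2024, 5, 1, 2, 12, tzinfo=timezone.utc)),
        "lastDownloadedBy": SCANNER_USER,
    },
    # Unchanged tag: enumerated but not pulled, so its date predates the scan.
    "web/1.3.9/manifest.json": {
        "downloadCount": 41,
        "lastDownloaded": to_ms(datetime(2024, 3, 10, 9, 5, tzinfo=timezone.utc)),
        "lastDownloadedBy": "ci-deploy",
    },
    # Downloaded inside the window, but by a deployment job, not the scanner.
    "api/2.0.0/manifest.json": {
        "downloadCount": 7,
        "lastDownloaded": to_ms(datetime(2024, 5, 1, 2, 20, tzinfo=timezone.utc)),
        "lastDownloadedBy": "ci-deploy",
    },
    # Never downloaded by anyone; a purge policy sees no activity here.
    "tools/jq/1.7/manifest.json": {"downloadCount": 0},
}


def demo():
    """Run the classification over the constructed scenario."""
    return classify_manifests(REPO_KEY, SAMPLE_STATS, SCAN_START, SCAN_END, SCANNER_USER)


if __name__ == "__main__":
    for bucket, refs in demo().items():
        print(bucket, *refs, sep="\n  ")
```

To run this against a live instance, fetch each manifest's stats with the Prisma Cloud credential (or a read-only one) from the URL that stats_url builds, for example stats_url("https://art.example.com/artifactory", "docker-local", "web/1.4.0/manifest.json"), and feed the JSON objects into classify_manifests. Filtering on lastDownloadedBy is only meaningful if the scanner has its own account, which is one more reason not to share a login with other automation.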

Grant Prisma Cloud access to your repo

When configuring Prisma Cloud to scan Artifactory as standard Docker v2 registries (i.e. in your scan configuration, you’ve set Version to Docker Registry v2), Prisma Cloud requires only standard scanning permissions.
When configuring Prisma Cloud to autodiscover and scan all images in all repos across the Artifactory service (i.e. in your scan configuration, you’ve set Version to JFrog Artifactory), Prisma Cloud requires an account with Administrator privileges (admin user). This is because some of the Artifactory APIs that Prisma Cloud uses to perform discovery require Administrator privileges. Because this is a highly privileged credential, use a dedicated service account for Prisma Cloud rather than a shared admin login.
  1. Log in to Prisma Cloud Console, then go to Manage > Authentication > Credentials Store.
  2. Click Add credential.
  3. Enter a credential name, such as JFrog Artifactory.
  4. In Type, select Basic authentication.
  5. In Username, enter a username.
  6. In Password, enter a password.
  7. Click Save.

Configure the scan

After you set up your credentials, create a new registry scan setting.
  1. Open Console, then go to Defend > Vulnerabilities > Registry.
  2. Click Add registry.
  3. In the dialog, enter the following information:
    1. From the Version drop-down list, select one of:
       • JFrog Artifactory — Autodiscover and scan all images in all repos across the Artifactory service. Only JFrog on-prem/self-hosted is supported.
       • Docker Registry v2 — Scan all images in all repos under a specific repository key.
    2. In Registry, specify the address to scan.
       • If you selected JFrog Artifactory, enter the FQDN of the reverse proxy.
       • If you selected Docker Registry v2, enter the FQDN, including subdomain, of the sub-registry.
    3. In Repository, specify the repository to scan.
       If you leave this field blank or enter a wildcard, Prisma Cloud finds and scans all repositories in the registry.
       If you specify a partial string that ends with a wildcard, Prisma Cloud finds and scans all repositories that start with the partial string.
       If you specify an exact match, Prisma Cloud scans just the specified repository.
    4. In Repository types, select the repository types that Prisma Cloud should scan. This setting is available only when Version is set to JFrog Artifactory. Specify at least one repository type (local, remote, virtual).
    5. In Tag, specify the tags to scan. The same matching rules apply as for Repository.
    6. In Credential, select the JFrog Artifactory credentials you created.
    7. In OS type, specify whether the repo holds Linux or Windows images.
    8. In Scanners scope, specify the collections of Defenders to use for the scan. Console selects the available Defenders from the scope to execute the scan job according to the Number of scanners setting. For more information, see deployment patterns.
    9. In Number of scanners, enter the number of Defenders across which scan jobs can be distributed.
    10. In Cap, set the maximum number of images to scan. Cap specifies the maximum number of images to scan in the given repository, sorted according to last modified date. To scan all images in a repository, set Cap to 0. For a complete explanation of Cap, see the table in registry scan settings.
    11. Click Add.
  4. Click the Save button.
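Before saving a setting, it helps to predict which images the Repository, Tag and Cap fields will actually cover. The script below is an added example, not Prisma Cloud's own matching code: it models the rules as the steps above describe them (blank or "*" matches everything, a pattern ending in "*" matches names that start with the prefix, anything else must match exactly; Cap keeps the N most recently modified images per repository, with 0 meaning no limit) and applies them to a constructed catalog. Cases the documentation does not describe, such as a wildcard in the middle of a pattern, are rejected rather than guessed, and the catalog, repository names and timestamps are invented for the example.

```python
"""Dry-run the scope of a registry scan setting (added example)."""
from datetime import datetime, timezone


def matches(pattern, name):
    """Apply the documented matching rules for the Repository and Tag fields."""
    pattern = pattern.strip()
    if pattern in ("", "*"):
        return True
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        if "*" in prefix:
            raise ValueError(f"wildcard placement not covered by the docs: {pattern!r}")
        return name.startswith(prefix)
    if "*" in pattern:
        raise ValueError(f"wildcard placement not covered by the docs: {pattern!r}")
    return name == pattern


def select_images(catalog, repo_pattern, tag_pattern, cap):
    """Return the image:tag references a scan setting would cover.

    catalog maps repository name -> {tag: last-modified datetime}. Repositories
    are visited in name order; within each, images are ordered newest first and
    truncated to cap when cap is positive (0 means scan every matching image).
    """
    if cap < 0:
        raise ValueError("cap must be 0 (no limit) or a positive count")
    selected = []
    for repo in sorted(catalog):
        if not matches(repo_pattern, repo):
            continue
        tags = [(t, ts) for t, ts in catalog[repo].items() if matches(tag_pattern, t)]
        tags.sort(key=lambda item: item[1], reverse=True)
        if cap:
            tags = tags[:cap]
        selected.extend(f"{repo}:{t}" for t, _ in tags)
    return selected


def _utc(*ymdhm):
    return datetime(*ymdhm, tzinfo=timezone.utc)


# Constructed catalog for one sub-registry (assumed names and dates). Against a
# real registry, build it from /v2/_catalog, /v2/<name>/tags/list and each
# manifest's last-modified time (for Artifactory, lastModified from the storage API).
CATALOG = {
    "team-a/web": {
        "1.4.0": _utc(2024, 5, 1, 2, 0),
        "1.3.9": _utc(2024, 4, 20, 8, 0),
        "latest": _utc(2024, 5, 2, 9, 30),
    },
    "team-a/api": {"2.0.0": _utc(2024, 4, 30, 17, 0)},
    "team-b/worker": {"0.9": _utc(2024, 3, 1, 12, 0)},
}


def demo_everything():
    """Blank Repository and Tag, Cap 0: every image in the registry."""
    return select_images(CATALOG, "", "", 0)


def demo_prefix():
    """Repository "team-a/*" with Tag "1.*": only team-a's 1.x tags."""
    return select_images(CATALOG, "team-a/*", "1.*", 0)


def demo_capped():
    """Exact repository with Cap 2: the two most recently modified images."""
    return select_images(CATALOG, "team-a/web", "", 2)


if __name__ == "__main__":
    for fn in (demo_everything, demo_prefix, demo_capped):
        print(fn.__doc__, *fn(), sep="\n  ")
```

Note that an exact Repository value is not a prefix: "team-a/web" does not cover "team-a/webhook", so a team that relies on exact names has to add a setting for every new repository, whereas "team-a/*" picks up new ones automatically.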

Results

Verify that the images in the repository are being scanned.