Scan Images in Sonatype Nexus Registry
Table of Contents
Scan Images in Sonatype Nexus Registry
To scan a repository in Sonatype Nexus Registry, create a new registry scan setting.
Prerequisites
- You have installed a Container Defender somewhere in your environment.
- Configure the connector port for the Docker engine to connect to the Nexus registry.The Docker client needs the Docker registry exposed at the root of the host together with the port that it is accessing. Nexus offers several methods to overcome this limitation, one of which is the connector port method, which Prisma Cloud supports.
- From the Nexus web portal, select the Administration screen.
- Select the Nexus Repository.
- SelectOnlineto allow the Nexus repository to accept the incoming requests.
- Configure the Docker repository connector to use an HTTP or HTTPS port.
- The Defender can establish a connection with the Nexus registry over the connector port that you configured in the Nexus registry.Ensure that the port is open for the image to be accessed successfully.
Add a Nexus registry in Prisma Cloud
- Log in to Console, and selectCompute > Defend > Vulnerabilities > Registry.
- SelectAdd registry.
- In theAdd New Registry Setting Specification, enter the following values:
- In theVersiondrop-down list, selectSonatype Nexus.
- InRegistry, enter the hostname, or Fully Qualified Domain Name (FQDN), and the connector port for the Nexus registry’s login server.The format for the FQDN is<hostname>:<connector_port>, where<hostname>is a unique value specified when the registry was created, and the<connector_port>is the one you configured in the Nexus repository administration.Example:<http|https://<nexus_hostname>:<HTTP/HTTPS connector port for the specific Nexus repo>.
- Leave theRepositoryblank or include a pattern to match the Docker repositories inside the Nexus registry.For example: To scan all the images under a path, include thepath/tostring.
- InTag, enter an image tag. Leave this field blank to scan all images, regardless of their tag.
- InCredential, configure how Prisma Cloud authenticates with Nexus registry.Select a credential from the drop-down list.If there are no credentials in the list, clickAddto create new credentials and select the Basic authentication.
- InOS type, specify whether the repo holdsLinuxorWindowsimages.
- InScanners scope, specify the collections of defenders to use for the scan.Console selects the available Defenders from the scope to execute the scan job according to theNumber of scannerssetting. For more information, see deployment patterns.
- InNumber of scanners, enter the number of Defenders across which scan jobs can be distributed.
- InCap, limit the number of images to scan.SetCapto5to scan the five most recent images, or enter a different value to increase or decrease the limit. SetCapto0to scan all images.
- SelectAdd.
- SelectSave and scan.
View Results
Verify that the images in the repository are being scanned.
- Go toMonitor > Vulnerabilities > Images > Registries.A progress indicator at the top right of the window shows the status of the current scan. As the scan of each image is completed, the finding results display in the table.
- To get details about the vulnerabilities in an image, click on it.To force a specific repository to be scanned again, selectScanfrom the top right of the results table, then click on the specific registry to rescan.
Troubleshooting
Prisma Cloud failed to pull images from the Nexus repository
Monitor > Vulnerabilities > Images > Registries
shows the following error:
- Ensure that you have installed Defender on the host on which the Nexus registry is installed.
- Verify that you can pull the nexus registry using the docker command.
- Create a Nexus repository connector port as mentioned in the Prerequisites.
- Add a Nexus registry in Prisma Cloud using the connector port in the Registry URL.