: Scan Images in Sonatype Nexus Registry

Scan Images in Sonatype Nexus Registry

Table of Contents

Scan Images in Sonatype Nexus Registry

To scan a repository in Sonatype Nexus Registry, create a new registry scan setting.


  • You have installed a Container Defender somewhere in your environment.
  • Configure the connector port for the Docker engine to connect to the Nexus registry.
    The Docker client needs the Docker registry exposed at the root of the host together with the port that it is accessing. Nexus offers several methods to overcome this limitation, one of which is the connector port method, which Prisma Cloud supports.
    1. From the Nexus web portal, select the Administration screen.
    2. Select the Nexus Repository.
    3. Select
      to allow the Nexus repository to accept the incoming requests.
    4. Configure the Docker repository connector to use an HTTP or HTTPS port.
  • The Defender can establish a connection with the Nexus registry over the connector port that you configured in the Nexus registry.
    Ensure that the port is open for the image to be accessed successfully.

Configure a Nexus Registry in Prisma Cloud

  1. Log in to Console, and select 
    Compute > Defend > Vulnerabilities > Images > Registry settings
  2. Select
    Add registry
  3. In the
    Add New Registry Setting Specification
    , enter the following values:
    1. In the
      drop-down list, select 
      Sonatype Nexus
    2. In
      , enter the hostname, or Fully Qualified Domain Name (FQDN), and the connector port for the Nexus registry’s login server.
      The format for the FQDN is
      , where
      is a unique value specified when the registry was created, and the
      is the one you configured in the Nexus repository administration.
      <http|https://<nexus_hostname>:<HTTP/HTTPS connector port for the specific Nexus repo>
    3. Leave the
      blank or include a pattern to match the Docker repositories inside the Nexus registry.
      For example: To scan all the images under a path, include the
    4. Optionally enter the Repositories to exclude them from being scanned.
    5. In
      , enter an image tag. Leave this field blank to scan all images, regardless of their tag.
    6. Optionally, enter Tags to exclude, to avoid scanning images with specified tags.
    7. In
      , configure how Prisma Cloud authenticates with Nexus registry.
      Select a credential from the drop-down list.
      If there are no credentials in the list, 
      new credentials and select the Basic authentication.
    8. You can optionally enter a custom
      CA certificate
      in PEM format for Prisma Cloud to validate the Nexus registry.
      Custom CA certificate validation is supported only for non-Docker nodes (e.g. OpenShift).
      Ensure that the Custom CA certificate that you use is not revoked by the issuing authority.
    9. In
      OS type
      , specify whether the repo holds
    10. In
      Scanners scope
      , specify the collections of defenders to use for the scan.
      Console selects the available Defenders from the scope to execute the scan job according to the
      Number of scanners
      setting. For more information, see deployment patterns.
    11. In
      Number of scanners
      , enter the number of Defenders across which scan jobs can be distributed.
    12. In
      , limit the number of images to scan.
      to scan the five most recent images, or enter a different value to increase or decrease the limit. Set
      to scan all images.
  4. Select
    Add and scan
    Verify that the images in the repository are being scanned under
    Monitor > Vulnerabilities > Images > Registries


  1. Ensure that you have installed Defender on the host on which the Nexus registry is installed.
  2. Verify that you can pull the nexus registry using the docker command.
  3. Create a Nexus repository connector port as mentioned in the Prerequisites.
  4. Configure a Nexus Registry in Prisma Cloud using the connector port in the Registry URL.

Recommended For You