Scan Images in Sonatype Nexus Registry
Table of Contents
Scan Images in Sonatype Nexus Registry
To scan a repository in Sonatype Nexus Registry, create a new registry scan setting.
Prerequisites
- You have installed a Container Defender somewhere in your environment.
- Configure the connector port for the Docker engine to connect to the Nexus registry.The Docker client needs the Docker registry exposed at the root of the host together with the port that it is accessing. Nexus offers several methods to overcome this limitation, one of which is the connector port method, which Prisma Cloud supports.
- From the Nexus web portal, select the Administration screen.
- Select the Nexus Repository.
- SelectOnlineto allow the Nexus repository to accept the incoming requests.
- Configure the Docker repository connector to use an HTTP or HTTPS port.
- The Defender can establish a connection with the Nexus registry over the connector port that you configured in the Nexus registry.Ensure that the port is open for the image to be accessed successfully.
Configure a Nexus Registry in Prisma Cloud
- Log in to Console, and selectCompute > Defend > Vulnerabilities > Images > Registry settings.
- SelectAdd registry.
- In theAdd New Registry Setting Specification, enter the following values:
- In theVersiondrop-down list, selectSonatype Nexus.
- InRegistry, enter the hostname, or Fully Qualified Domain Name (FQDN), and the connector port for the Nexus registry’s login server.The format for the FQDN is<hostname>:<connector_port>, where<hostname>is a unique value specified when the registry was created, and the<connector_port>is the one you configured in the Nexus repository administration.Example:<http|https://<nexus_hostname>:<HTTP/HTTPS connector port for the specific Nexus repo>.
- Leave theRepositoryblank or include a pattern to match the Docker repositories inside the Nexus registry.For example: To scan all the images under a path, include thepath/tostring.
- Optionally enter the Repositories to exclude them from being scanned.
- InTag, enter an image tag. Leave this field blank to scan all images, regardless of their tag.
- Optionally, enter Tags to exclude, to avoid scanning images with specified tags.
- InCredential, configure how Prisma Cloud authenticates with Nexus registry.Select a credential from the drop-down list.If there are no credentials in the list,Addnew credentials and select the Basic authentication.
- You can optionally enter a customCA certificatein PEM format for Prisma Cloud to validate the Nexus registry.Custom CA certificate validation is supported only for non-Docker nodes (e.g. OpenShift).Ensure that the Custom CA certificate that you use is not revoked by the issuing authority.
- InOS type, specify whether the repo holdsLinuxorWindowsimages.
- InScanners scope, specify the collections of defenders to use for the scan.Console selects the available Defenders from the scope to execute the scan job according to theNumber of scannerssetting. For more information, see deployment patterns.
- InNumber of scanners, enter the number of Defenders across which scan jobs can be distributed.
- InCap, limit the number of images to scan.SetCapto5to scan the five most recent images, or enter a different value to increase or decrease the limit. SetCapto0to scan all images.
- SelectAdd and scan.Verify that the images in the repository are being scanned underMonitor > Vulnerabilities > Images > Registries.
Troubleshooting
Prisma Cloud failed to pull images from the Nexus repository
Monitor > Vulnerabilities > Images > Registries
shows the following error:
- Ensure that you have installed Defender on the host on which the Nexus registry is installed.
- Verify that you can pull the nexus registry using the docker command.
- Create a Nexus repository connector port as mentioned in the Prerequisites.
- Configure a Nexus Registry in Prisma Cloud using the connector port in the Registry URL.