Prisma Cloud Compute Edition Administrator’s Guide
    : Scan Images in JFrog Artifactory Docker Registry
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Vulnerability management
    6. Registry scanning
    7. Scan Images in JFrog Artifactory Docker Registry
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Scan Images in JFrog Artifactory Docker Registry

    Table of Contents

    Scan Images in JFrog Artifactory Docker Registry

    An Artifactory Docker registry is a hosted collection of Docker repositories, that you can access transparently with Docker client. JFrog Artifactory provides both Cloud (SaaS) and Self-hosted (On-prem) versions.
    Artifactory lets you configure how images in the repository are accessed with a setting called the Docker Access Method.
    Prisma Cloud supports the subdomain method and the repository method. The ports method is not supported.
    Artifactory recommends that the subdomain method be used for production environments. The repository model is suitable for small test setups and proof of concepts.
    In the subdomain model, the repository is accessed through a reverse proxy. Each Docker repository is individually addressed by a unique value, known as the repository key, positioned in the subdomain of the registry’s URL.
    In the repository path model, each repository can be directly addressed. The repository key is part of the path to the image repo.
    Create a new registry scan setting to scan images in the Artifactory Docker registry.

    Configure a JFrog Artifactory Docker Registry Scan

    Prerequisites:
    • You have installed a container Defender somewhere in your environment.
    • You can connect to the Docker client and pull an image from your Artifactory registry.
    • Set up JFrog credentials with basic authentication in Credentials store and grant Prisma Cloud access to your repository in JFrog Artifactory.
    1. Log in to Console, and select
      Defend > Vulnerabilities > Images > Registry settings
      .
    2. Select
      Add registry
      .
    3. In
      Add New Registry
      , enter the following values:
      1. In
        Version
        , select one of:
        JFrog Artifactory
         - Auto-discover and scan all images in all repos across the Artifactory service for versions of Artifactory greater than or equal to 6.2.0.
        Docker Registry v2
         - Scan all images in all repos under a specific repository key for the subdomain method. Repository keys effectively subdivide the Artifactory service into stand-alone fully compliant Docker v2 registries.
      2. In
        Registry
        , specify the address to scan.
        If you selected
        JFrog Artifactory
        , enter the FQDN of the reverse proxy for the on-prem or Cloud registry URL of JFrog Cloud.
        If you selected
        Docker Registry v2
        , enter the FQDN, including subdomain, of the sub-registry, for example: https://<REPOSITORY_KEY>.example.com/.
      3. In
        Repository
        , specify the repository to scan.
        If you leave this field blank or enter a wildcard, Prisma Cloud finds and scans all repositories in the registry.
        If you specify a partial string that ends with a wildcard, Prisma Cloud finds and scans all repositories that start with the partial string.
        If you specify an exact match, Prisma Cloud scans just the specified repository.
      4. Optionally enter the
        Repositories to exclude
         them from being scanned.
      5. In
        Repository types
        , select the repository types that Prisma Cloud should scan.
        This setting is available only when
        Version
         is set to
        JFrog Artifactory
        . Specify at least one of the repository types (local, remote, virtual) hosted by JFrog.
        To scan only cached images in a repo, use
        virtual repo
        .
      6. Enter
        Tag
         numbers to scan, leave blank, or enter a wildcard (*) to scan all the tags.
      7. Optionally, enter
        Tags to exclude
        , to avoid scanning images with specified tags.
      8. In
        Credential
        , select the JFrog Artifactory credentials you created in the prerequisites section.
      9. You can optionally enter a custom
        CA certificate
         in PEM format for Prisma Cloud to validate the registry only for JFrog On-prem. A custom CA certificate is not applicable for JFrog Cloud, as the certificates are managed by the provider.
        However, for the JFrog Cloud webhook to trigger a registry scan for the images in JFrog Cloud, you must enter a valid and trusted certificate and not a self-signed certificate.
        Custom CA certificate validation is supported only for non-Docker nodes (such as, OpenShift).
        Only Defenders installed on CRI runtime with containerd can scan and validate the custom CA certificate. Ensure that the Custom CA certificate that you use is not revoked by the issuing authority.
        Place the CA certificate (ca.cert) file in any of the following paths. The defender searches for the certificate files in the below directories in the following precedence:
      10. In
        OS type
        , specify whether the repo holds
        Linux
         or
        Windows
         images.
      11. In
        Scanners scope
        , specify the collections of Defenders to use for the scan.
        The Console selects the available Defenders from the scope to execute the scan job according to the
        Number of scanners
         setting. For more information, see deployment patterns.
      12. In
        Number of scanners
        , enter the number of Defenders across which scan jobs can be distributed.
      13. Cap
         the number of images to scan.
        Cap
         specifies the maximum number of images to scan in the given repository, sorted according to the last modified date.
        To scan all images in a repository, set
        Cap
         to 0.
        For a complete explanation of
        Cap
        , see the table in registry scan settings.
    4. Select
      Add and scan
      .
      Verify that the images in the repository are being scanned under
      Monitor > Vulnerabilities > Images > Registries
      .

    Scan Cached Images in a Repo

    1. To only scan the cached images in a repo, use
      Repository type
       as
      virtual repo
      .
      1. artifactory.docker.cache.remote.repo.tags.and.catalog=<upstream-url>, where, <upstream url> is a single URL or a list of repository URLs that you want to configure as a remote repository.
      2. artifactory.docker.catalogs.tags.fallback.fetch.remote.cache=true. This enables all repositories that fail to get a response from the upstream to retrieve results from the cache.
    3. Restart the artifactory for the changes to take effect. Refer to the JFrog documentation here.
    4. Refresh/delete the repository.catalog file from the remote cache before running any scans.
      Starting with jFrog server > 7.41.2, new images will get updated automatically in the repository.catalog file, so there is no need to delete the file to update it.
    5. Scan the virtual repo with Prisma Cloud registry scanning.

    Last Downloaded Date

    JFrog Artifactory lets security tools download image artifacts without impacting the value for the
    Last Downloaded
     date. This is especially important when you depend on artifact metadata for purge/clean-up policies.
    The Prisma Cloud scanning process no longer updates the
    Last Downloaded
     date for all images and manifest files of all the images in the registry.
    Requirements
    :
    JFrog Artifactory version 7.21.3 and later.
    In your Prisma Cloud registry scan settings, the version must be set to
    JFrog Artifactory
    . If you set the version to
    Docker V2
    , Prisma Cloud uses the Docker API, which doesn’t offer the same support.
    "Transparent security tool scanning" is
    not
     supported for anything other than
    Local
     repositories. If you select anything other than
    Local
     in your scan configuration, including virtual repos backed by local repos, then Prisma Cloud automatically uses the Docker API to scan all repositories (local, remote, and virtual). When using Docker APIs, the
    Last Downloaded
     field in local JFrog Artifactory registries will be impacted by scanning.
    The following screenshot shows the supported configuration for this capability:
    If you’ve got a mix of local, remote, and virtual repositories, and you want to ensure that the
    Last Downloaded
     date isn’t impacted by Prisma Cloud scanning, then create separate scan configurations for local repositories and remote/virtual repositories.
    The
    Last Downloaded
     date of the image and manifest files of the images that are eventually pulled for scanning, based on your registry scan policy, will be updated. The scan process first evaluates which images to scan by retrieving all manifest files for all images. In this phase of the scan, the
    Last Downloaded
     date will no longer be impacted. In the next phase, where Prisma Cloud pulls an image to be scanned, the manifest file’s
    Last Downloaded
     date will be updated. Often, the number of images scanned will be a subset of all images in the registry, but that’s based on your scan policy.
    Just because an image has been selected for scanning, doesn’t mean that it will actually be pulled. If an image’s hash hasn’t changed, it won’t be pulled for scanning, so the
    Last Downloaded
     date will be unchanged.

    Troubleshooting

    If Artifactory is deployed as an insecure registry, Defender cannot pull images for scanning without first configuring an exception in the Docker daemon configuration. Specify the URL of the insecure registry on the machine where the registry scanning Defender runs, then restart the Docker service. For more information, see the Docker documentation.
    Failed to create docker client
    You might see the following error in the screenshot if you try to scan JFrog Cloud with the Defender version earlier than 22.12.415.
    To fix this error, update your Console and Defender equal to or higher than 22.12.415.
    Remote repository scan would either pull all images or no images
    When scanning a remote repository configured in JFrog, one of the two scenarios may occur:
    Scanning the remote repository returns and downloads the entire list of images - which results in an Out-Of-Memory error on the host. Scanning the remote repository returns no images - which returns a null list of images.
    A sample log output from the Defender logs with repository "discovered: 0":
    DEBU 2022-02-16T21:34:44.215 ws.go:432 Received message with type discoverRegistryRepos
DEBU 2022-02-16T21:34:44.215 scanner.go:246 Discovering repositories in registry [https://jm-jfrog:443]( https://jm-jfrog/)
DEBU 2022-02-16T21:34:49.354 scanner.go:277 Repository discovery completed (completed: true, discovered: 0, time: 5.14)

    Fix Out-Of-Memory or no Images Found Error

    1. Create a virtual repo in JFrog that points to the remote repository that you want to scan.
      1. Setting this to "true" means that all repositories that fail to get a response from the upstream should retrieve results from the cache.
    3. Restart the artifactory for the changes to take effect. Refer to the JFrog documentation here.
    4. Refresh/delete the repository.catalog file from the remote cache before running any scans.
    5. Go to
      Prisma Cloud Compute > Defend > Vulnerabilities > Images > Registry Settings > Registries > Add registry
      .
    6. Enter the
      Registry
       URL.
    7. Enter the
      Repository
       URL of the virtual repository that you created in JFrog.
    8. Select the
      Repository types
       as
      Virtual
      .

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.