Trigger Registry Scans with Webhooks
Table of Contents
Trigger Registry Scans with Webhooks
You can use webhooks to trigger a scan when images in your registry’s repositories are added or updated.
Prisma Cloud supports webhooks for:
Prisma Cloud requires Docker Registry 2.4 or later.
Google Container Registry and Amazon Elastic Container Registry do not currently support webhooks.
For Docker Hub, you must have Automated Builds enabled for your repository.
Docker Hub webhooks are called when an image is built or a new tag is added to your automated build repository.
For Docker Private Registry, webhooks are called when manifests are pushed or pulled, and layers are pushed or pulled.
Prisma Cloud scans images in response to layer push events.
For Azure Registry, you can configure webhooks for your container registry that generate events when certain actions are performed against it. See Azure’s documentation for more information.
The Console needs a valid and trusted certificate for the webhook to work on JFrog Cloud.
To trigger a webhook for JFrog Cloud registry, enter a valid and trusted certificate while configuring your self-hosted JFrog Artifactory.
Prisma Cloud also supports scheduled registry scans, with support for most of the registry types, including Google Container Registry and Amazon Elastic Container Registry.
Securing Console’s Management Port
Webhooks call the Prisma Cloud API on Console’s management ports over either HTTP or HTTPS.
Although it is convenient to test webhooks with HTTP, we strongly recommend that you set up webhooks to call Console over HTTPS.
To call webhooks over HTTPS, you must install a certificate trusted by the registry.
For more information about securing Console’s management port with a custom certificate, see
certificates customization for Console TLS communication.
By default, Prisma Cloud uses self-signed certificates to secure HTTP traffic.
Self-signed certificates are not supported (trusted) by Docker Hub, and Docker Registry would require you to configure Prisma Cloud as a trusted CA certificate (not supported, and not recommended).
Instead install a certificate signed by a trusted certificate authority (CA), such as Comodo or Symantec.
Setting up Webhooks
To set up webhook-initiated scans, configure your registry’s webhook with the URL provided in Console.
The following procedure shows you how to set up webhooks in Docker Hub.
Prerequisites:
Docker Hub, with Automated Builds enabled.- Open Console.
- Go toCompute > Defend > Vulnerabilities > Images > Registry settings.
- Go toDefend > Vulnerabilities > Images > Registry settings.
- InWebhooks, select the DNS name or IP address that the registry uses to reach Prisma Console. This generates a URL that you can use to configure the registry.
- InWebhooks, copy the URL to your webhook configuration.
- Configure your repository.The following sections show how to configure Docker Hub and Nexus Repository. For other repositories, consult the vendor’s documentation.
- Test the integration by triggering a build.
- Go toMonitor > Vulnerabilities > Images > Registriesto view the scan report. Prisma Cloud scans the image as soon as it is built.
Create a Webhook in Docker Hub
- Log in to Docker Hub.
- In your chosen repository, selectWebhooks.
- Enter a name for the webhook.
- Paste the webhook URL that you copied from Prisma Console.
- SelectCreate.
Create a Webhook in Nexus Repository
When setting up webhooks in Nexus Repository, select the "component" event type for triggering the webhooks.
