Configure Registry Scans

Prisma Cloud can scan container images in public and private repositories on public and private registries.
A registry is a system that stores and distributes container images. The most well-known public registry is Docker Hub, but you can use other registries from Amazon, Google, and other providers. Your organization can set up its own internal private registries too. Prisma Cloud supports scanning container images on all these registries.
After you configure repository scanning, Prisma Cloud automatically scans images for vulnerabilities. By default, scans occur once every 24 hours, but you can configure periodic scans at specific intervals specified in
Manage > System > Scan

Configure Prisma Cloud to Scan a Registry

To scan images in a registry, create a new registry scan rule.
  1. On the Prisma Cloud Console, go to
    Defend > Vulnerabilities > Images > Registry settings
  2. Review the available settings.
  3. If the default values don’t fit your scenario, select
    Add registry
  4. Enter the registry fields, then select
  5. Select
    Save and scan
    If a registry scan is already in progress, you can stop the in-progress scan and start scanning for the latest changes using
    Scan now
    Or, you can select
    Save only
    to continue with the in-progress scan and save the latest changes. Once the current scan is complete, you can either manually trigger the latest scan or wait for the next scheduled scan.

Registry Scan Results

Verify that the images in the repository are being scanned.
From 22.12 release or later, you can add a maximum of 19,999 registry entries in
Defend > Vulnerabilities > Images > Registry settings
  1. Go to
    Monitor > Vulnerabilities > Images > Registries
    As the scan of each image is completed, its findings are added to the results table.
  2. Select an image to get details about the vulnerabilities in an image.
    To force a specific repository to be scanned again, select
    from the top right of the results table, then select a specific registry to re-scan. Alternatively, you can also scan an individual registry by selecting
    next to the registry, only if there is no other scan in progress.
    Last scan time
    of a registry is updated under
    Registry details > General info

On-demand Registry Scanning

You can trigger an on-demand scan for individual images with the Scan Registry API. This feature allows you to scan the images immediately and not wait for the next periodic scan. You can trigger multiple on-demand image scans without interrupting the main registry scanning process. However, every trigger is for a single image only.
For the on-demand scan, you must pre-define the image registry scope in the registry scanning configuration.

Deployment Patterns

Defenders handle registry scanning. When you configure registry scanning, you can select the scope of defenders used to perform the scans.
Any Container Defender running on a host with the Docker Engine container runtime or container runtime interface (CRI) can scan a registry, and any number of them can simultaneously operate as registry scanners. This flexibility gives you a lot of options when trying to determine how to cover disparate environments.
You can use host names or AWS tags to select a collection of defenders to distribute the scanning job between them, and use the
Number of scanners
setting to control how many defenders are included in the collection. When you select
collection, Prisma Cloud automatically distributes the scan job across all available defenders.
Configuring Prisma Cloud to use a large number of defenders reduces operational complexity and improves resiliency. During a scan, Prisma Cloud lists the available defenders based on the configured scope, manages the resource pool, and handles issues such as restarting partially completed jobs. If you explicitly select one or two defenders to handle scanning, the hosts running those defenders become a single point of failure. If that host fails or gets destroyed, you have to reconfigure your scan settings with different defenders.
The type of operating system (OS) scopes registry scanning. Windows defenders only scan Windows images, and Linux defenders only scan Linux images.
When you remove an image from the registry or the registry becomes unavailable, Prisma Cloud maintains the scan results for a specific number of days. You can configure the number of days under
Manage > System > Scan > Registry scan results
. After the specified number of days, the scan results are purged.

Registry Scan Steps

At a high level, defenders scan your registries following these steps.
  1. Scan registry settings one by one in sequential order.
  2. Discover the repositories based on your registry configuration.
  3. Discover the images using tags within each configured repository.
  4. Scan the discovered images.
In more detail, defenders scanning your registries follow this sequential flow to collect the metadata.
  1. Get a list of all repositories in the registry.
  2. For each repository, scanning defenders perform the following tasks.
    • Get a list of all image tags.
    • For each image tag, they get the image manifest containing the date the image was last modified.
  3. Once the metadata of all images is discovered, scanning defenders perform the following tasks.
    • Sort the images by the last modified date.
    • Cap the list of images based on the configured value. By default, lists are capped at five.
    • Scan the images.

Registry Scan Settings

You can set the following parameters for each rule, but the parameters can vary between registry types. If you use a specific registry provider, follow the appropriate step-by-step instructions in our guides.
Specify the type of registry to scan.
  • If you do not find your vendor’s registry in the drop-down list, try
    Docker Registry v2
    . Most vendors comply with the Docker Registry version 2 API.
Specify the URL for the registry.
Docker Hub:
leave this field blank.
: specify the FQDN of your Harbor registry (https://).
Nexus Registry:
<http|https://<nexus_hostname>:<HTTP/HTTPS connector port for the specific Nexus repo>
JFrog Artifactory:
Enter the Artifactory registry URL for JFrog Cloud (ending in *.io) or JFrog self-hosted whichever is applicable.
Repository name
Specify the repository to scan. This field supports pattern matching. To scan all repositories, simply leave this field blank or enter a wildcard (*).
Docker Hub:
To specify an official Docker repository, enter library/, followed by the short string used to designate the repo. For example, to scan the images in the official Alpine Linux repository, enter library/alpine.
To specify non-official repositories, enter the username or organization name, followed by a slash, followed by the name of the repo. For example, to specify the alpine repository in onescience’s account, enter onescience/alpine.
To scan all repos from a user or organization, simply enter the user or organization name, followed by a wildcard (*). For example, to scan all repos created by onescience, enter onescience*.
Google Cloud Platform Container Registry:
Enter your project ID and image name in the following format: project-id/image-name. To scan all images, follow the repository name with /*. (e.g. company-sandbox/*)
Enter the name of the repository, followed by a wildcard (*). For example, to scan the repository library, enter library*.
Any Docker V2 API compliant registry:
Docker Hub, Docker Registry, and Alibaba Container Registry all support the Docker Registry version 2 API.
Nexus Registry:
Leave blank or include a pattern to match the Docker repositories inside the Nexus registry. For example: To scan all the images under a path, include the
Repositories to exclude (Optional)
Specify repository names to exclude. Enter the repository name or pattern to exclude that repository from being scanned. Leave this field blank to scan all repositories.
Tag (Optional)
Specify an image tag. Leave this field blank to scan all tags (limited by the value in Cap).
Tags to exclude (Optional)
Specify tags to exclude. Leave blank to include all image tags (default).
Specify the credentials required to access the registry. If the credentials have already been created in the Prisma Cloud credential store, select it. If not, click
Add New
Public repositories on public registries (such as Docker Hub):
Leave this field blank. No credentials are required.
AWS EC2 Container Registry:
Use the IAM access keys for authentication. For more information, see Amazon EC2 Container Registry (ECR).
Google Container Registry:
Use the