Document:Prisma Cloud Administrator’s Guide (Compute)

Scan Images in Sonatype Nexus Registry

Download PDF

Filter

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Prisma Cloud container images
- Kubernetes
- OpenShift v4
- Amazon ECS
- Alibaba Cloud Container Service for Kubernetes (ACK)
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- IBM Kubernetes Service (IKS)
- Windows
- Defender types
- Cluster Context
- Install Defender
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Upgrade the Single Container Defenders
- Upgrade Defender DaemonSets
- Upgrade Defender DaemonSets (Helm)
Agentless Scanning
- Onboard Accounts for Agentless Scanning
- Agentless Scanning Results
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials Store
Cloud Service Providers
- Cloud discovery
- Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
- Prisma Cloud vulnerability feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- Search CVEs
- Registry scanning
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploy WAAS
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API Discovery
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Sensitive Data
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan Images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Scan Images in Sonatype Nexus Registry

Edit on GitHub

To scan a repository in Sonatype Nexus Registry, create a new registry scan setting.

Prerequisites

You have installed a Container Defender somewhere in your environment.

Configure the connector port for the Docker engine to connect to the Nexus registry.

The Docker client needs the Docker registry exposed at the root of the host together with the port that it is accessing. Nexus offers several methods to overcome this limitation, one of which is the connector port method, which Prisma Cloud supports.

From the Nexus web portal, select the Administration screen.

Select the Nexus Repository.

Select Online
to allow the Nexus repository to accept the incoming requests.

Configure the Docker repository connector to use an HTTP or HTTPS port.

The Defender can establish a connection with the Nexus registry over the connector port that you configured in the Nexus registry.

Ensure that the port is open for the image to be accessed successfully.

Add a Nexus registry in Prisma Cloud

Select Add registry
.

In the Add New Registry Setting Specification
, enter the following values:

In the Version
drop-down list, select Sonatype Nexus
.

In Registry
, enter the hostname, or Fully Qualified Domain Name (FQDN), and the connector port for the Nexus registry’s login server.

The format for the FQDN is <hostname>:<connector_port>
, where <hostname>
is a unique value specified when the registry was created, and the <connector_port>
is the one you configured in the Nexus repository administration.

Example: <http|https://<nexus_hostname>:<HTTP/HTTPS connector port for the specific Nexus repo>
.

https://ec2-100-25-223-135.compute-1.amazonaws.com:8083

Leave the Repository
blank or include a pattern to match the Docker repositories inside the Nexus registry.

For example: To scan all the images under a path, include the path/to
string.

Optionally enter the Repositories to exclude them from being scanned.

In Tag
, enter an image tag. Leave this field blank to scan all images, regardless of their tag.

Optionally, enter Tags to exclude, to avoid scanning images with specified tags.

In Credential
, configure how Prisma Cloud authenticates with Nexus registry.

Select a credential from the drop-down list.

If there are no credentials in the list, Add
new credentials and select the Basic authentication.

You can optionally enter a custom CA certificate
in PEM format for Prisma Cloud to validate the Nexus registry.

Custom CA certificate validation is supported only for non-Docker nodes (e.g. OpenShift).

Ensure that the Custom CA certificate that you use is not revoked by the issuing authority.

In OS type
, specify whether the repo holds Linux
or Windows
images.

In Scanners scope
, specify the collections of defenders to use for the scan.

Console selects the available Defenders from the scope to execute the scan job according to the Number of scanners
setting. For more information, see deployment patterns.

In Number of scanners
, enter the number of Defenders across which scan jobs can be distributed.

In Cap
, limit the number of images to scan.

Set Cap
to 5
to scan the five most recent images, or enter a different value to increase or decrease the limit. Set Cap
to 0
to scan all images.

Select Add
.

Select Save and scan
.

Verify that the images in the repository are being scanned under Monitor > Vulnerabilities > Images > Registries
.

Troubleshooting

Prisma Cloud failed to pull images from the Nexus repository

Monitor > Vulnerabilities > Images > Registries
shows the following error:

ERRO 2022-06-07T06:55:39.046 scanner.go:110 Failed to pull image cybersecurity/conjur/test-app:latest, error Error initializing source docker://nexus.nedigital.sg/cybersecurity/conjur/test-app:latest: error pinging docker registry nexus.nedigital.sg: invalid status code from registry 400 (Bad Request)

Ensure that you have installed Defender on the host on which the Nexus registry is installed.

Verify that you can pull the nexus registry using the docker command.

Create a Nexus repository connector port as mentioned in the Prerequisites.

Add a Nexus registry in Prisma Cloud using the connector port in the Registry URL.

Document:Prisma Cloud Administrator’s Guide (Compute)

Scan Images in Sonatype Nexus Registry

Table of Contents

Scan Images in Sonatype Nexus Registry

Prerequisites

Add a Nexus registry in Prisma Cloud

Troubleshooting

Most Popular