Scan images in Google Container Registry (GCR)
Create a new registry scan
- GCR access is governed by Google’s storage permissions. For Prisma Cloud to scan GCR, your service account must have the GCP IAMStorage Object Viewerrole (see https://cloud.google.com/container-registry/docs/access-control#permissions_and_roles).
- Open Console, then go toDefend > Vulnerabilities > Registry.
- ClickAdd registry.
- In theVersionfield, selectGoogle Container Registry.
- Enter the registry address in theRegistryfield (e.g. gcr.io).
- Enter the repository name followed by /* in theRepositoryfield (e.g. company-sandbox/*).
- In theCredentialfield, enter the credentials required to access the registry. If the credentials have already been created in the Prisma Cloud credential store, select it. If not, clickAddto create new credentials.
- Select theGCPcredential type and credential level, then paste the JSON token blob from your service account into theService Accountfield. Leave theAPI Tokenfield blank.For GCP organizations with hundreds of projects, scanning GCR using organization level credentials might affect the scanning performance due to long query time from GCP. Therefore, the best approach to reduce scan time and to avoid potential timeouts, is to divide the projects within your organization into multiple GCP folders. Then, create a service account and credential for each one of them, and use these credentials for GCR scanning.
- Save your credentials.
- InOS type, specify whether the repo holdsLinuxorWindowsimages.
- InScanners scope, specify the collections of defenders to use for the scan.Console selects the available Defenders from the scope to execute the scan job according to theNumber of scannerssetting. For more information, see deployment patterns.
- InNumber of scanners, enter the number of Defenders across which scan jobs can be distributed.
- SetCapto the number of most recent images to scan.LeavingCapset to5will scan the 5 most recent images. Setting this field to0will scan all images.
- Click theSavebutton.
Verify that the images in the repository are being scanned.
- Go toMonitor > Vulnerabilities > Images > Registries.A progress indicator at the top right of the window shows the status of the current scan. As the scan of each image is completed, its findings are added to the results table.
- To get details about the vulnerabilities in an image, click on it.To force a specific repository to be scanned again, selectScanfrom the top right of the results table, then click on the specific registry to rescan.