Scan Images in Sonatype Nexus Registry

To scan a repository in Sonatype Nexus Registry, create a new registry scan setting.

Prerequisites

  • You have installed a Container Defender somewhere in your environment.
  • Configure the connector port for the Docker engine to connect to the Nexus registry.
    The Docker client needs the Docker registry exposed at the root of the host together with the port that it is accessing. Nexus offers several methods to overcome this limitation, one of which is the connector port method, which Prisma Cloud supports.
    1. From the Nexus web portal, select the Administration screen.
    2. Select the Nexus Repository.
    3. Select
      Online
      to allow the Nexus repository to accept the incoming requests.
    4. Configure the Docker repository connector to use an HTTP or HTTPS port.
  • The Defender can establish a connection with the Nexus registry over the connector port that you configured in the Nexus registry.
    Ensure that the port is open for the image to be accessed successfully.

Add a Nexus registry in Prisma Cloud

  1. Log in to Console, and select 
    Compute > Defend > Vulnerabilities > Registry
    .
  2. Select
    Add registry
    .
  3. In the
    Add New Registry Setting Specification
    , enter the following values:
    1. In the
      Version
      drop-down list, select 
      Sonatype Nexus
      .
    2. In
      Registry
      , enter the hostname, or Fully Qualified Domain Name (FQDN), and the connector port for the Nexus registry’s login server.
      The format for the FQDN is
      <hostname>:<connector_port>
      , where
      <hostname>
      is a unique value specified when the registry was created, and the
      <connector_port>
      is the one you configured in the Nexus repository administration.
      Example:
      <http|https://<nexus_hostname>:<HTTP/HTTPS connector port for the specific Nexus repo>
      .
    3. Leave the
      Repository
      blank or include a pattern to match the Docker repositories inside the Nexus registry.
      For example: To scan all the images under a path, include the
      path/to
      string.
    4. In
      Tag
      , enter an image tag. Leave this field blank to scan all images, regardless of their tag.
    5. In
      Credential
      , configure how Prisma Cloud authenticates with Nexus registry.
      Select a credential from the drop-down list.
      If there are no credentials in the list, click 
      Add
      to create new credentials and select the Basic authentication.
    6. In
      OS type
      , specify whether the repo holds
      Linux
      or
      Windows
      images.
    7. In
      Scanners scope
      , specify the collections of defenders to use for the scan.
      Console selects the available Defenders from the scope to execute the scan job according to the
      Number of scanners
      setting. For more information, see deployment patterns.
    8. In
      Number of scanners
      , enter the number of Defenders across which scan jobs can be distributed.
    9. In
      Cap
      , limit the number of images to scan.
      Set
      Cap
      to
      5
      to scan the five most recent images, or enter a different value to increase or decrease the limit. Set
      Cap
      to
      0
      to scan all images.
    10. Select
      Add
      .
  4. Select
    Save and scan
    .

View Results

Verify that the images in the repository are being scanned.
  1. Go to
    Monitor > Vulnerabilities > Images > Registries
    .
    A progress indicator at the top right of the window shows the status of the current scan. As the scan of each image is completed, the finding results display in the table.
  2. To get details about the vulnerabilities in an image, click on it.
    To force a specific repository to be scanned again, select
    Scan
    from the top right of the results table, then click on the specific registry to rescan.

Troubleshooting

  1. Ensure that you have installed Defender on the host on which the Nexus registry is installed.
  2. Verify that you can pull the nexus registry using the docker command.
  3. Create a Nexus repository connector port as mentioned in the Prerequisites.
  4. Add a Nexus registry in Prisma Cloud using the connector port in the Registry URL.

Recommended For You