Scan images in Google Artifact Registry

Although Artifact Registry supports a number of content types (for example, Java, Node.js, and Python language packages), Prisma Cloud only supports discovering and scanning Docker images.
Prisma Cloud doesn’t support scanning Helm charts saved as OCI images and stored in Artifact Registry. Helm charts saved as OCI images have a single layer that contains the Helm package. It is only a way to store a Helm chart, but it has no meaning in terms of a container. Therefore, Prisma Cloud can’t scan it.

Create a new registry scan

Prerequisites:
  • You’ve deployed a Defender somewhere in your environment.
  • You’ve created GCP credentials (service account) with, at minimum, the Artifact Registry Reader role.
  • You’ve added the service account credentials to the Prisma Cloud Compute Console credentials store under Manage > Cloud accounts.
  1. Open Console, then go to Defend > Vulnerabilities > Images > Registry settings.
  2. Click Add registry.
  3. In Version, select Google Artifact Registry.
  4. In Registry, enter the registry address.
    The format for the address is <GCP-region>-docker.pkg.dev. For example, europe-north1-docker.pkg.dev.
    Multi-region registry addresses are also supported: <GCP-multi-region>-docker.pkg.dev. For example, us-docker.pkg.dev, europe-docker.pkg.dev, and asia-docker.pkg.dev.
  5. In the Credential field, select the service account you created in Manage > Cloud accounts.
    If the credentials haven’t been created already, click + to create them now. If creating credentials:
    1. In the Cloud accounts onboarding dialog, select GCP for the cloud provider.
    2. Enter a credential name.
    3. Select the credential level.
    4. Paste the JSON token blob from your service account into the Service Account field. Leave the API Token field blank.
    5. Click Next.
    6. Disable agentless scanning, then click Next.
    7. Disable cloud discovery, then click Add account.
  6. (Optional) Refine which images Prisma Cloud should scan with the Repositories, Repositories to exclude, Tags, and Tags to exclude fields. Pattern matching is supported.
  7. In OS type, specify whether the repo holds Linux or Windows images.
  8. In Scanners scope, select the Defenders to use for the scan.
    Console selects the available Defenders from this scope to execute the scan job. For more information, see deployment patterns.
  9. In Number of scanners, enter the number of Defenders across which scan jobs can be distributed.
  10. Set Cap to the number of most recent images to scan.
    Leaving Cap set to 5 will scan the 5 most recent images. Setting this field to 0 will scan all images.
  11. Click Add.
  12. Click Save and scan.

Results

Verify that the images in the repository are being scanned.
  1. Go to Monitor > Vulnerabilities > Images > Registries.
    A progress indicator at the top right of the window shows the status of the current scan. As the scan of each image is completed, the findings are added to the results table.
  2. To get details about the vulnerabilities in an image, click on it.
    To force a specific repository to be scanned again, click Scan at the top right of the results table, and then click on the specific repository to rescan.
