Prisma Cloud Registry and Serverless Repository Scanning
After you build your Docker images or Serverless functions, you need
somewhere to store them. You could use an on-premises registry, a hosted
solution, or some combination of both. Either way, you will want to
continually scan these images against the latest available threat data.
To scan a registry, Prisma Cloud uses the registry’s APIs to list and pull
the images to the local system. Prisma Cloud then deconstructs and
inventories each image, cross-referencing the threat data from the
Intelligence Stream
to identify vulnerable packages.
By default, registry images are scanned once per day, but the period is
configurable.
Prisma Cloud must have the same network connectivity and credentials that
would be required run docker pull. Firewalls must be configured
correctly and the correct access credentials must be provided.
Prisma Cloud supports Docker v1 and v2 registries, as well as the
registries provided by Amazon, Google and Microsoft. For registries that
implement the Catalog API, you can use wildcards to specify which
repositories to scan - or you can leave the repository name or label
blank and all repositories will be scanned. Prisma Cloud also supports PCF
Blobstores, the rough equivalent of a Docker container registry.
Finally, Prisma Cloud supports webhook integration. When using Docker Hub
and Docker Trusted Registry, Prisma Cloud scans can be triggered as soon as
an image is uploaded. For more information about setting up webhooks,
see this
support article.
Prisma Cloud can also automatically watch your serverless repositories,
much like the registry scanning capabilities Prisma Cloud will continually
monitor your serverless function repos for changes and scan them
automatically, providing you with vulnerability and compliance reporting
against the policies you define. For more information on this
capability, see this
support article.