Container Registry Scanning
With Image Assurance, CloudGuard can scan container images on these private registries:
-
Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. Container Registry A collection of repositories used to store and access container images. (ACR)
-
AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. Elastic Container A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling. Registry (ECR)
-
Google Cloud Container Registry (GCR)
-
Google Artifact Registry (GAR)
-
Harbor Registry
-
JFrog Artifactory
-
Nexus
-
GitHub Container Registry
-
Quay.io Container Registry
|
Note - GAR repositories can store helm charts in image format together with the actual docker images. If your repositories include helm charts in addition to images, CloudGuard shows them with the Not an image scan status. |
To onboard your container registry to CloudGuard, see Onboarding Container Registries. These are two options to scan your Container Registry in CloudGuard:
-
Link it to a Kubernetes Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. cluster that has the ImageScan agents scanning your registry
-
Deploy ImageScan with an AWS ECS Amazon Elastic Container Service (ECS) - a fully managed container orchestration service that helps you deploy, manage, and scale Docker containers running applications, services, and batch processes. scanner (available for selected types of registry)
The Image Assurance agents deployed on a cluster scan new images as they appear, on this cluster and on a linked ACR, ECR, or GCR container registry.
|
Note - Registry scanning requires Image Assurance agent version 2.10.0 or higher included in the CloudGuard Helm A Kubernetes deployment tool for automating creation, packaging, configuration, and deployment of applications and services to Kubernetes clusters. chart version 2.11.1 or higher. See Upgrading the Agent for more information. |
AWS ECS Image Assurance
To launch containers, Amazon ECS uses Docker Docker (specifically, Docker Engine) is a software technology providing operating-system-level virtualization also known as containers. images in task definitions. The Docker images are commonly hosted in AWS ECR registries.
CloudGuard provides scanning results for the AWS ECS Docker images based on the inventory information of the onboarded AWS environment and ECR scanning. Installation of CloudGuard agents in the AWS ECS clusters is not necessary.
Prerequisites
Before you start, make sure to:
-
Onboard the AWS environment to CloudGuard with the relevant ECS clusters
-
Configure the ECR Container Registry Scanning for the ECR registry, that is, onboard to CloudGuard the ECR registry that hosts the Docker images of AWS ECS containers. For more details, see Onboarding AWS Elastic Container Registry.
-
Enable the AWS ECS images scanning for the AWS environment with this API call:
https://api.dome9.com/v2/ecs/configuration/{cloudAccountId}
Known Limitations
-
By default, CloudGuard adds to Protected Assets and scans only 10 recent images of each repository. You can change the default value with the API call (maximal number is 1000 for a JFrog Artifactory and Sonatype Nexus). For more information, see the API Reference Guide.
-
Scanning Windows container images is not supported.
-
For JFrog Artifactory, it can take about 20 minutes that the images start to show for the first time.
-
For JFrog Artifactory and Sonatype Nexus, the maximal number of tags per repository is 1000. Container images from the repositories with more than 1000 tags are neither shown as protected assets, nor scanned. The number is limited due to extensive API calls and performance considerations.
-
To receive scanning results, ECS images must be onboarded in the same CloudGuard account as the Private ECR that scans them.
-
CloudGuard creates ECS images only for running tasks.
Actions
To see the results of scanning, in CloudGuard, navigate to Workload Protection > Containers Assets > Images. For more details, see Images.
A container registry must have a Kubernetes cluster linked to it to scan the images.
-
Navigate to Workload Protection > Container Assets > Environments and select your container registry.
-
On the Scanners page, find the scanning environment (cluster).
-
In the Actions column, click Unlink.
-
In the confirmation message, click Save. CloudGuard informs you that the container registry is unlinked successfully.
The cluster stops to scan the registry, and the registry does not appear anymore in the cluster's list.
More Links