Onboarding Sonatype Nexus Registry

To configure container registry scanning of a Sonatype Nexus environment, you need to onboard the environment to CloudGuard. CloudGuard discovers only the hosted type of Sonatype Nexus Docker Docker (specifically, Docker Engine) is a software technology providing operating-system-level virtualization also known as containers. repositories and scans images in these repositories only.

Prerequisites

Before onboarding your Container Registry A collection of repositories used to store and access container images. for scanning, select a type of hosting environment and an applicable authentication method.
CloudGuard uses HTTPS connection to the Sonatype Nexus registry.
You must provide a Certificate Authority (CA) certificate to CloudGuard resources deployed on your Kubernetes Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. cluster or AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. ECS Amazon Elastic Container Service (ECS) - a fully managed container orchestration service that helps you deploy, manage, and scale Docker containers running applications, services, and batch processes. environment. For more details, see Configuring CA Certificate.
For authentication with the Sonatype Nexus Docker repositories, it is necessary to have a Sonatype user with Read permissions. CloudGuard discovers and scans all repositories to which this user has access.

Onboarding

To onboard a Sonatype Nexus Registry to CloudGuard:

STEP 1 - Registry Configurations

In the CloudGuard portal, navigate to Asset > Environments.
From the top menu, select Add > Container Registry and follow the setup steps.

Alternatively, in Kubernetes cluster scanning environment, open the hosting cluster page and click Scan Registry on the top menu.
In the Container A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling. Registry Onboarding wizard, enter the registry details:
1. Environment Name - Enter a new name for the registry or use the default name. This name allows you to identify the registry later in CloudGuard.
2. Environment Description - Optionally, enter a description.
3. Select an Organizational Unit.
4. Select the type of environment to host your scanner - Kubernetes or AWS ECS Scanner.
5. Select a Kubernetes cluster or an AWS environment on which you can run the registry scanner:
  - For Kubernetes, select from the list of clusters with enabled Image Assurance. For a new cluster, click Onboard a new Kubernetes Cluster and see Onboarding Kubernetes Clusters. In this case, you quit the registry onboarding and, after onboarding a new cluster, you need to start the registry onboarding from the beginning.
  - For AWS ECS Scanner, select from the list of all AWS environments onboarded to CloudGuard.
6. Registry Type - Select Nexus.
7. Registry URI - Enter the FQDN of your Nexus server endpoint, without the protocol (https).
8. Authentication Method - Nexus Basic Authentication - For the Kubernetes scanner, enter the details below. For the AWS ECS scanner, only select the method and enter the details later in Step 3.
  
  Pull Secret Name - Enter the image pull secret name that you create on the hosting cluster with your credentials.
  
  Make sure that the <secret-name> is a valid Kubernetes name. For more details, see the Kubernetes Documentation.
  
  To create the secret, run:
  Copy
```
kubectl create secret docker-registry <secret-name> \
    --namespace <cloudguard-namespace> \
    --docker-server=<nexus_registry_URI> \
    --docker-username=<username> \
    --docker-password=<password>
```
Click Next to continue with Cluster Configurations.

For Onboarding with the Kubernetes Scanner

For Onboarding with the ECS Scanner

STEP 3 - AWS Configurations

Follow the on-screen instructions to use the provided CloudFormation Template and launch the CFT for the ECS scanner.

Select to use a new ECS cluster or an existing one.
Use the URL to review the CloudFormation Template.
Open the AWS Secrets Manager and click Secrets.
Click Store a new secret to create an image pull secret with:
- Secret type: Other type of secret
- Key: <registry_URI>
- Value: <NEXUS_USERNAME>: <NEXUS_PASSWORD>
Open the image pull secret and copy Secret ARN from Secret details. You need this ARN Amazon Resource Names (ARNs) uniquely identify AWS resources. They are required to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls. in step 6g.
In the CloudGuard wizard, click the link in step 4 to start the CloudFormation Stack Creation Process in your AWS account:
1. On the Stacks page, click Create stack.
2. In Step 1 Create stack, for Prepare template, select Choose an existing template.
3. For Template source, select Amazon S3 URL.
4. In the Amazon S3 URL field, paste the URL you copied in step 2 and click Next.
5. In Step 2 Specify stack details, enter a name for the stack.
6. In Parameters > CloudGuard, paste these details copied from step 5 of the CloudGuard wizard:
  - Environment ID
  - CloudGuard API Key ID
  - CloudGuard API Key Secret
7. In AWS, enter these details:
  - Subnet - Select a subnet.
  - Optional - Registry Secret ARN - Enter the ARN of the secret created in step 3.
  - Optional - Custom CA Certificates ARN - see Certificate for AWS ECS Scanner.
After the creation of the stack, click Finish.

CloudGuard opens the onboarded registry. For onboarding validation, see the Scanners tab that shows the status of the registry and its scanning environment (cluster or AWS ECS).

For registries with the Kubernetes scanner, the related Kubernetes cluster page shows information about the registries that the cluster scans, in the list on Blades > Image Assurance > Image Scan Engine agent.