Container Registry Scanning

With Image Assurance, CloudGuard can scan container images on these private registries:

Note - GAR repositories can store Helm charts in image format alongside the Docker images themselves. If your repositories include Helm charts in addition to images, CloudGuard shows the charts with the Not an image scan status.

To onboard your container registry to CloudGuard, see Onboarding Container Registries. There are two options to scan your Container Registry in CloudGuard:

The Image Assurance agents deployed on a cluster scan new images as they appear, on this cluster and on a linked ACR, ECR, or GCR container registry.

Note - Registry scanning requires Image Assurance agent version 2.10.0 or higher, included in CloudGuard Helm chart version 2.11.1 or higher. See Upgrading the Agent for more information.

AWS ECS Image Assurance

To launch containers, Amazon ECS uses Docker images in task definitions. The Docker images are commonly hosted in AWS ECR registries.

CloudGuard provides scanning results for the AWS ECS Docker images based on the inventory information of the onboarded AWS environment and ECR scanning. Installation of CloudGuard agents in the AWS ECS clusters is not necessary.

Prerequisites

Before you start, make sure to:

  • Onboard the AWS environment to CloudGuard with the relevant ECS clusters

  • Configure Container Registry Scanning for the ECR registry, that is, onboard to CloudGuard the ECR registry that hosts the Docker images used by the AWS ECS containers. For more details, see Onboarding AWS Elastic Container Registry.

  • Enable AWS ECS image scanning for the AWS environment with this API call: https://api.dome9.com/v2/ecs/configuration/{cloudAccountId}

Known Limitations

  • By default, CloudGuard adds to Protected Assets and scans only the 10 most recent images of each repository. You can change this default with an API call (the maximum is 1000 for JFrog Artifactory and Sonatype Nexus). For more information, see the API Reference Guide.

  • Scanning Windows container images is not supported.

  • For JFrog Artifactory, it can take about 20 minutes until the images appear for the first time.

  • For JFrog Artifactory and Sonatype Nexus, the maximum number of tags per repository is 1000. Container images from repositories with more than 1000 tags are neither shown as protected assets nor scanned. The limit exists because of the extensive API calls and performance considerations involved.

  • To receive scanning results, ECS images must be onboarded in the same CloudGuard account as the Private ECR that scans them.

  • CloudGuard creates ECS images only for running tasks.
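As an added illustration of the per-repository limits above (not code from CloudGuard or its documentation), the following Python models which images fall inside and outside scan coverage under the rules this section states, so a team can see which older images or oversized repositories will never be scanned. The `Image` record, the push-time ordering used to pick "recent" images, and applying the 1000 upper bound to every registry type are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Limits as stated in the Known Limitations section of this page.
DEFAULT_RECENT_IMAGES = 10        # images scanned per repository by default
MAX_RECENT_IMAGES = 1000          # stated for Artifactory/Nexus; applied to all here (assumption)
TAG_CAP_REGISTRIES = {"artifactory", "nexus"}
MAX_TAGS_PER_REPO = 1000          # repositories above this are skipped entirely


@dataclass(frozen=True)
class Image:
    repo: str
    tag: str
    pushed: datetime   # push time used to rank "recent" images (assumption)


def scan_coverage(registry_type, images, recent_limit=DEFAULT_RECENT_IMAGES):
    """Return (scanned, unscanned) image lists for one registry.

    Only the recent_limit most recently pushed images of each repository
    are scanned; for Artifactory/Nexus a repository with more than
    MAX_TAGS_PER_REPO tags is excluded from protected assets altogether.
    """
    if not 1 <= recent_limit <= MAX_RECENT_IMAGES:
        raise ValueError(f"recent_limit must be between 1 and {MAX_RECENT_IMAGES}")
    by_repo = {}
    for img in images:
        by_repo.setdefault(img.repo, []).append(img)
    scanned, unscanned = [], []
    for imgs in by_repo.values():
        if registry_type in TAG_CAP_REGISTRIES and len(imgs) > MAX_TAGS_PER_REPO:
            unscanned.extend(imgs)          # whole repository is skipped
            continue
        ordered = sorted(imgs, key=lambda i: i.pushed, reverse=True)
        scanned.extend(ordered[:recent_limit])
        unscanned.extend(ordered[recent_limit:])
    return scanned, unscanned


# Constructed sample inventory: one repository with 12 tags, one with 3.
SAMPLE_IMAGES = (
    [Image("payments/api", f"v1.{n}", datetime(2024, 1, 1 + n)) for n in range(12)]
    + [Image("batch/etl", f"build-{n}", datetime(2024, 3, 1 + n)) for n in range(3)]
)

if __name__ == "__main__":
    done, gaps = scan_coverage("ecr", SAMPLE_IMAGES)
    print(f"scanned={len(done)} unscanned={[i.tag for i in gaps]}")
```

With the defaults, the two oldest payments/api tags (v1.0 and v1.1) are reported as unscanned coverage gaps.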
