Install Registry Scanner

Integrate Sysdig Secure with your container registry to add a layer of defense between the pipeline and runtime stages and to strengthen defense in depth. This page describes how to install and configure the Registry Scanner on various private registries. See Vulnerabilities | Registry to review the scan results in the UI.

Setup

Prerequisites

  • Helm v3.8 or above

  • A Kubernetes cluster managed with Helm

    The registry scanner is installed on this cluster

  • A Sysdig Secure API token

  • Recommended: Set up a service account with minimal privileges, such as a Custom role

    • The Custom role requires the following Vulnerability Management permissions for Sysdig Secure:
      • Registry Scanner exec
      • Scan Results: read

  • Network access to the target registry for the installed components

  • Outbound network access to the Sysdig backend to store results

    If you are behind a firewall, follow the outbound network rules for vulnerability scanning.

  • The node running the Registry Scanner must be able to pull images from the target registry. Confirm this from that node with the following command:

     docker pull ${THE_REGISTRY}/${A_IMAGE}


Supported Vendors

Known Limitations

  • A new registry scanner must be installed per registry (except for AWS Organization).
  • Public registries are not supported.
  • Images that have already been scanned and reported to Sysdig are rescanned only on the designated refresh cycle. Scans are refreshed by a scheduled Helm cron job, every Saturday at 6:00 AM by default. You can adjust the schedule.
  • Check vendor-specific limitations on the relevant subpage.
  • Registry Scanner does not support multi-architecture images.

Installation

Legacy scanning engine: If you still use the legacy scanning engine and want to keep running it, pin the Helm chart version to 0.1.39. If you deploy a later version, the current vulnerability management engine replaces the legacy installation.

Overview

  1. Add the Sysdig Helm repository that provides the Registry Scanner chart:

    helm repo add sysdig https://charts.sysdig.com
    helm repo update
    
  2. Prepare the Helm chart for your specific registry vendor. Provide:

  3. Run the Helm installation command and allow some time for the first scan to complete.

  4. Check results in the Sysdig Secure Vulnerabilities | Registry UI.
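As an added example (not a script from the Sysdig docs or the chart), a POSIX shell helper that enforces the prerequisites above (Helm v3.8 or above, a working pull from the target registry), adds the repository, and runs the helm upgrade --install step, pinning the chart only when the legacy engine must be kept. The chart name sysdig/registry-scanner, the values keys config.secureAPIToken and config.registryPassword, and the environment variables SYSDIG_API_TOKEN, REGISTRY_PASSWORD and CHART_VERSION are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example, not the Sysdig docs' own script. Assumed (not on this page):
# chart name sysdig/registry-scanner, values keys config.secureAPIToken and
# config.registryPassword, and the env vars SYSDIG_API_TOKEN, REGISTRY_PASSWORD,
# CHART_VERSION.
set -eu

# Enforce the "Helm v3.8 or above" prerequisite: returns 0 when a
# `helm version --short` string such as "v3.12.3+g3a31588" is >= MAJOR.MINOR.
helm_version_ok() {
  raw="$1"; want_major="$2"; want_minor="$3"
  ver="${raw#v}"; ver="${ver%%+*}"          # strip leading "v" and "+gitsha"
  major="${ver%%.*}"
  rest="${ver#*.}"; minor="${rest%%.*}"
  if [ "$major" -gt "$want_major" ]; then return 0; fi
  [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]
}

# Print the install command for review before it runs. Secrets are referenced
# by variable name only, so they never appear in the printed line or the values file.
# A chart version is pinned only when the legacy engine must be kept (0.1.39).
build_install_cmd() {
  release="$1"; namespace="$2"; values_file="$3"; chart_version="${4:-}"
  cmd="helm upgrade --install $release sysdig/registry-scanner -n $namespace --create-namespace -f $values_file"
  if [ -n "$chart_version" ]; then cmd="$cmd --version $chart_version"; fi
  cmd="$cmd"' --set config.secureAPIToken=$SYSDIG_API_TOKEN --set config.registryPassword=$REGISTRY_PASSWORD'
  printf '%s' "$cmd"
}

# Usage: run_install <registry> <image> <values.yaml>
# Runs the checks, adds the Sysdig repo, then installs or upgrades the release.
run_install() {
  registry="$1"; image="$2"; values_file="$3"
  helm_version_ok "$(helm version --short)" 3 8 \
    || { echo "Helm v3.8 or above is required" >&2; return 1; }
  # The scanner node must be able to pull from the target registry.
  docker pull "$registry/$image" >/dev/null \
    || { echo "this node cannot pull $registry/$image" >&2; return 1; }
  helm repo add sysdig https://charts.sysdig.com >/dev/null 2>&1 || true  # idempotent
  helm repo update
  # Helm still records the resolved values in the release Secret in-cluster,
  # so restrict who can read Secrets in the scanner namespace.
  eval "$(build_install_cmd registry-scanner sysdig-registry-scanner "$values_file" "${CHART_VERSION:-}")"
}
```

Re-running run_install with the same values file is also the upgrade path, since helm upgrade --install is idempotent for an existing release.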

Upgrade

Perform the regular Helm chart upgrade procedure:

  1. Refresh the repository with helm repo update
  2. Re-run helm upgrade --install with the values from the previous installation.

Next Steps

Review scan results in the Sysdig Secure UI.

Create scanning reports