Registry
Registries are a fundamental stage in the lifecycle of container images. Container registries accumulate a large number of images, some of which are obsolete or no longer suitable for runtime, and registry scanning provides the visibility needed to keep your security posture from degrading.
See the Sysdig Vulnerability Management cycle for the benefits of scanning in pipeline, registry, and runtime phases.
The Registry page allows you to:
- Search and view the list of integrated registries and repositories.
- Determine the overall vulnerability score and exploits.
- Drill down the images to view the security posture of associated packages and versions.
Prerequisites
- To use Registry Scanning, install the Registry Scanner and configure it on your private registries. See Install Registry Scanning.
On-Prem Deployments
Network and port requirements: Ensure port 443* is open for outbound traffic, allowing Sysdig to download the latest external vulnerability feeds.
See On-Prem Network and Port for more information.
IP requirements: For Sysdig to scan private repositories, your firewall must allow inbound requests from the Sysdig IP addresses.
View Registry Scan Results
On the Registry page, you can search images and tags and assess the security posture of your images.
The Registry page displays scanning results from:
- The registry scans that leverage the registry scanner. By default, these scans are scheduled weekly; you can also trigger manual registry scans.
- Instant image scanning using the Scan Now feature. This does not require deploying CLI tools into your environment.
To view scan results:
Ensure that the registry scanner is installed and that at least one scheduled scan job has completed, or that at least one manual scan using Scan Now has completed.
Log in to Sysdig Secure and open Vulnerabilities > Findings > Registry. You can:
- Browse or search registries or repositories.
- Search by image or tag.
- Review detected vulnerabilities by severity and exploit status.
Select an image to access the tabs in the detail panel: Overview, Vulnerabilities, and Content.
- Overview: View packages and filter for packages that are fixable. Click the individual cells to view the Vulnerabilities list.
- Recommendations: View recommendations to improve the security posture of your image.
- Vulnerabilities: Use the expanded filters and the clickable list of CVEs to view complete CVE details, including source data and fix information. The same security finding, such as a particular vulnerability, can appear in more than one rule violation table if it violates several rules. You can filter the vulnerabilities by Critical Severity, Has Fix, Accepted Risk, and Exploitable.
- Package: View the data organized by package, with expanded filters and clickable CVE cells. Use the Package tab to answer questions such as which software packages are the most dangerous.
Instant Image Scanning with Scan Now
You can instantly scan images in your registries and view results without deploying any CLI-based components. To do so:
- Integrate with a private container registry.
- Use the Scan Now button to initiate platform-based image scanning.
Add a Container Registry
You can integrate private container registries and retrieve target images for scanning by configuring necessary registry credentials. Each of the registry types has unique input fields for the credentials required. For example, username/password for Docker Registry and JSON key for Google Container Registry.
Log in to Sysdig Secure and select Vulnerabilities > Registry under Findings.
Select Scan Now > Registry Credentials.
Click Add Registry and enter:
Registry Name: A unique name to identify the registry.
Path: The path to the container registry, such as Docker Hub. The format is <hostname>:<port> or <hostname>:<port>/<path>. For example, us-west1-docker.pkg.dev/my-registry/example-repo
If you are providing repository-specific credentials, provide the path to the repository.
A registry might contain multiple namespaces, each with distinct permissions. To cover all of them with a single set of credentials, you can use a partial path: any image located beneath the partial path within the registry will use the configured registry credentials.
Type: Select the type of Registry you are adding. Depending on your selection, additional parameters will appear, such as the Access Key and Secret Key for AWS ECR.
Skip TLS Validation: Toggle to skip verification of the registry's TLS certificate.
Click Add Registry Credential.
Scan Now
Select Vulnerabilities > Scan Now.
The Scan Image screen appears.
Enter your image reference to scan it directly from the registry.
Click Scan Image.
You will encounter an error if you have not integrated the registry from which you are pulling the image.
To see the status of the scanning, select Scan Now > Queue.
Click on the row corresponding to an image to view the scan results.
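The following is an added example, not Sysdig's own code, that models how the registry credential entries described above are matched against an image reference: a credential Path is <hostname>:<port> or <hostname>:<port>/<path>, a partial path covers every image beneath it, a repository-specific entry takes precedence over a broader one, and an image whose registry has not been integrated cannot be scanned (the error mentioned under Scan Now). The class and function names, the Docker Hub short-name handling, and the sample credential entries are assumptions constructed for this example.

```python
"""Resolve which configured registry credential applies to an image reference.

Added example, not Sysdig's code. Names (RegistryCredential, resolve_credential,
is_integrated) and the sample entries below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RegistryCredential:
    name: str      # Registry Name: unique identifier for the entry
    path: str      # Path: host[:port] optionally followed by /namespace/...
    reg_type: str  # Type: label such as "docker", "gar" or "ecr" (assumed)


class RegistryNotIntegrated(Exception):
    """No credential entry covers the image's registry."""


def split_image_ref(image_ref: str) -> tuple[str, str]:
    """Split 'host[:port]/repo/path[:tag][@digest]' into (host[:port], repo/path).

    A reference whose first component has no '.' or ':' and is not 'localhost'
    (e.g. 'nginx:1.25' or 'team/app') follows the Docker short-name convention
    and is treated as docker.io; single-segment names get the 'library/' prefix.
    """
    ref = image_ref.split("@", 1)[0]                 # drop any @sha256:... digest
    first, slash, rest = ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        host, repo = first, rest
    else:
        host, repo = "docker.io", ref
    # The tag is the last ':' after the final '/', so a port in the host is safe.
    if repo.rfind(":") > repo.rfind("/"):
        repo = repo[: repo.rfind(":")]
    if host == "docker.io" and "/" not in repo:
        repo = "library/" + repo
    return host, repo


def _segments(path: str) -> list[str]:
    """Split a credential Path or repository path into its '/' components."""
    return [s for s in path.strip("/").split("/") if s]


def resolve_credential(image_ref: str,
                       credentials: Iterable[RegistryCredential]) -> RegistryCredential:
    """Pick the most specific credential whose Path is a prefix of the image.

    Matching is done on whole path segments, so 'reg.example.com/team' does not
    cover 'reg.example.com/team-archive/app'. The longest matching Path wins,
    which lets repository-specific credentials override a registry-wide entry.
    """
    host, repo = split_image_ref(image_ref)
    image_segments = [host] + _segments(repo)
    best: Optional[RegistryCredential] = None
    best_len = -1
    for cred in credentials:
        cred_segments = _segments(cred.path)    # first segment is host[:port]
        n = len(cred_segments)
        if image_segments[:n] == cred_segments and n > best_len:
            best, best_len = cred, n
    if best is None:
        raise RegistryNotIntegrated(
            f"no registry credential covers {image_ref!r}; "
            "add the registry under Scan Now > Registry Credentials")
    return best


def is_integrated(image_ref: str, credentials: Iterable[RegistryCredential]) -> bool:
    """True if some configured registry covers the image, else False."""
    try:
        resolve_credential(image_ref, credentials)
        return True
    except RegistryNotIntegrated:
        return False


# Constructed sample entries: a registry-wide Google Artifact Registry credential,
# a repository-specific one beneath it, and an internal registry with a port.
SAMPLE_CREDENTIALS = (
    RegistryCredential("gar-all", "us-west1-docker.pkg.dev/my-registry", "gar"),
    RegistryCredential("gar-example-repo",
                       "us-west1-docker.pkg.dev/my-registry/example-repo", "gar"),
    RegistryCredential("internal", "registry.example.com:5000", "docker"),
)

if __name__ == "__main__":
    for ref in ("us-west1-docker.pkg.dev/my-registry/example-repo/app:1.0",
                "us-west1-docker.pkg.dev/my-registry/other/app",
                "registry.example.com:5000/team/app:2",
                "nginx:1.25"):
        if is_integrated(ref, SAMPLE_CREDENTIALS):
            print(ref, "->", resolve_credential(ref, SAMPLE_CREDENTIALS).name)
        else:
            print(ref, "-> not integrated, Scan Now would report an error")
```

Segment-wise prefix matching, rather than plain string prefix matching, is the design choice worth keeping if you write tooling around registry credentials: a partial path should only cover images that are actually beneath that namespace, not every namespace that happens to share a leading substring.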