Registry

To manage vulnerabilities in your system effectively, integrate Sysdig Secure with your container registry. This integration adds a layer of defense between your pipeline and runtime environment, enhancing defense depth. On the Sysdig Secure Registry page, you can scan repositories manually, add registries, and review scan results from both the registry scanner and the Scan Now instant image scanning to assess your image security posture.

Registries are a fundamental stage in the lifecycle of container images. Container registries accumulate a large number of images, some of which are obsolete or no longer suitable for runtime, and registry scanning provides the necessary security to avoid degradation of the posture.

See the Sysdig Vulnerability Management cycle for the benefits of scanning in pipeline, registry, and runtime phases.

The Registry page allows you to:

Search for and drill down to registries and repositories
Search and view the list of integrated registries and repositories
Search images and image tags
Determine the overall vulnerability score and exploits
Drill down the images to view the security posture of associated packages and versions.
Scan images manually
Add Registries

Registry Scanning Results

The Registry page displays scanning results from:

The registry scans that leverage the registry scanner. By default, these scans are scheduled weekly; you can also trigger manual registry scans.
Instant image scanning using the Scan Now feature. This does not require deploying CLI tools into your environment.

Prerequisites

General

Registry Scanning: Requires installing the Registry Scanner and configuring it on the desired private registries.
See Install Container Registry Scanning.
Instant Image Scanning: Requires integrating registries.
See Integrate with Container Registries, below.

On-Prem Deployments

Network and port requirements: Ensure port 443* is open for outbound traffic, allowing Sysdig to download the latest external vulnerability feeds.
See On-Prem Network and Port for more information.
IP requirements: For Sysdig to scan private repositories, your firewall must allow inbound requests from the Sysdig IP addresses.

View Scan Results

On the Registry page, you can search images and tags and assess the security posture of your images.

To view scan results:

Ensure that the registry scanner is installed and at least one scheduled scan job is completed, or have one manual scan using Scan Now completed.
Log in to Sysdig Secure and open Vulnerabilities > Registry. You can:
- Browse or search registries or repositories.
- Search by image or tag.
- Review detected vulnerabilities by severity and exploit status.
Select an image to access the tabs in the detail panel: Overview, Vulnerabilities, and Content.

Tabs	Preview
Overview: View packages and filter package that are fixable. Click the individual cells to view the Vulnerabilities list.
Vulnerabilities: Use the expanded filters and clickable list of CVEs to view complete CVE details, including source data and fix information. The same security finding, such as a particular vulnerability, can be present in more than one rule violation table if it violates several rules. The example image shows the filtered result of vulnerabilties with Critical Severity, Has Fix, and Exploitable.
Content: You can view data organized by package view, with expanded filters and clickable CVE cells. Use the Content tab to view cases, such as the software packages that are most dangerous.

Instant Image Scanning with Scan Now

You can instantly scan images in your registries and view results without deploying any CLI-based components. To do so:

Integrate with a private container registry.
Use the Scan Now button to initiate platform-based image scanning.

Add a Container Registry

You can integrate private container registries and retrieve target images for scanning by configuring necessary registry credentials. Each of the registry types has unique input fields for the credentials required. For example, username/password for Docker Registry and JSON key for Google Container Registry.

Log in to Sysdig Secure and select Vulnerabilities > Registry.
Select Scan Now > Registry Credentials.
Click Add Registry and enter:
- Registry Name: A unique name to identify the registry.
- Path: The path to the container registry, such as Docker Hub. The format is <hostname>:<port> or <hostname>:<port>/<path>. For example, us-west1-docker.pkg.dev/my-registry/example-repo
  If you are providing repository-specific credentials, provide the path to the repository.
  A registry might contain multiple namespaces in certain scenarios, each with distinct permissions. To encompass all the credentials under a single set, you can employ a partial path.
  Any image located within the partial path inside the registry will use the configured registry credentials.
- Type: Select the type of Registry you are adding. Depending on your selection, additional parameters will appear, such as the Access Key and Secret Key for AWS ECR.
- Skip TLS Validation: Toggle to disable secure validation.
Click Add Registry Credential.

Scan Now

Select Vulnerabilities > Scan Now.
The Scan Image screen appears.
Enter your image reference to scan it directly from the registry.
Click Scan Image.
You will encounter an error if you have not integrated the registry from which you are pulling the image.
To see the status of the scanning, select Scan Now > Queue.
Click on the row corresponding to an image to view the scan results.

Next Steps

Generate a registry report

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.