Integrate with Container Registries

Many image scanning pipelines use the container registry as a “passive” element; when you know which image you want to scan, you retrieve the target image from the registry. For this type of integration, you must provide the registry credentials in the Sysdig Secure interface. See Manage Registry Credentials, below.

Some registries can also trigger an event or action every time a new container is pushed into the registry. In this case, you integrate the registry notifications with Sysdig Secure image scanning so the registry can independently fire the scan. See Amazon ECR Integration.


Review the Types of Secure Integrations table for more context. The Container Registries column lists the various options and their levels of support.

Manage Registry Credentials

Registry credentials are required for Sysdig Secure to pull and analyze images. Each of the registry types has unique input fields for the credentials required (e.g., username/password for; JSON key for Google Container Registry).

The login requires at least read permissions.

Add a New Registry

  1. From the Image Scanning module, select Registry Credentials and click Add Registry.

    The New Registry page is displayed.

  2. Enter the Path to the registry (e.g. and select the registry Type from the drop-down menu.

  3. Configure the registry-specific credentials (based on the Type chosen):

    1. Docker V2: There are many Docker V2 registries, and the credential requirements may differ.

      For Azure Container Registry:

      1. Admin Account

        Username: The username value from the 'az acr credential show --name <registry name>' command result

        Password: The password or password2 value from the 'az acr credential show' command result

      2. Service Principal

        Username: The service principal app id

        Password: The service principal password

    2. AWS ECR:

      1. AWS access key

      2. AWS secret key

    3. Google Container Registry:

      1. JSON Key

  4. (Primarily for OpenShift clusters): Add an internal registry address.

    The recommended way to run an image registry for an OpenShift cluster is to run it locally. The Sysdig agent will detect the internal registry names, but for the Anchore engine to pull and scan the image it needs access to the internal registry itself.


    External name:

    Internal name: docker-registry.default.svc:5000


    Sysdig maps the internal registry name to the external registry name, so the Runtime and Repository lists will show only the external names.

  5. Optional: Toggle the switch to Allow Self-Signed certificates.

    By default, the UI will only pull images from a TLS/SSL-enabled registry.

    Toggle Allow Self-Signed to instruct the UI to skip certificate validation, for a registry that is protected with a self-signed certificate or a certificate from an unknown certificate authority.

  6. Optional: Toggle the Test Credentials switch to validate your entries.

    When enabled, Sysdig will attempt to pull the image using the entered credentials. If it succeeds, the registry will be saved. If it fails, you will receive an error and can correct the credentials or image details.

    If enabled, then enter the test registry path in the format :



  7. Click Save.
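
The name mapping described in step 4, as an added sketch that is not Sysdig's code: it rewrites image references that use the internal registry name to the external name, so an image reported under both names collapses to one entry. The external name `registry.example.com` and the sample image references are constructed placeholders.

```python
# Added illustration, not Sysdig code.
INTERNAL_NAME = "docker-registry.default.svc:5000"  # internal name shown on the page
EXTERNAL_NAME = "registry.example.com"              # assumption: constructed placeholder
REGISTRY_MAP = {INTERNAL_NAME: EXTERNAL_NAME}


def split_reference(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    ref, _, digest = ref.partition("@")
    first, sep, rest = ref.partition("/")
    # The first component is a registry host only if it contains "." or ":"
    # or is "localhost"; otherwise it belongs to the repository path.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = None, ref
    # A tag can only follow the last "/", so the registry port (":5000")
    # is never mistaken for a tag.
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest or None


def to_external(ref, mapping=REGISTRY_MAP):
    """Rewrite a reference that uses an internal registry name to its external name."""
    registry, repo, tag, digest = split_reference(ref)
    registry = mapping.get(registry, registry)
    out = f"{registry}/{repo}" if registry else repo
    if tag:
        out += f":{tag}"
    if digest:
        out += f"@{digest}"
    return out


def external_view(refs, mapping=REGISTRY_MAP):
    """Return the de-duplicated, sorted list of references under external names."""
    return sorted({to_external(r, mapping) for r in refs})


if __name__ == "__main__":
    # Constructed sample: the same image seen under both names, plus an unrelated one.
    seen = [
        "docker-registry.default.svc:5000/payments/api:1.4.2",
        "registry.example.com/payments/api:1.4.2",
        "quay.io/org/tool:2",
    ]
    print(external_view(seen))
```
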

Edit a Registry

  1. From the Image Scanning module, select Registry Credentials.

  2. Select an existing registry to open the Edit window.

  3. Update the parameters as necessary and click Save.


    The registry Type cannot be edited.

Delete a Registry

  1. From the Image Scanning module, select Registry Credentials.

  2. Select the existing registry to open the Edit window.

  3. Click Delete Registry and click Yes to confirm the change.

Next Steps

When at least one registry has been added successfully, it is possible to scan images and review scan results, taking advantage of the Default scanning policy provided.