Install Registry Scanner

Integrate Sysdig Secure with your container registry to add a layer of defense between Pipeline and Runtime and to enhance defense depth. This page describes how to install and configure the registry scanner on various private registries. See Vulnerabilities | Registry to review the scan results in the UI.

Setup

Prerequisites

Helm v3.8 or above
A Kubernetes cluster managed with Helm
The registry scanner is installed on this cluster
A Sysdig Secure API token
Recommended: Set up a service account with minimal privileges, such as a Custom role
- The Custom role will require the Vulnerability Management permissions for Sysdig Secure:
  - Registry Scanner exec
  - Scan Results: read
Network access to the target registry for the installed components
Outbound network access to the Sysdig backend to store results
If you are behind a firewall, follow the outbound network rules for vulnerability scanning.
The Registry Scanner node must possess the capacity to execute a Docker pull from the node. Use the following command to confirm this:
```
 docker pull ${THE_REGISTRY}/${A_IMAGE}
```

Supported Vendors

AWS Elastic Container Registry (ECR) Single Registry, Organizational
AWS GovCloud Elastic Container Registry (ECR) Single Registry, Organizational
JFrog Artifactory
SaaS, OnPrem
Azure Container Registry (ACR)
Single Registry
IBM Container Registry (ICR)
Quay.io
SaaS
Harbor
Google Artifact Registry (GAR), Container Registry (GCR)
Single Registry
Nexus
OpenShift Container Platform Registry

Known Limitations

A new registry scanner must be installed per registry (except for AWS Organization).
Public registries are not supported.
Images that have been scanned and reported to Sysdig are rescanned only on the designated refresh cycle. Scans are refreshed on a scheduled Helm cron job, every Saturday at 6:00 AM by default. You can adjust the schedule.
Check vendor-specific limitations on the relevant subpage.
Registry Scanner does not support multi-architecture images.

Installation

Legacy scanning engine: If you still use the legacy scanning engine and want to keep running that version, pin the Helm chart version to 0.1.39. If you deploy a later version, the current vulnerability management engine will replace the legacy installation.

Overview

Install the Registry Scanner Helm Chart:

helm repo add sysdig https://charts.sysdig.com
helm repo update

Prepare the Helm chart for your specific registry vendor. Provide:
- <SYSDIG_SECURE_URL>: Region-dependent Sysdig Secure endpoint
- <SYSDIG_SECURE_API_TOKEN>: See Retrieve the Sysdig API Token
Launch Helm instructions and allow some time for the first scan.
Check results in the Sysdig Secure Vulnerabilities | Registry UI.

Upgrade

Perform regular helm chart upgrade procedure:

Upgrade the repository with helm repo update
Re-launch the helm upgrade --install with the values from the previous installation.

Next Steps

Review scan results in the Sysdig Secure UI.

Create scanning reports

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.