Install Registry Scanner
Setup
Prerequisites
Helm v3.8 or above
A Kubernetes cluster managed with Helm
The registry scanner is installed on this cluster
Recommended: Set up a service account with minimal privileges, such as a Custom role. The Custom role will require the following Vulnerability Management permissions for Sysdig Secure:
- Registry Scanner: exec
- Scan Results: read
Network access to the target registry for the installed components
Outbound network access to the Sysdig backend to store results
If you are behind a firewall, follow the outbound network rules for vulnerability scanning.
The node that runs the Registry Scanner must be able to pull images from the target registry. Confirm this from that node with:
docker pull ${THE_REGISTRY}/${A_IMAGE}
Supported Vendors
- AWS Elastic Container Registry (ECR): Single Registry, Organizational
- AWS GovCloud Elastic Container Registry (ECR): Single Registry, Organizational
- JFrog Artifactory: SaaS, OnPrem
- Azure Container Registry (ACR): Single Registry
- IBM Container Registry (ICR)
- Quay.io: SaaS
- Harbor
- Google Artifact Registry (GAR), Container Registry (GCR): Single Registry
- Nexus
- OpenShift Container Platform Registry
Known Limitations
- A new registry scanner must be installed per registry (except for AWS Organization).
- Public registries are not supported.
- Images that have been scanned and reported to Sysdig are rescanned only on the designated refresh cycle. Scans are refreshed on a scheduled Helm cron job, every Saturday at 6:00 AM by default. You can adjust the schedule.
- Check vendor-specific limitations on the relevant subpage.
- Registry Scanner does not support multi-architecture images.
Installation
Legacy scanning engine: If you still use the legacy scanning engine and want to keep running that version, pin the Helm chart version to 0.1.39. If you deploy a later version, the current vulnerability management engine will replace the legacy installation.
Overview
Install the Registry Scanner Helm Chart:
helm repo add sysdig https://charts.sysdig.com
helm repo update
Prepare the Helm chart for your specific registry vendor. Provide:
- <SYSDIG_SECURE_URL>: the region-dependent Sysdig Secure endpoint
- <SYSDIG_SECURE_API_TOKEN>: see Retrieve the Sysdig API Token
Launch Helm instructions and allow some time for the first scan.
Check results in the Sysdig Secure Vulnerabilities | Registry UI.
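The following POSIX shell helpers are an added example, not part of the Sysdig documentation or of the registry-scanner chart. They cover the two pre-flight checks the page asks for (Helm 3.8 or newer, and a working pull from the target registry) and assemble the values for the install step. The chart name sysdig/registry-scanner, the value keys config.secureBaseURL, config.secureAPIToken, config.registryURL and cronjob.schedule, and the cron form of the default Saturday 06:00 refresh are assumptions; take the real names from the chart's values.yaml.

```shell
#!/bin/sh
# Added example: pre-flight checks and values assembly for the Helm install.
# Chart name and value keys are ASSUMED; verify them against the chart's values.yaml.

# helm_version_ok: succeed when a `helm version --short` string
# (e.g. "v3.12.3+g3a31588") is 3.8 or newer, the prerequisite on this page.
helm_version_ok() {
  v=${1#v}
  case "$v" in *.*) ;; *) return 1 ;; esac     # need at least major.minor
  major=${v%%.*}
  minor=${v#*.}
  minor=${minor%%[!0-9]*}                      # drop ".3+g3a31588", "-rc1", ...
  case "$major" in ''|*[!0-9]*) return 1 ;; esac
  case "$minor" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$major" -gt 3 ]; then return 0; fi
  if [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; then return 0; fi
  return 1
}

# registry_scanner_values: print a Helm values file from the inputs the page
# asks for. Empty inputs and a non-HTTPS Secure endpoint are rejected here,
# so a missing token is caught before helm runs instead of showing up later
# as a scanner that never reports results. The fourth argument is the refresh
# schedule; "0 6 * * 6" is the page's default of every Saturday at 06:00.
registry_scanner_values() {
  secure_url=$1 api_token=$2 registry_url=$3 schedule=${4:-"0 6 * * 6"}
  [ -n "$secure_url" ]   || { echo "SYSDIG_SECURE_URL is empty" >&2; return 1; }
  [ -n "$api_token" ]    || { echo "SYSDIG_SECURE_API_TOKEN is empty" >&2; return 1; }
  [ -n "$registry_url" ] || { echo "registry URL is empty" >&2; return 1; }
  case "$secure_url" in
    https://*) ;;
    *) echo "Sysdig Secure endpoint must use https://" >&2; return 1 ;;
  esac
  # Assumed key names (config.*, cronjob.schedule): check the chart's values.yaml.
  printf 'config:\n  secureBaseURL: "%s"\n  secureAPIToken: "%s"\n  registryURL: "%s"\ncronjob:\n  schedule: "%s"\n' \
    "$secure_url" "$api_token" "$registry_url" "$schedule"
}

# Usage from the node that will run the scanner (not executed here):
#   helm_version_ok "$(helm version --short)" || { echo "Helm >= 3.8 required" >&2; exit 1; }
#   docker pull "${THE_REGISTRY}/${A_IMAGE}" >/dev/null || exit 1
#   umask 077   # the values file carries the API token: keep it owner-readable only
#   registry_scanner_values "$SYSDIG_SECURE_URL" "$SYSDIG_SECURE_API_TOKEN" \
#       "$THE_REGISTRY" > registry-scanner-values.yaml
#   helm upgrade --install registry-scanner sysdig/registry-scanner \
#       --namespace sysdig-registry-scanner --create-namespace \
#       -f registry-scanner-values.yaml
```

Passing the token through a values file created under umask 077 keeps it out of the shell history and the process list, which `--set config.secureAPIToken=...` on the command line would not; the same values file is what the Upgrade section below re-uses with `helm upgrade --install`.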
Upgrade
Perform the regular Helm chart upgrade procedure:
- Update the repository with helm repo update
- Re-run helm upgrade --install with the values from the previous installation.
Next Steps
Review scan results in the Sysdig Secure UI.