Registry Scanning
Setup
Prerequisites
Helm v3.8 or above
A Kubernetes cluster managed with Helm
The registry scanner is installed on this cluster
Recommended: Set up a service account with minimal privileges, such as a Custom role. The Custom role will require:
- Vulnerability Management permissions for Sysdig Secure:
  - Registry Scanner: exec
  - Scan Results: read
- Scanning Legacy permissions:
  - Scanning Image Results: create
Network access to the target registry for the installed components
Outbound network access to the Sysdig backend to store results
If you are behind a firewall, follow the outbound network rules for vulnerability scanning.
Supported Registries
- AWS Elastic Container Registry (ECR): Single Registry, Organizational
- AWS GovCloud Elastic Container Registry (ECR): Single Registry, Organizational
- JFrog Artifactory: SaaS, OnPrem
- Azure Container Registry (ACR): Single Registry
- IBM Container Registry (ICR)
- Quay.io: SaaS
- Harbor
- Google Artifact Registry (GAR), Container Registry (GCR): Single Registry
- Nexus
- OpenShift Container Platform Registry
Known Limitations
- A new registry scanner must be installed per registry (except for AWS Organization).
- Public registries are not supported.
- Images that have been scanned and reported to Sysdig are rescanned only on the designated refresh cycle. Scans are refreshed on a scheduled Helm cron job, every Saturday at 6:00 AM by default. You can adjust the schedule.
- Check vendor-specific limitations on the relevant subpage.
- Registry Scanner does not support multi-architecture images.
Installation
Legacy scanning engine: If you still use the legacy scanning engine and want to keep running that version, pin the Helm chart version to 0.1.39. If you deploy a later version, the current vulnerability management engine will replace the legacy installation.
Overview
Install the Registry Scanner Helm Chart:

    helm repo add sysdig https://charts.sysdig.com
    helm repo update

Prepare the Helm chart for your specific registry vendor. Provide:
- <SYSDIG_SECURE_URL>: Region-dependent Sysdig Secure endpoint
- <SYSDIG_SECURE_API_TOKEN>: See Retrieve the Sysdig API Token
Launch Helm instructions and allow some time for the first scan.
Check results in the Sysdig Secure Vulnerabilities | Registry UI.
Upgrade
Perform the regular Helm chart upgrade procedure:
- Update the repository with helm repo update
- Re-run helm upgrade --install with the values from the previous installation.
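The install steps above and the upgrade procedure are the same helm upgrade --install invocation run twice with the same values. The script below is an added example, not Sysdig's own tooling: it reads SYSDIG_SECURE_URL and SYSDIG_SECURE_API_TOKEN from the environment, checks them, and writes the token into a mode-0600 temporary values file so it never appears on the helm command line (where it would land in shell history and the process list). The chart name sysdig/registry-scanner and the values keys config.secureBaseURL and config.secureAPIToken are assumptions for illustration; confirm them against the chart's values.yaml before use.

```shell
#!/bin/sh
# Added example wrapper for the registry scanner Helm install/upgrade.
# ASSUMPTIONS (not from the Sysdig docs): chart name and values keys below.
set -eu

CHART="${CHART:-sysdig/registry-scanner}"      # assumed chart name
RELEASE="${RELEASE:-registry-scanner}"
NAMESPACE="${NAMESPACE:-registry-scanner}"

# validate_config URL TOKEN -> returns 0 if usable, 1 otherwise.
# Requiring https keeps the API token off a cleartext connection.
validate_config() {
  url="$1"; token="$2"
  case "$url" in
    https://*) ;;
    *) echo "SYSDIG_SECURE_URL must be an https:// endpoint" >&2; return 1 ;;
  esac
  [ -n "$token" ] || { echo "SYSDIG_SECURE_API_TOKEN is empty" >&2; return 1; }
  return 0
}

# write_values URL TOKEN FILE: write a values file readable only by the caller.
# The token lives in a 0600 file passed via -f, not in a --set argument.
write_values() {
  url="$1"; token="$2"; out="$3"
  : > "$out"
  chmod 600 "$out"
  cat > "$out" <<EOF
config:
  secureBaseURL: "$url"        # assumed key
  secureAPIToken: "$token"     # assumed key
EOF
}

# First install and later upgrades are the same command; extra arguments
# (for example --dry-run, or -f with your vendor-specific values) are passed through.
install_or_upgrade() {
  validate_config "${SYSDIG_SECURE_URL:-}" "${SYSDIG_SECURE_API_TOKEN:-}" || return 1
  vals="$(mktemp)"
  trap 'rm -f "$vals"' EXIT
  write_values "$SYSDIG_SECURE_URL" "$SYSDIG_SECURE_API_TOKEN" "$vals"
  helm repo add sysdig https://charts.sysdig.com >/dev/null 2>&1 || true
  helm repo update
  helm upgrade --install "$RELEASE" "$CHART" \
    --namespace "$NAMESPACE" --create-namespace \
    -f "$vals" "$@"
}

# Usage: SYSDIG_SECURE_URL=https://... SYSDIG_SECURE_API_TOKEN=... sh install.sh --dry-run
# install_or_upgrade "$@"
```

Run it once for the initial install and again, unchanged, for every upgrade; keep any vendor-specific values file you pass with -f under the same restrictive permissions, since it typically carries registry credentials too.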