Registry Scanning
Scanning images helps prevent CVEs from entering your cluster and hardens your environment. ARMO Platform can also scan your image registries for vulnerabilities so your images have a reduced risk profile when pulled into your environment.
Registry scanning is available in the Registry Scanning section.
Filter CVEs
You can filter CVEs by severity by clicking the severity tiles at the top of the page. Click a tile again to remove the filter.
You can further filter CVEs by clicking +Add filter. Filters include fixable CVEs and severity. You can also reorder the list of failed workloads by clicking the arrows in the table.
View failed images
Click an image to view the identified CVEs. By default, failed CVEs are ordered by severity. Click the name of the CVE for more information.
If a fix exists, the Fixable column has a Yes, and the Fix in version column has an entry. CVEs are frequently fixed when you upgrade the resource to a later version.
Accepting a Risk
Accepting a risk is not yet supported for registry scanning.
Tested on
Registry scanning was tested on the following registries:
- Harbor
- Private GCR
- ECR
- Official docker registry image
- Public quay.io registries
- Private quay.io registries owned by the user who owns the username/password of the access token auth_method
Walkthrough: How to grant permissions for my ECR/GCR Image registry?
Registry scanning supports "ips" authentication as well, enabling cloud provider native authentication.
In order to set cloud provider authentication use the following script examples:
Known limitations
- ARMO Platform's registry scanning will scan up to 500 image tags for a single registry.
- The depth is calculated by lexical order (last X tags, with 'latest' always considered if it exists).
- Only registries that support /v2/_catalog and /v2/<name>/tags/list official APIs with regular docker credentials are supported unless explicitly mentioned in "kind" field in the secret.
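The lexical-order rule in the limitations above means the tags that get scanned are not necessarily the newest releases. The following is an added example, not ARMO Platform code: it parses a constructed /v2/<name>/tags/list response and reports which tags a depth limit would leave unscanned. It assumes plain code-point string ordering and that 'latest' is added on top of the depth; the function names and the sample repository are hypothetical.

```python
import json
import re

# Constructed sample of a /v2/<name>/tags/list response body (not real data).
SAMPLE_TAGS_RESPONSE = json.dumps({
    "name": "example/app",
    "tags": ["v1.2.0", "v1.9.0", "v1.10.0", "v1.11.0", "v2.0.0", "latest"],
})

def parse_tags(body):
    """Extract the tag list from a tags/list JSON body; 'tags' may be null."""
    return json.loads(body).get("tags") or []

def scan_scope(tags, depth):
    """Last `depth` tags in lexical order, plus 'latest' when present.

    Assumptions: code-point string ordering, and 'latest' is added on top
    of `depth` rather than counted against it.
    """
    ordered = sorted(set(tags))
    selected = ordered[-depth:] if depth > 0 else []
    if "latest" in ordered and "latest" not in selected:
        selected.append("latest")
    return selected

def version_key(tag):
    """Numeric (major, minor, patch) key for tags like v1.10.0, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(p) for p in m.groups()) if m else None

def newer_tags_out_of_scope(tags, depth):
    """Unscanned tags that are numerically newer than an in-scope version."""
    in_scope = scan_scope(tags, depth)
    in_keys = [k for k in map(version_key, in_scope) if k is not None]
    if not in_keys:
        return []
    oldest = min(in_keys)
    missed = [t for t in set(tags) - set(in_scope)
              if version_key(t) is not None and version_key(t) > oldest]
    return sorted(missed, key=version_key)

if __name__ == "__main__":
    tags = parse_tags(SAMPLE_TAGS_RESPONSE)
    print("in scope:", scan_scope(tags, 3))
    print("newer but skipped:", newer_tags_out_of_scope(tags, 3))
```

With a depth of 3, v1.10.0 and v1.11.0 sort before v1.2.0 as strings and fall out of scope, so zero-padded or date-based tag names keep the scan window aligned with release order.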