Registry Scanning

Scanning images helps prevent CVEs from entering your cluster and hardens your environment. ARMO Platform can also scan your image registries for vulnerabilities so your images have a reduced risk profile when pulled into your environment.

Registry scanning is available in the Registry Scanning section.

Filter CVEs

You can filter CVEs by severity using the severity tiles at the top of the page. Click a tile to apply the filter, and click it again to remove the filter.

You can further filter CVEs by clicking +Add filter. Filters include fixable CVEs and severity. You can also reorder the list of failed workloads by clicking the arrows in the table.

View failed images

Click an image to view the identified CVEs. By default, failed CVEs are ordered by severity. Click the name of the CVE for more information.

If a fix exists, the Fixable column has a Yes, and the Fix in version column has an entry. CVEs are frequently fixed when you upgrade the resource to a later version.

Accepting a Risk

Accepting a risk is not yet supported for registry scanning.

Tested on

Registry scanning was tested on the following registries:

Walkthrough: How to grant permissions for my ECR/GCR Image registry?

Registry scanning supports "ips" authentication as well, enabling cloud provider native authentication.
To set cloud provider authentication, use the following script examples:

Known limitations

  • ARMO Platform's registry scanning will scan up to 500 image tags for a single registry.
  • The depth is calculated by lexical order (last X tags, with 'latest' always considered if it exists).
  • Only registries that support the official /v2/_catalog and /v2/<name>/tags/list APIs with regular Docker credentials are supported, unless explicitly mentioned in the "kind" field in the secret.
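
The following is an added example, not ARMO Platform's own code: it applies the tag-selection rule above to a constructed /v2/<name>/tags/list response body to show which tags fall outside the scan depth. It assumes plain codepoint ordering for "lexical order" and that 'latest' counts toward the depth; the function name, repository name and sample tags are hypothetical.

```python
import json

# Constructed sample of a /v2/<name>/tags/list response body (not real data).
SAMPLE_TAGS_LIST = json.dumps({
    "name": "team/payments-api",
    "tags": ["v1.2.0", "v1.9.0", "v1.10.0", "v1.11.0", "latest", "v2.0.0-rc1"],
})


def tags_in_scan_depth(tags_list_body, depth):
    """Return (scanned, skipped) tags for one repository.

    Assumptions (labelled, not taken from the product): string comparison
    by codepoint stands in for "lexical order", and 'latest' counts toward
    the depth instead of being added on top of it.
    """
    # Some registries return "tags": null for an empty repository.
    tags = json.loads(tags_list_body).get("tags") or []
    ordered = sorted(set(tags))
    if depth <= 0:
        return [], ordered

    has_latest = "latest" in ordered
    rest = [t for t in ordered if t != "latest"]
    keep = depth - 1 if has_latest else depth

    # "Last X tags" in lexical order; guard against depth > number of tags.
    scanned = rest[max(0, len(rest) - keep):] if keep > 0 else []
    if has_latest:
        scanned.append("latest")
    skipped = [t for t in ordered if t not in scanned]
    return scanned, skipped


if __name__ == "__main__":
    scanned, skipped = tags_in_scan_depth(SAMPLE_TAGS_LIST, depth=3)
    print("scanned:", scanned)
    print("skipped:", skipped)
```

With this sample and a depth of 3, v1.10.0 and v1.11.0 are skipped while v1.9.0 is scanned, because "v1.1..." sorts before "v1.9" lexically. Tag schemes without zero-padded or fixed-width version components can therefore leave the newest images outside the scanned set.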