The Deepfactor static scan utility can scan images hosted in private registries. To do so, the Deepfactor scanner needs to authenticate with the registry; you provide the registry credentials to the scanner through environment variables. The following sections describe the environment variables that need to be set for each type of private registry.
Private registries with basic authentication support (Ex. Docker Hub registry) #
If you are trying to scan container images hosted in private registries that support basic authentication, set the following environment variables in the terminal before initiating the scan with the dfctl scan command.
- REGISTRY_USERNAME
- REGISTRY_PASSWORD
Usage:
export REGISTRY_USERNAME=DOCKER_REGISTRY_USERNAME
export REGISTRY_PASSWORD=DOCKER_REGISTRY_PASSWORD
Amazon Elastic Container Registry (Amazon ECR) #
The Deepfactor scanner uses the AWS SDK internally, so you don’t need to install the aws CLI tool. If you are trying to scan container images hosted in Amazon Elastic Container Registry (Amazon ECR), you will need to export the following environment variables before initiating the scan.
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_DEFAULT_REGION
Please refer to the following AWS article for more details: Environment variables to configure the AWS CLI.
Note: Please ensure you unset the REGISTRY_USERNAME environment variable before starting the scan.
unset REGISTRY_USERNAME
Google Container Registry (GCR) #
The Deepfactor scanner uses the Google Cloud SDK internally, so you don’t need to install the gcloud command. To authenticate with GCR, you will need to provide a credentials file for an identity that has the roles/storage.objectViewer permission.
Please refer to the following Google Cloud document for more details.
Please set the path of the credentials file in the following environment variable.
- GOOGLE_APPLICATION_CREDENTIALS
Usage:
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
Note: Please ensure you unset the REGISTRY_USERNAME environment variable before starting the scan.
unset REGISTRY_USERNAME
Azure Container Registry (ACR) #
The Deepfactor scanner uses the Azure SDK internally, so you don’t need to install the az command. Please ensure the service principal whose credentials you export has the AcrPull permission. You will need to set the following environment variables before initiating the scan.
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_TENANT_ID
Example Usage:
Create the service principal
export SP_DATA=$(az ad sp create-for-rbac --name DFScan --role AcrPull --scope "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ContainerRegistry/registries/<REGISTRY_NAME>")
Set client id, secret and tenant environment variables
export AZURE_CLIENT_ID=$(echo "$SP_DATA" | jq -r .appId)
export AZURE_CLIENT_SECRET=$(echo "$SP_DATA" | jq -r .password)
export AZURE_TENANT_ID=$(echo "$SP_DATA" | jq -r .tenant)
Run the scan using dfctl
dfctl scan IMAGE_NAME
Note: Please ensure you unset the REGISTRY_USERNAME environment variable before starting the scan.
unset REGISTRY_USERNAME
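The four sections above each list a different set of environment variables, and three of them repeat the warning that a leftover REGISTRY_USERNAME must be unset. The following preflight check, added here as an example and not part of Deepfactor's tooling, encodes those rules: it infers the registry type from the image reference's host, confirms the variables this page lists for that type are set, and flags the REGISTRY_USERNAME conflict, printing only variable names and never their values. The host patterns for ECR, GCR and ACR are assumptions based on those services' usual hostnames.

```shell
# Preflight check (added example, not Deepfactor's own code): infer the registry
# type from an image reference, verify the environment variables this page lists
# for that type, and flag the REGISTRY_USERNAME conflict the notes warn about.
# Prints the inferred type on stdout; returns 0 only when the environment is consistent.
df_registry_preflight() {
    image="$1"
    case "$image" in
        */*) host="${image%%/*}" ;;
        *)   host="docker.io" ;;          # bare name such as nginx:1.25
    esac
    case "$host" in
        *.*|*:*|localhost) ;;             # first path component looks like a registry host
        *) host="docker.io" ;;            # e.g. library/nginx: a namespace, not a host
    esac

    # Host patterns are assumptions about each provider's registry hostnames.
    case "$host" in
        *.dkr.ecr.*.amazonaws.com) kind=ecr;   required="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION" ;;
        gcr.io|*.gcr.io)           kind=gcr;   required="GOOGLE_APPLICATION_CREDENTIALS" ;;
        *.azurecr.io)              kind=acr;   required="AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID" ;;
        *)                         kind=basic; required="REGISTRY_USERNAME REGISTRY_PASSWORD" ;;
    esac

    rc=0
    for var in $required; do
        eval "value=\${$var:-}"           # indirect lookup by variable name; value is never printed
        if [ -z "$value" ]; then
            echo "missing: $var (required for $kind registry $host)" >&2
            rc=1
        fi
    done
    # GCR takes a file path: make sure it points at a readable credentials file.
    if [ "$kind" = gcr ] && [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ] \
        && [ ! -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
        echo "unreadable: GOOGLE_APPLICATION_CREDENTIALS file" >&2
        rc=1
    fi
    # The notes above: REGISTRY_USERNAME must be unset when scanning ECR, GCR or ACR.
    if [ "$kind" != basic ] && [ -n "${REGISTRY_USERNAME:-}" ]; then
        echo "conflict: unset REGISTRY_USERNAME before scanning a $kind registry" >&2
        rc=1
    fi
    echo "$kind"
    return $rc
}

# Typical use: run the check first and start the scan only if it passed.
# df_registry_preflight "$IMAGE" && dfctl scan "$IMAGE"
```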