You can use webhooks to trigger a scan when images in your registry’s repositories are added or updated.
Twistlock supports webhooks for Docker Hub , Docker Registry, and Azure Registry.
Twistlock requires Docker Registry 2.4 or later. |
Google Container Registry and Amazon EC2 Container Registry do not currently support webhooks. |
For Docker Hub, you must have Automated Builds enabled for your repository. Docker Hub webhooks are called when an image is built or a new tag is added to your automated build repository.
For Docker Private Registry, webhooks are called when manifests are pushed or pulled, and layers are pushed or pulled. Twistlock scans images in response to layer push events.
For Azure Registry, you can configure webhooks for your container registry that generate events when certain actions are performed against it. See Azure’s documentation for more information.
The benefit of webhook-initiated scans is that they are triggered as soon as images change, but support is limited to Docker Hub, Docker Registry, and Azure Registy. Twistlock also supports scheduled registry scans, with support for almost all registry types, including Google Container Registry and Amazon EC2 Container Registry.
Webhooks call the Twistlock API on Console’s management ports over either HTTP or HTTPS.
Although it is convenient to test webhooks with HTTP, we strongly recommend that you set up webhooks to call Console over HTTPS. To call webhooks over HTTPS, you must install a certificate trusted by the registry. For more information about securing Console’s management port with a custom cert, see Custom certs for Console access.
By default, Twistlock uses self-signed certificates to secure HTTP traffic. Self-signed certificates are not supported (trusted) by Docker Hub, and Docker Registry would require you to configure Twistlock as a trusted CA (not supported, and not recommended). Instead install a certificate signed by a trusted certificate authority (CA), such as Comodo or Symantec. |
To set up webhook-initiated scans, configure your registry’s webhook with the URL provided in Console. The following procedure shows you how to set up webhooks in Docker Hub.
Docker Hub, with Automated Builds enabled.
Open Console.
Go to Defend > Vulnerabilities > Registry.
Scroll down to the section Registry webhooks, then enter the following information:
Set Allow image scans initiated by registry webhooks to On.
In order for this setting to be persisted, you must modify table under Registry Settings by adding, modifying, or deleting an entry, then clicking Save. |
In the drop down list, select the DNS name or IP address that Docker Hub can use to reach Console.
Your selection generates a URL that you will use to configure Docker Registry.
Copy the URL.
By default, the generated URL employs HTTP. For HTTPS, replace http:// with https://.
Configure Docker Hub.
Log into Docker Hub.
Select a repository, and then click Webhooks.
Create a new webhook. Specify a name, and paste the URL you copied from Console.
Click Save.
Test the integration by triggering a build.
Go to Monitor > Vulnerabilities > Registry to view the scan report. Twistlock scans the image as soon as it is built.