Twistlock can scan container images in both public and private repositories on both public and private registries.
The registry is a system for storing and distributing Docker images. The most well-known public registry is Docker Hub, although there are also registries from Amazon, Google, and others. Organizations can also set up their own internal private registries. Twistlock can scan container images on all of these types of registries.
Registry scanning is handled by Defender. When you configure Twistlock to scan a registry, you can either:
Direct Twistlock to automatically distribute the scan job across a pool of available Defenders, or
Explicitly specify the Defender to do the job.
Any Defender is capable of scanning a registry, and any number of Defenders can simultaneously operate as a registry scanner. This gives you a lot of options when you’re trying to figure out how to cover disparate environments.
In general, you should configure Twistlock to automatically distribute scan jobs, because it reduces operational complexity and improves resiliency. At scan time, Twistlock enumerates the available Defenders, manages the resource pool, and handles issues such as restarting partially completed jobs. If you explicitly select a specific Defender to handle scanning, the host where that Defender runs is a single point of failure: if the host fails or is destroyed, you have to manually edit the scan rule to select a different Defender.
When selecting the automatic algorithm for registry scanning, you can specify the number of Defenders in the resource pool. For large registries or aggressive scan intervals, increase the number of Defenders to increase throughput and reduce scan time.
Registry scanning is scoped by OS type. Windows Defenders can only scan Windows images, and Linux Defenders can only scan Linux images.
If you remove an image from the registry, or the registry becomes unavailable, Twistlock maintains the scan results for 30 days. After 30 days, the scan results are purged.
To scan images in a registry, create a new registry scan rule.
Open Console.
Go to Defend > Vulnerabilities > Registry.
Click Add registry settings.
Each rule has the following parameters, although the parameters can vary according to registry type. For step-by-step instructions for a registry from a specific vendor, see the appropriate registry-specific guide.
Field | Description |
---|---|
Version | Specify the type of registry to scan. If you do not find your vendor's registry in the drop-down list, try Docker Registry v2; most vendors comply with the Docker Registry version 2 API. For Harbor, specify Docker Registry v2. |
Registry | Specify the URL for the registry. For Docker Hub, leave this field blank. For Harbor, specify the FQDN of your Harbor registry. |
Repository name | Specify the repository to scan. This field supports pattern matching. To scan all repositories, enter a wildcard (`*`). Docker Hub: to specify an official Docker repository, enter `library/` followed by the short name of the repo; for example, to scan the images in the official Alpine Linux repository, enter `library/alpine`. To specify a non-official repository, enter the user or organization name, a slash, and the name of the repo; for example, to specify the alpine repository in onescience's account, enter `onescience/alpine`. To scan all repos from a user or organization, enter the user or organization name followed by a wildcard, for example `onescience/*`. Amazon EC2 Container Registry: enter the repositoryName. Google Container Registry: enter your project ID and image name in the format `project-id/image-name`, or leave this field blank to sync all the repos in your GCR account with Twistlock automatically. Harbor: to specify a repository, enter the name of the repository followed by a wildcard (`*`). Any Docker Registry version 2 API compliant registry: to scan all images in all repositories in the registry, leave this field blank. Twistlock then stays synchronized with the registry: when repos are added, their images are automatically scanned for vulnerabilities, and if there is no activity in the registry, periodic scans run at the interval specified in Manage > System > Scan (by default, once every 24 hours). Docker Hub, Docker Registry, Amazon Container Registry, Google Container Registry, and Alibaba Container Registry all support the Docker Registry version 2 API. |
Tag | Specify an image tag. Leave this field blank to scan all tags (limited by the value in Cap). |
Credentials | Specify the credentials required to access the registry. If the credentials already exist in the Twistlock credential store, select them; if not, click Add New. Public repositories on public registries (such as Docker Hub): leave this field blank; no credentials are required. AWS EC2 Container Registry: use IAM access keys for authentication; for more information, see Scan images on Amazon EC2 Container Registry (ECR). Google Container Registry: use the service account and JSON token; for more information, see Scan images on Google Container Registry. Harbor Registry: create a Basic authentication credential. The account must be a Harbor Administrator; a Project Admin is not sufficient. Registries that support token authentication (for example, Quay and GitLab): create a Basic authentication credential, where the username is the name of the token and the token value is entered in the password field. |
OS Type | Specify whether the image is built on a Windows or Linux base OS. |
Scanner | Specify the Defender to scan this registry. Only Linux Defenders can scan Linux container images, and only Windows Defenders can scan Windows container images. |
Number of scanners | Number of Defenders across which the scan job can be distributed. Increase the number of Defenders to increase throughput and reduce scan time. |
Cap | Specify the maximum number of images to scan in the given repository. Images are ordered by last modified date, so the most recently modified image in the repository is scanned first, followed by the next most recently modified, and so on. The Docker Registry API does not support directly querying for the most recently updated images, so to honor the cap Twistlock first polls the registry for all tags and manifests in the repository to discover their last updated dates. This is a low-overhead operation because no images need to be downloaded. Twistlock then sorts the results by date and scans the most recently updated images up to the cap. Even when the cap is set to a low number, you might therefore still notice the Twistlock UI polling the registry for data about every image in the repository. To scan all images in a repository, set the cap to 0. |
Additional scan settings can be found under Manage > System > Scan, where you can set the registry scan interval.
The Manage > System > Scan page has an option called Only scan images with running containers. This option does NOT apply to registry scanning: all images targeted by your registry scan rules are scanned regardless of how Only scan images with running containers is set.
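The Repository name, Tag and Cap fields above interact: the repository pattern picks repos, the tag filter narrows them, and the cap keeps only the newest images per repo after a date sort that Twistlock has to do itself because the registry API cannot return "newest first". The following Python is an added worked example, not Twistlock code; the catalog, repository names and timestamps are constructed, and glob-style matching is an assumption standing in for the product's own pattern matcher.

```python
"""Worked example, added to this page and not part of Twistlock: how the
Repository name, Tag and Cap fields of a registry scan rule narrow the set
of images that gets scanned.

Everything below is constructed. In a live registry the catalog would come
from the Docker Registry v2 API (GET /v2/_catalog, GET /v2/<name>/tags/list)
and each tag's date from the `created` field of the image config that its
manifest references; the registry offers no "newest first" query, which is
why the sort happens here, on the scanner side.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Dict, List


@dataclass(frozen=True)
class ImageRef:
    repository: str
    tag: str
    created: datetime


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample catalog (not real Docker Hub data): repository -> images.
SAMPLE_CATALOG: Dict[str, List[ImageRef]] = {
    "library/alpine": [
        ImageRef("library/alpine", "3.8", _ts("2018-06-26T00:00:00")),
        ImageRef("library/alpine", "3.9", _ts("2019-01-30T10:00:00")),
        ImageRef("library/alpine", "latest", _ts("2019-01-30T12:00:00")),
    ],
    "onescience/alpine": [
        ImageRef("onescience/alpine", "1.0", _ts("2018-03-01T00:00:00")),
        ImageRef("onescience/alpine", "1.1", _ts("2018-09-01T00:00:00")),
    ],
    "onescience/web": [
        ImageRef("onescience/web", "v2", _ts("2019-02-01T00:00:00")),
    ],
    "acme/api": [
        ImageRef("acme/api", "dev", _ts("2019-02-02T00:00:00")),
    ],
}


def repository_matches(pattern: str, repository: str) -> bool:
    """Blank or "*" selects every repository; otherwise the pattern is
    matched as a shell-style glob, so "library/alpine" is exact and
    "onescience/*" covers every repo under that account. Assumption: the
    page only says the field "supports pattern matching"; glob semantics
    are used here to stand in for the product's matcher."""
    if pattern == "":
        return True
    return fnmatchcase(repository, pattern)


def select_images(catalog: Dict[str, List[ImageRef]],
                  repository_pattern: str = "",
                  tag: str = "",
                  cap: int = 0) -> List[ImageRef]:
    """Return the images a rule would scan, newest first within each repo.

    tag == "" means all tags; cap == 0 means no per-repository limit.
    The cap applies per matched repository, as the Cap field describes.
    """
    selected: List[ImageRef] = []
    for repo, images in catalog.items():
        if not repository_matches(repository_pattern, repo):
            continue
        candidates = [img for img in images if tag == "" or img.tag == tag]
        # All tags/manifests are read first (cheap, no layer downloads),
        # then sorted by date so the cap keeps the most recent ones.
        candidates.sort(key=lambda img: img.created, reverse=True)
        if cap > 0:
            candidates = candidates[:cap]
        selected.extend(candidates)
    return selected


def describe(images: List[ImageRef]) -> List[str]:
    """Human-readable 'repo:tag' list, in scan order."""
    return [f"{img.repository}:{img.tag}" for img in images]


if __name__ == "__main__":
    print("official alpine, all tags:", describe(select_images(SAMPLE_CATALOG, "library/alpine")))
    print("official alpine, cap 2:", describe(select_images(SAMPLE_CATALOG, "library/alpine", cap=2)))
    print("everything under onescience:", describe(select_images(SAMPLE_CATALOG, "onescience/*")))
    print("whole registry, newest per repo:", describe(select_images(SAMPLE_CATALOG, "", cap=1)))
```

Note that a low cap does not save the enumeration step: every tag in a matched repository is still listed and dated before the cut is made, which is why the UI keeps polling even with Cap set to 1.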
For registry scanning in CRI/containerd-only environments, you must install a Linux Container Defender on a separate host. With the current CRI design, Twistlock CRI Defenders can scan running containers, but not images from a registry. In Docker environments, Twistlock scans an image by creating a scanning container, which is a running instance of the image to be scanned. In a CRI environment, the kubelet reconciles the pods on the local host with those known to the API server and deletes anything else, including Twistlock's scanning container pods. For this reason, Twistlock does not support registry scanning with CRI Defenders.