Docker image analysis

If the server on which Cyberwatch is installed runs a kernel version lower than 5.11, cbw-on-premise version 5.25 or later is required in order to scan Docker images.

Configuring Docker registries

From Stored credentials, you may add credentials of type Docker registry. For testing purposes, the Docker Hub public registry should be configured by default.

If your registry uses a self-signed certificate, you will need to either disable certificate verification, or have it signed by a trusted Certificate Authority. Please note that the Docker engine will likely require a similar configuration, as described at https://docs.docker.com/registry/insecure/.

Private Amazon ECR registries require access to the AWS API for authentication. The procedure for creating an API key and adding it to Cyberwatch using stored credentials is the same as described for Amazon EC2 discoveries. The API key must allow creating temporary passwords for logging in to the registry. Then, to make the AWS key selector appear in the Docker registry addition form, the URL of the registry must end with .amazonaws.com.
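As an added illustration (not part of the Cyberwatch documentation), the IAM policy below grants the stored AWS key only what an image pull needs: ecr:GetAuthorizationToken, which issues the temporary registry password mentioned above and must be granted on "*", plus the read-only layer and manifest actions scoped to the repositories Cyberwatch should scan. The repository ARN is a placeholder, and the assumption that these four actions are sufficient comes from the standard ECR pull permission set rather than from this page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CyberwatchTemporaryRegistryPassword",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "AssumedPullOnlyActionsScopedToScannedRepositories",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:REGION:ACCOUNT_ID:repository/PLACEHOLDER_REPO"
    }
  ]
}
```

Keeping write actions (ecr:PutImage, ecr:InitiateLayerUpload and similar) out of this policy limits the impact if the stored credential is ever exposed.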

Google Artifact Registry requires a service account JSON key for authentication. See https://cloud.google.com/artifact-registry/docs/docker/authentication?hl=en#json-key for details. You first need to register that key as a stored credential of type Google Cloud Platform. Then, when adding the Docker Registry stored credential, you will be able to select your key as soon as you enter a URL ending with -docker.pkg.dev.

Adding a Docker image

Docker images are managed from Assets management > Docker images.

To add a Docker image:

  1. Go to Docker images
  2. Click Add on the top right corner
  3. Fill in the form:

    • Image refers to the name of the Docker image in the “namespace/name” format. When using an official image from the Docker Hub registry, please explicitly specify the library namespace
    • Tag refers to the version of the image
    • Registry refers to the Docker registry to pull the image from
    • Source refers to the Cyberwatch node that should perform the scan
  4. Click Confirm

When adding an image, an analysis task is spawned in the background, leading on success to the creation of an asset in the Vulnerabilities inventory. The associated asset, or a potential error message, will be displayed on the image index at Docker images when the task completes.
