Docker Swarm
Docker Swarm discoveries let you list the images available locally on a Docker execution engine. They apply to Docker Swarm deployments but are not limited to them: any Docker daemon will be compatible.
Only tagged Docker images will be listed, which excludes intermediate images, or images pulled with an explicit ID.
Configuring the Docker engine
To allow scanning from Cyberwatch, the Docker daemon to scan must accept external connections. For security reasons, it is essential to authenticate incoming connections through TLS, as described in the official Docker documentation: https://docs.docker.com/engine/security/https/.
Cyberwatch provides documentation and scripts to generate the required certificates to configure TLS for your Docker engine: https://github.com/Cyberwatch/docker-scanner.
Please follow the given documentation on GitHub to configure your Docker engine.
The Cyberwatch support team may also assist you in this configuration if needed.
Once the Docker engine is ready with TLS, you should have the following elements:
- The certificate of your Certificate Authority
- The client certificate signed by your Certificate Authority
- The private key associated with your client certificate
Finally, go to Stored credentials, from which you may add credentials of type Docker engine. The expected URL looks like tcp://…:2376, and the expected certificates are the ones described above.
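As an added example, not part of the Cyberwatch documentation or of the docker-scanner scripts, the following Python shows what a client holding those three files does when it talks to the TLS-protected daemon: it parses the tcp://host:2376 URL, presents the CA-signed client certificate, and keeps only tagged images from the Engine API reply, dropping intermediate images and images pulled by explicit ID as described above. The sample API reply is constructed; the host and file names are assumptions.

```python
import http.client
import json
import ssl
from urllib.parse import urlparse

# Constructed sample of a GET /images/json reply: one tagged image, one
# intermediate image tagged <none>:<none>, and one image pulled by digest only.
SAMPLE_IMAGES_JSON = json.dumps([
    {"Id": "sha256:aaa", "RepoTags": ["example.com/library/hello:1.0"]},
    {"Id": "sha256:bbb", "RepoTags": ["<none>:<none>"]},
    {"Id": "sha256:ccc", "RepoTags": None,
     "RepoDigests": ["example.com/library/tool@sha256:ccc"]},
])


def parse_engine_url(url):
    """Split a stored-credential URL such as tcp://host:2376 into (host, port)."""
    parts = urlparse(url)
    if parts.scheme != "tcp" or not parts.hostname:
        raise ValueError(f"expected tcp://host:port, got {url!r}")
    return parts.hostname, parts.port or 2376


def tagged_images(images_json):
    """Return only images carrying a real tag, as the discovery lists them.

    Intermediate images report no tag or '<none>:<none>'; images pulled by an
    explicit ID or digest have a RepoDigest but no tag. Both are dropped.
    """
    tags = []
    for image in json.loads(images_json):
        for tag in image.get("RepoTags") or []:
            if not tag.startswith("<none>"):
                tags.append(tag)
    return sorted(tags)


def list_tagged_images(engine_url, ca_file, cert_file, key_file):
    """Query the Engine API over mutually authenticated TLS: the daemon's
    certificate is checked against the CA and the client certificate is
    presented, so a caller without one fails the handshake before the API."""
    host, port = parse_engine_url(engine_url)
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", "/images/json")
    resp = conn.getresponse()
    if resp.status != 200:
        raise RuntimeError(f"engine returned HTTP {resp.status}")
    return tagged_images(resp.read().decode())
```

Against a configured daemon, `list_tagged_images("tcp://docker.example.com:2376", "ca.pem", "cert.pem", "key.pem")` returns the same set of tags the discovery would show (hypothetical host and file names).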
Add the discovered Docker images
From the discovery assets list, you may see and filter the Docker images without any associated assets. To add them to Cyberwatch, pick the images you wish to scan and click Bulk actions > Scan as Docker images.
Newly discovered Docker images can be automatically added to Cyberwatch by enabling automatic registration from the discovery edition form.
The registry is automatically selected based on the name of the discovered image. For instance, the image example.com/library/hello would automatically use the registry example.com, provided it has been added as a stored credential. New registries are automatically added as stored credentials, and you can manually edit them if they require authentication. You may in certain contexts select a preferred registry, but it will only be selected when the registry in the name of the discovered image matches the entry point of the registry.