Scanning registries

Scan your images for vulnerabilities before you deploy them to a cluster, or assess the risk of public images, using registry scanning.

Kubescape scans up to 500 image tags for a single registry. Scan depth is determined by the lexical order of the tags, and the latest tag, if it exists, is always treated as the most recent.

Before you begin

Supported registries

ARMO Platform explicitly supports the following registry providers:

  • ECR
  • GCR
  • Harbor
  • Quay

Registries that support the official /v2/_catalog and /v2/<name>/tags/list APIs with regular Docker credentials are also supported through the Generic option.
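A pre-flight check for the Generic option, as an added example that is not part of ARMO Platform or Kubescape: it probes the two endpoints named above with HTTP Basic credentials and compares the tag count with the 500-tag limit. The function names, the registry host and the credentials are assumptions made for illustration.

```python
import base64
import json
import urllib.error
import urllib.request

TAG_LIMIT = 500  # per-registry tag limit stated on this page


def http_get(url, user=None, password=None, timeout=10):
    """Fetch url with optional HTTP Basic credentials; return (status, json_or_None)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None  # e.g. 401 bad credentials, 404 endpoint missing
    except (OSError, ValueError):
        return None, None  # unreachable host, timeout, or non-JSON body


def check_generic_registry(base_url, fetch=http_get, **creds):
    """Probe /v2/_catalog and /v2/<name>/tags/list and count the tags found.

    Only the first catalog page is read; a paginated catalog undercounts.
    """
    base = base_url.rstrip("/")
    status, body = fetch(f"{base}/v2/_catalog", **creds)
    if status != 200 or not isinstance(body, dict) or "repositories" not in body:
        return {"supported": False, "failed": "/v2/_catalog", "status": status}
    total = 0
    for name in body["repositories"]:
        status, tags = fetch(f"{base}/v2/{name}/tags/list", **creds)
        if status != 200 or not isinstance(tags, dict) or "tags" not in tags:
            return {"supported": False, "failed": f"/v2/{name}/tags/list", "status": status}
        total += len(tags["tags"] or [])  # registries return null for an empty repo
    return {"supported": True, "repositories": len(body["repositories"]),
            "tags": total, "over_limit": total > TAG_LIMIT}


if __name__ == "__main__":
    # registry.example.internal and the credentials are placeholders.
    print(check_generic_registry("https://registry.example.internal",
                                 user="scanner", password="change-me"))
```

A result with over_limit set to True means the registry holds more tags than a single registry scan covers.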

Add and scan a public registry

  1. Navigate to Settings, and then click Registries.
  2. Click Add Registry.
  3. Select the Registry Provider, and then enter the registry URL.
  4. Select the cluster that you want to use to scan the registry.
  5. Select Public in the Registry Type, and then click Next.
  6. Choose the protocol you want to use to communicate with the registry.
  7. Click Test. ARMO Platform communicates with the registry to ensure all entries are correct.
  8. When successful, click Continue to add and scan the registry.

The new registry is listed in the Registry Scanning section and displays any vulnerabilities found on the image.

Add and scan a private registry

  1. Navigate to Settings, and then click Registries.
  2. Click Add Registry.
  3. Select the Registry Provider, and then enter the registry URL.
  4. Select the cluster that has the sensor you want to use to scan the registry. If you keep your Kubescape components up to date, the sensors are the same across clusters.
  5. Select Private in the Registry Type, and then click Next.
  6. Choose the protocol you want to use to communicate with the registry.
  7. Choose the authentication method you want to use to connect to the registry.

    If you want to use Cloud provider IAM, you must set up AWS or GCP IAM authorization. See below for more information.
  8. Click Test. ARMO Platform communicates with the registry to ensure all entries are correct.
  9. When successful, click Continue to add and scan the registry.

The new registry is listed in the Registry Scanning section and displays any vulnerabilities found on the image.

Walkthrough: How to grant permissions for my ECR/GCR Image registry?

Kubescape supports IPS authentication to enable cloud provider native authentication.

To set up cloud provider authentication, use the following script examples: