TABLE OF CONTENTS
- Add an image Registry to Aqua
- Registry specific configuration
Aqua can scan images from several types of external image registries. The registries and specific repositories within them must be integrated with Aqua to enable image scanning. Once a specific image registry is integrated with Aqua, you can configure Aqua to scan images from the registry directly, or Aqua users can add images to the Aqua platform manually. This topic explains how to add image registries to Aqua.
Add an image Registry to Aqua
To add an image registry to Aqua:
- Navigate to Administration > Integrations > Image Registries.
- Click Add Registry. The Create New Registry page appears with two tabs, Registry Details and Registry Configuration, as explained in the following sections.
Registry Details
In the Registry Details tab, perform the following actions:
1. Enter the following details:
- * Registry Name
- Description (optional)
- * Registry Type: Select a registry type from the dropdown.
Note: * indicates a mandatory field.
2. Enter the additional details required by the selected registry type. Refer to the following for more information on these details.
- Amazon Elastic Container Registry (ECR): The default connection type is Credentials, in which the following credentials are used for integration:
  For more information on adding this registry and on the other connection types, Access Delegation and STS Token Authorization, refer to Configure Amazon Elastic Container Registry (ECR).
- Azure Container Registry: Registry URL, Username, Password (all three are mandatory).
- CoreOS Quay: Registry URL, Username, Password (all three are mandatory).
  Registry URL requirements:
- Docker Hub: Username, Password (both are mandatory).
- Docker Registry (v1/v2)
- Docker Trusted Registry: Registry URL, Username, Password (all three are mandatory).
  Prefer DTR API: Select this checkbox to search repositories with the DTR API first; if the DTR API fails over, Aqua switches to searching repositories with the standard Docker V2 API.
- Google Container Registry (GCR) and Google Artifact Registry: The following credentials are required for this connection:
  For more information on the authentication mechanisms in GAR and GCR, refer to Authentication Mechanisms for Google GAR and GCR Integration.
- Harbor Registry: Registry URL, Username, Password (all three are mandatory).
- JFrog Artifactory: Registry URL, Username, Password (all three are mandatory).
  For more information on the JFrog Artifactory webhook plugin, refer to Usage of JFrog Artifactory Webhook Plugin.
- OpenShift Container Registry: * Registry URL
  Note: To access this registry, the following permissions are required for the service account that Aqua uses:
- Red Hat Atomic Registry
- Sonatype Nexus Repository OSS: Registry URL, Username, Password (all three are mandatory).
  For more information on the configurations in the Sonatype Nexus registry, refer to Configurations in Sonatype Nexus Repository OSS for Integration.
3. Select the scanner connection option, either Any Scanner or Specific Scanner. If you select the Specific Scanner option, a Scanner dropdown appears, as explained in the next step.
4. Scanner: From the dropdown, select a specific scanner that was deployed as a daemon scanner. For more information, refer to Add Scanner Daemons.
Limitations: Docker Registry (v1 API) and Red Hat Atomic Registry do not support the following:
- Automatically Register New Images under Administration > Integrations > Add Registry > Advanced Settings. For more information, refer to the following section.
- Registry Search for repositories under Images > Add Images. For more information, refer to Add images from the Images screen.
The following options are available; the registry types they apply to are given in parentheses:
- Enable Registry Notification Events (Azure Container Registry, CoreOS Quay, Docker Hub, Docker Registry (v1/v2), Harbor Registry)
- Webhook URL (sub-option of Enable Registry Notification Events): Aqua URL for webhook notifications. Copy this URL to the registry events configuration.
- Webhook Authorization Header (sub-option of Enable Registry Notification Events): Copy this value to your registry events configuration.
- Integrate with Azure's ACR Quarantine API (Azure Container Registry): When you select this checkbox, the Aqua Server triggers an API call to ACR to remove the ACR quarantine state from an image after a successful scan.
- Enable Image Stream Notification Events (OpenShift Container Registry): When you select this checkbox, Aqua automatically scans images pushed to OpenShift's internal Docker registry or to an OpenShift image stream.
Pull and scan images
There are two options for pulling and scanning images, manual or automatic:
- Manual: Aqua will not automatically pull images from the registry for scanning.
- Automatic: Aqua will automatically pull images from the registry for scanning on a daily basis.
Automatic pull and scan overrides image repository cleanup: if you enable Automatic, the Remove the oldest images in each repository setting under Settings > Cleanup is ignored for this registry.
The following options are associated with automatic pull and scan:
- Schedule every day at...: Set this to the daily time at which Aqua should search the registry for new images to pull and scan. The time is that of the host on which the Aqua Server is deployed.
- Rescan existing images: When you select this checkbox, existing images from the registry are also rescanned whenever new images are pulled for scanning.
The settings in this section appear when you select the Automatic pull and scan images option. The advanced settings include the following two options:
- Name/tag criteria: You can limit the selection of images to pull and scan by specifying one or more patterns for the image name and/or tag. Add patterns one at a time by entering each and clicking Add. You can delete a pattern by clicking x in its box.
- Image creation date: If you select this checkbox, Aqua pulls only images that were created in the last [set by user] days, months, or years. The default setting is 60 days.
This section has two options:
- Never pull images with name/tag pattern
- Always pull images with name/tag pattern: You can specify patterns for the image name and/or tag of images that should always be pulled and scanned. Add patterns one at a time by entering each and clicking Add.
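To make the interplay of the selection options above concrete, here is an added illustrative model (not Aqua's code) of how the Name/tag criteria, Image creation date, Never and Always patterns could be combined to decide which images a scheduled pull would fetch. The pattern syntax (shell-style globs against "name:tag"), the precedence (Never overrides Always, Always bypasses the other criteria) and the sample inventory are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from fnmatch import fnmatch


@dataclass
class PullCriteria:
    """The automatic pull-and-scan options described above (assumed model)."""
    name_tag_patterns: list = field(default_factory=list)  # Name/tag criteria
    max_age_days: int = 60          # Image creation date window; 0 = checkbox cleared
    never_patterns: list = field(default_factory=list)     # Never pull ... pattern
    always_patterns: list = field(default_factory=list)    # Always pull ... pattern


def matches_any(ref, patterns):
    # Assumption: patterns are shell-style globs tested against "name:tag".
    return any(fnmatch(ref, p) for p in patterns)


def should_pull(name, tag, created, crit, now):
    ref = f"{name}:{tag}"
    # Assumption: a Never pattern is a hard exclusion and wins over everything.
    if matches_any(ref, crit.never_patterns):
        return False
    # Assumption: an Always pattern bypasses the name/tag and date criteria.
    if matches_any(ref, crit.always_patterns):
        return True
    if crit.name_tag_patterns and not matches_any(ref, crit.name_tag_patterns):
        return False
    if crit.max_age_days and created < now - timedelta(days=crit.max_age_days):
        return False
    return True


def select_images(images, crit, now):
    """Return the "name:tag" refs the scheduled job would pull, in input order."""
    return [f"{n}:{t}" for n, t, c in images if should_pull(n, t, c, crit, now)]


# Constructed sample inventory: (repository, tag, creation time)
NOW = datetime(2024, 6, 1)
SAMPLE_IMAGES = [
    ("payments/api", "1.4.2", NOW - timedelta(days=10)),       # recent, in scope
    ("payments/api", "1.0.0", NOW - timedelta(days=200)),      # older than 60 days
    ("payments/api", "dev-snapshot", NOW - timedelta(days=1)), # hit by Never pattern
    ("internal/tools", "latest", NOW - timedelta(days=3)),     # outside Name/tag criteria
    ("base/os", "2023.11", NOW - timedelta(days=400)),         # old, but Always pattern
]
SAMPLE_CRITERIA = PullCriteria(name_tag_patterns=["payments/*:*"], max_age_days=60,
                               never_patterns=["*:dev-*"], always_patterns=["base/os:*"])

if __name__ == "__main__":
    for ref in select_images(SAMPLE_IMAGES, SAMPLE_CRITERIA, NOW):
        print("pull and scan:", ref)
```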
Before completing the image registry integration, it is recommended that you test the connection. Click Test Connection so that the Aqua Server attempts to connect to the registry, validate your credentials (username and password), and pull an image. With all types of image registries except Docker Registry (v1 API) and Red Hat Atomic Registry, you can test the connection without specifying the image to be pulled; Aqua then searches the registry and pulls an image selected at random.
Once the connection is tested, the results are displayed on the page.
Once all the required configurations are completed, click Save at the top right of the page.
Registry specific configuration
Configurations explained in this topic are general and applicable to most of the image registry integrations with Aqua. For more information on the registry specific configurations, refer to the relevant documentation.