Chart: Registry Scanner

Overview

Sysdig Registry Scanner scans your images registry on a Kubernetes cluster . This chart deploys the Sysdig Registry Scanner as a scheduled Cronjob in your Kubernetes cluster and allows you to integrate Sysdig Secure with different image registries.

Registry scanning provides an extra layer of defense between pipeline and runtime by checking:

Newly discovered vulnerabilities in the software before being deployed.
Third-party software that might have been installed without going through pipeline scanning.

Follow the instructions in Install Registry Scanner to deploy the Helm chart. They include specific use cases for:

JFrog Artifactory
AWS ECR
Harbor
Quay IO
IBM ICR
Azure ACR
Google GAR
Google GCR
OpenShift Internal Registry

Once installed, you can view the scan results in the Vulnerabilities UI of Sysdig Secure.

Prerequisites

Helm 3.6
Kubernetes v1.16+
Unique name to identify your Kubernetes cluster
Sysdig Secure API Token

Configuration Parameters

The following table lists the configurable parameters of the Sysdig Registry Scanner chart and their default values:

Parameter	Description	Default
cronjob.schedule	The cronjob expression for registry scan scheduling. See https://crontab.guru/ for help.	`"0 6 * * 6"`
cronjob.failedJobsHistoryLimit	The number of failed job history to keep on the cluster.	`5`
cronjob.successfulJobsHistoryLimit	The number of successful job history to keep on the cluster.	`2`
cronjob.restartPolicy	The restart policy for a failed registry scan execution.	`Never`
cronjob.timeZone	Timezone settings for the cronjob. Value default will be null to guarantee we only set the timezone if the user provides it.	`""`
reportToPersistentVolumeClaim	Specify a volume claim to write the final JSON report there instead of standard output.	`""`
config.logging	The log level. Use one of the following: trace, debug, info, error.	`"info"`
config.registryURL	The URL of the registry to scan.	`""`
config.registryApiUrl	The API URL of the registry to scan. This is required if your registry type is Artifactory.	`""`
config.registryUser	The username for registry authentication.	`""`
config.registryPassword	The password for registry authentication.	`""`
config.registryType	required The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, gar, gcr, nexus, ocp and dockerv2.	`""`
config.registryAccountId	The account ID. Applicable only for ICR registry type.	`""`
config.icrIamApi	The ICR IAM API. Applicable only for ICR registry type.	`""`
config.icrIamApiSkipTLS	Ignore TLS certificate for IAM API. Applicable only for ICR registry type.	`false`
config.aws.accessKeyId	The AWS credentials: `AccessKeyId`.	`""`
config.aws.secretAccessKey	The AWS credentials: `SecretAccessKey`.	`""`
config.aws.region	For single account. It is the region where the registry is located.	`"us-east-1"`
config.aws.managementAccountRoleARN	The management role ARN to be used to impersonate the member accounts.
config.aws.memberAccountsRoleName	The member account role name (available in all member accounts) to dig into their registries.	`"OrganizationAccountAccessRole"`
config.aws.allowListMemberAccountIDs	The organization account IDs in which the registry scan is performed. If not configured, the scan will be performed in all the member accounts of the organization.	`[]`
config.aws.allowListRegions	For organizational accounts. It is the AWS regions where the registries are located. If not configured, the scan will be performed in all available regions.	`[]`
config.registrySkipTLS	Ignore registry TLS certificate errors (self-signed, etc.).	`false`
config.registryMaxRetries	Max number of retries to call the registtry APIs in case of failure or 409.	`10`
config.registryMaxRetryWait	Max wait time between retries.	`10m`
config.registryMinRetryWait	Min wait time between retries.	`5s`
config.secureBaseURL	required The Sysdig Secure Base URL.	`https://secure.sysdig.com`
config.secureAPIToken	required The API Token to access Sysdig Secure.	`""`
config.secureOnPrem	Specify that Sysdig Secure installation is on-prem.	`false`
config.secureSkipTLS	Ignore Sysdig Secure TLS certificate errors.	`false`
config.maxWorkers	The maximum number of parallel job scan workers to spawn.	`5`
config.filter.include	The list of regular expressions. Images matching any of these expressions are always included when scanning. To ensure that only included images are scanned and all others are explicitly excluded, set `exclude` to [”.*”].	`[]`
config.filter.exclude	The list of regular expressions. Images matching any of these expressions are excluded when scanning.	`[]`
config.filter.maxAgeDays	Based on its creation date, excludes images older than the specified number of days. The maximum is 365 days.	`90`
config.filter.maxTagsPerRepository	Based on its creation date, newer ones take precedence, the maximum number of tags to scan per repository. The maximum is 50.	`5`
config.filter.maxRepositoriesPerRegistry	The number of repositories to scan per registry. The maximum is 10000.	`500`
config.scan.inlineScanImage	Override the default image for the inline scanner job.	`""`
config.scan.securityContext	The security context for the Inline Scanner container.	`{}`
config.scan.orchestrator.ttlSecondsAfterFinished	The Time to Live (ttl) value for the orchestrator job. Provide an empty value to accept the default.	`3600`
config.scan.jobs.ttlSecondsAfterFinished	The ttl value for scanner worker jobs.	`600`
config.scan.jobs.resources.requests.memory	The memory request for the scanner job.	`500Mi`
config.scan.jobs.resources.requests.cpu	The CPU request for the scanner job.	`500m`
config.scan.jobs.resources.limits.memory	The memory limit for the scanner job.	`2Gi`
config.scan.jobs.resources.limits.cpu	The CPU limit for the scanner job.	`1`
config.scan.jobs.temporaryVolumeSizeLimit	The size limit for the emptyDir volume used by the scanner job. This volume is used to store both the vulnerability database and the image to scan.	`2Gi`
config.scan.jobs.nodeSelector	NodeSelector for child jobs. If only .Values.nodeSelector is specified, child jobs will inherit the same nodeSelector as the main pod	`{}`
config.scan.disablePlatformScanning	Force the scan to happen on the client component rather than relying on backend scanning	`false`
config.parallelGoRoutines	Number of goroutines running in parallel in metadata phase for ECR Org setup.	`100`
ssl.ca.certs	For outbound connections. List of PEM-encoded x509 certificate authority.	`[]`
customLabels	The additional labels to add to CronJob and Scanning Jobs. The custom labels to be added to kubernetes manifests of all the resources created.	`{}`
proxy.httpProxy	The URL of the proxy for HTTP connections. Leave it empty if not using proxy, which sets the `http_proxy` environment variable.
proxy.httpsProxy	The URL of the proxy for HTTPS connections. Leave it empty if not using proxy, which sets the `https_proxy` environment variable.
proxy.noProxy	The comma-separated list of domain extensions proxy should not be used for. Include the internal IP of the Kube API server in noProxy configuration. You probably need to add your registry if it is inside the cluster.
image.registry	The Sysdig Registry Scanner image registry.	`quay.io`
image.repository	The Sysdig Registry Scanner image repository.	`sysdig/registry-scanner`
image.tag	The Registry Scanner image tag. If empty, default to appVersion in `Chart.yaml`.
image.pullPolicy	The PullPolicy for Registry Scanner image.	`Always`
image.fips	Whether or not to use a Federal Information Processing Standard (FIPS) compliant image.	`false`
serviceAccount.create	Specifies whether a service account should be created.	`true`
serviceAccount.annotations	The additional annotations to add to the service account.	`{}`
serviceAccount.name	The name of the service account to use. If the value is not set and create is set to `true`, a name is generated using the fullname template.	`""`
imagePullSecrets	The image pull secrets.	`[]`
nameOverride	The chart name override	`""`
fullnameOverride	The chart fullname override	`""`
existingSecretName	Specify the name of a Kubernetes secret containing ‘secureAPIToken’, ‘registryUser’, and ‘registryPassword’ entries. If you are using `ecr` as `registryType`, ensure that you add ‘accessKeyId’, ‘secretAccessKey’, and ‘region’ entries.	`""`
podAnnotations	Pod annotations for the Registry scanner.	`{}`
securityContext	Security context for Registry Scanner container.	`{}`
resources	Resource limits for the main registry scanner orchestrator. For scanner job resources, use `config.scan.jobs.resources`.	`{}`
scanOnStart.enabled	Specify whether to start the post-install scanner job, in addition to the cronjob. Beware that `concurrencyPolicy` does not work on jobs (only cronjobs). Always check for active scanning and if so, remove it.	`false`
scanOnStart.jobName	The name of the job created for the post-install scanner job	`"registry-scanner-scan-on-start"`
scanOnStart.asPostInstallHook	Specify whether to launch the job as a post-install helm hook. Used for testing purpose.	`false`
extraEnvVars	The additional environment variables to be set.	`[]`
memProfileToPersistentVolumeClaim	Write memory profile dumps to Persistent Volume Claim (provide PVC name)	`""`

On-Prem Deployment

If you are using a Sysdig on-prem version greater than 6.2, you need to configure legacy VM engine while setting up registry scanner.

Use the following command to deploy:

helm upgrade --install registry-scanner \
   --namespace sysdig-agent \
   --create-namespace \
   --version=1.7.3 \
   --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
   --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
   --set config.secureSkipTLS=true \
   --set config.registryURL=<REGISTRY_URL> \
   --set config.registryUser=admin \
   --set config.registryPassword=<REGISTRY_PASSWORD> \
  sysdig/registry-scanner

Use config.secureSkipTLS=true if you are using self-signed certificates.