Chart: Registry Scanner

Overview

Sysdig Registry Scanner scans your images registry on a Kubernetes cluster . This chart deploys the Sysdig Registry Scanner as a scheduled Cronjob in your Kubernetes cluster and allows you to integrate Sysdig Secure with different image registries.

Registry scanning provides an extra layer of defense between pipeline and runtime by checking:

Follow the instructions in Install Registry Scanner to deploy the Helm chart. They include specific use cases for:

Once installed, you can view the scan results in the Vulnerabilities UI of Sysdig Secure.

Prerequisites

Configuration Parameters

The following table lists the configurable parameters of the Sysdig Registry Scanner chart and their default values:

Parameter Description Default
cronjob.schedule The cronjob expression for registry scan scheduling. See https://crontab.guru/ for help. "0 6 * * 6"
cronjob.failedJobsHistoryLimit The number of failed job history to keep on the cluster. 5
cronjob.successfulJobsHistoryLimit The number of successful job history to keep on the cluster. 2
cronjob.restartPolicy The restart policy for a failed registry scan execution. Never
cronjob.timeZone Timezone settings for the cronjob. Value default will be null to guarantee we only set the timezone if the user provides it. ""
reportToPersistentVolumeClaim Specify a volume claim to write the final JSON report there instead of standard output. ""
config.logging The log level. Use one of the following: trace, debug, info, error. "info"
config.registryURL The URL of the registry to scan. ""
config.registryApiUrl The API URL of the registry to scan. This is required if your registry type is Artifactory. ""
config.registryUser The username for registry authentication. ""
config.registryPassword The password for registry authentication. ""
config.registryType Mandatory.
The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, gar, gcr, nexus and dockerv2.
""
config.registryAccountId The account ID. Applicable only for ICR registry type. ""
config.icrIamApi The ICR IAM API. Applicable only for ICR registry type. ""
config.icrIamApiSkipTLS Ignore TLS certificate for IAM API. Applicable only for ICR registry type. false
config.aws.accessKeyId The AWS credentials: AccessKeyId. ""
config.aws.secretAccessKey The AWS credentials: SecretAccessKey. ""
config.aws.region For single account. It is the region where the registry is located. "us-east-1"
config.aws.managementAccountRoleARN The management role ARN to be used to impersonate the member accounts.
config.aws.memberAccountsRoleName The member account role name (available in all member accounts) to dig into their registries. "OrganizationAccountAccessRole"
config.aws.allowListMemberAccountIDs The organization account IDs in which the registry scan is performed. If not configured, the scan will be performed in all the member accounts of the organization. []
config.aws.allowListRegions For organizational accounts. It is the AWS regions where the registries are located. If not configured, the scan will be performed in all available regions. []
config.registrySkipTLS Ignore registry TLS certificate errors (self-signed, etc.). false
config.secureBaseURL required
The Sysdig Secure Base URL.
https://secure.sysdig.com
config.secureAPIToken required
The API Token to access Sysdig Secure.
""
config.secureOnPrem Specify that Sysdig Secure installation is on-prem. false
config.secureSkipTLS Ignore Sysdig Secure TLS certificate errors. false
config.maxWorkers The maximum number of parallel job scan workers to spawn. 5
config.filter.include The list of regular expressions.
Images matching any of these expressions are always included when scanning.
[]
config.filter.exclude The list of regular expressions.
Images matching any of these expressions are excluded when scanning.
[]
config.filter.maxAgeDays Based on its creation date, excludes images older than the specified number of days.
The maximum is 365 days.
90
config.filter.maxTagsPerRepository Based on its creation date, newer ones take precedence, the maximum number of tags to scan per repository.
The maximum is 50.
5
config.filter.maxRepositoriesPerRegistry The number of repositories to scan per registry.
The maximum is 10000.
500
config.scan.inlineScanImage Override the default image for the inline scanner job. ""
config.scan.securityContext The security context for the Inline Scanner container. {}
config.scan.orchestrator.ttlSecondsAfterFinished The Time to Live (ttl) value for the orchestrator job. Provide an empty value to accept the default. 3600
config.scan.jobs.ttlSecondsAfterFinished The ttl value for scanner worker jobs. 600
config.scan.jobs.resources.requests.memory The memory request for the scanner job. 500Mi
config.scan.jobs.resources.requests.cpu The CPU request for the scanner job. 500m
config.scan.jobs.resources.limits.memory The memory limit for the scanner job. 2Gi
config.scan.jobs.temporaryVolumeSizeLimit The size limit for the emptyDir volume used by the scanner job.
This volume is used to store both the vulnerability database and the image to scan.
2Gi
config.scan.disablePlatformScanning Force the scan to happen on the client component rather than relying on backend scanning false
config.parallelGoRoutines Number of goroutines running in parallel in metadata phase for ECR Org setup. 100
ssl.ca.certs For outbound connections.
List of PEM-encoded x509 certificate authority.
[]
customLabels The additional labels to add to CronJob and Scanning Jobs. The custom labels to be added to kubernetes manifests of all the resources created. {}
proxy.httpProxy The URL of the proxy for HTTP connections. Leave it empty if not using proxy, which sets the http_proxy environment variable.
proxy.httpsProxy The URL of the proxy for HTTPS connections. Leave it empty if not using proxy, which sets the https_proxy environment variable.
proxy.noProxy The comma-separated list of domain extensions proxy should not be used for. Include the internal IP of the Kube API server in noProxy configuration. You probably need to add your registry if it is inside the cluster.
image.registry The Sysdig Registry Scanner image registry. quay.io
image.repository The Sysdig Registry Scanner image repository. sysdig/registry-scanner
image.tag The Registry Scanner image tag. If empty, default to appVersion in Chart.yaml.
image.pullPolicy The PullPolicy for Registry Scanner image. Always
serviceAccount.create Specifies whether a service account should be created. true
serviceAccount.annotations The additional annotations to add to the service account. {}
serviceAccount.name The name of the service account to use. If the value is not set and create is set to true, a name is generated using the fullname template. ""
imagePullSecrets The image pull secrets. []
nameOverride The chart name override ""
fullnameOverride The chart fullname override ""
existingSecretName Specify the name of a Kubernetes secret containing ‘secureAPIToken’, ‘registryUser’, and ‘registryPassword’ entries. If you are using ecr as registryType, ensure that you add ‘accessKeyId’, ‘secretAccessKey’, and ‘region’ entries. ""
podAnnotations Pod annotations for the Registry scanner. {}
securityContext Security context for Registry Scanner container. {}
resources Resource limits for the main registry scanner orchestrator.
For scanner job resources, use config.scan.jobs.resources.
{}
scanOnStart.enabled Specify whether to start the post-install scanner job, in addition to the cronjob.
Beware that concurrencyPolicy does not work on jobs (only cronjobs).
Always check for active scanning and if so, remove it.
false
scanOnStart.jobName The name of the job created for the post-install scanner job "registry-scanner-start-test"
scanOnStart.asPostInstallHook Specify whether to launch the job as a post-install helm hook.
Used for testing purpose.
false
extraEnvVars The additional environment variables to be set. []
memProfileToPersistentVolumeClaim Write memory profile dumps to Persistent Volume Claim (provide PVC name) ""

On-Prem Deployment

If you are using a Sysdig on-prem version greater than 6.2, you need to configure legacy VM engine while setting up registry scanner.

Use the following command to deploy:

helm upgrade --install registry-scanner \
   --namespace sysdig-agent \
   --create-namespace \
   --version=1.1.32 \
   --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
   --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
   --set config.secureSkipTLS=true \
   --set config.registryURL=<REGISTRY_URL> \
   --set config.registryUser=admin \
   --set config.registryPassword=<REGISTRY_PASSWORD> \
  sysdig/registry-scanner

Use config.secureSkipTLS=true if you are using self-signed certificates.