Registry Configuration
Configure rfscan to pull images from and scan container registries
If you do not need support for pulling images from container registries or scanning container registries or repositories, then this setup is not necessary.
rfscan must be configured to pull images from container registries and scan container registries.
By default, rfscan will try to load the rfscan.yaml configuration file from ~/.rapidfort/rfscan.yaml. This can be overridden with the --configuration_file command line parameter.

rfscan.yaml examples are given below for each supported container registry type: Amazon ECR, Docker Hub, JFrog, and Microsoft ACR.
Amazon ECR

Specify the registry URL as the key. Do not include http:// or https://. Specify amazon_ecr as the type.

Registry credentials are required for the following tasks:
- Pulling images that are not present locally (i.e. docker pull)
- Scanning registries

If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.

rfscan supports the following methods of authentication with Amazon ECR.

AWS Command Line Interface Tools: Install the AWS Command Line Interface tools on your client system and configure AWS credentials. Verify that your client system is able to authenticate with Amazon ECR and pull images. rfscan will attempt to use the cached AWS credentials. You will not need to add credentials to the rfscan.yaml configuration file.

registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr

AWS IAM Role ARN: Configure a role and policy for Amazon ECR. At minimum, the policy must grant Read permissions, plus List permissions if you would like to scan your registry. Verify that you are able to assume the role on your client system and pull images from Amazon ECR. If your client system is an EC2 instance, you can assign the role to the instance. Otherwise, add the role ARN to the rfscan.yaml configuration file.

registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr
      aws_role_arn: arn:aws:iam::123456789010:role/rfscan-role

AWS Access Key Id, Secret Access Key, and Session Token: Generate an access key id, secret access key, and session token and add these to the rfscan.yaml configuration file.

registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr
      aws_access_key_id: example_aws_access_key_id
      aws_secret_access_key: example_aws_secret_access_key
      aws_session_token: example_aws_session_token
Docker Hub

Specify the registry URL as the key. Do not include http:// or https://. Specify docker_hub as the type.

Registry credentials are required for the following tasks:
- Pulling images that are not present locally (i.e. docker pull)
- Scanning registries

If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.

Specify your username and password.

registries:
  - example.com:
      type: docker_hub
      username: example_username
      password: example_password
JFrog

Specify the registry URL as the key. Do not include http:// or https://. Specify jfrog as the type.

Registry credentials are required for the following tasks:
- Pulling images that are not present locally (i.e. docker pull)
- Scanning registries

If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.

Specify your username and password.

registries:
  - example.jfrog.io:
      type: jfrog
      username: example_username
      password: example_password
Microsoft ACR

Specify the registry URL as the key. Do not include http:// or https://. Specify microsoft_acr as the type.

Registry credentials are required for the following tasks:
- Pulling images that are not present locally (i.e. docker pull)
- Scanning registries

If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.

Specify your username and password.

registries:
  - example.com:
      type: microsoft_acr
      username: example_username
      password: example_password
Registry scan filters are optional but recommended.

Filters are subtractive. That is, only images that match all filters will be included in the results.

One or more repository filter regular expression patterns to include and/or exclude may be specified.

filters:
  repositories:
    include:
      - backend
      - utils/(.*)
    exclude:
      - (.*)dev

One or more tag filter regular expression patterns to include and/or exclude may be specified.

filters:
  tags:
    include:
      - 1.0.\d\d\d
      - v1.2.\d\d\d
      - latest

filters:
  tags:
    exclude:
      - (.*)beta
      - test

Registry scan results can be filtered by the tag push start date and/or push end date. Push date filters are inclusive.

filters:
  push_date_start: 2021-11-01
  push_date_end: 2021-11-30

Push date filters are not currently supported for JFrog or Microsoft ACR.
A combined rfscan.yaml filters example:

filters:
  repositories:
    include:
      - backend
      - utils/(.*)
    exclude:
      - (.*)dev
  tags:
    exclude:
      - (.*)beta
      - test
  push_date_start: 2021-12-01
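As an added example (not RapidFort's code; rfscan's own matching semantics may differ), the following Python applies the filter rules described above to a constructed registry listing, using the parsed form of the combined filters example. It assumes full-string regex matching for include/exclude patterns and refuses push date filters for the jfrog and microsoft_acr registry types, as this page states they are unsupported there.

```python
import re
from datetime import date

# Constructed: the parsed form of the combined filters example from this page's rfscan.yaml.
FILTERS = {
    "repositories": {"include": ["backend", "utils/(.*)"], "exclude": ["(.*)dev"]},
    "tags": {"exclude": ["(.*)beta", "test"]},
    "push_date_start": "2021-12-01",
}

# Constructed sample registry listing: (repository, tag, tag push date).
IMAGES = [
    ("backend", "1.0.001", "2021-12-05"),
    ("backend", "1.0.002-beta", "2021-12-06"),    # tag hits the (.*)beta exclude
    ("utils/logger", "latest", "2021-11-20"),     # pushed before push_date_start
    ("utils/logger", "test", "2021-12-10"),       # tag hits the test exclude
    ("utils/logger", "1.0.005", "2021-12-20"),
    ("utils/build-dev", "1.0.003", "2021-12-12"), # repository hits the (.*)dev exclude
    ("frontend", "1.0.004", "2021-12-15"),        # repository matches no include pattern
]

def _passes(value, rules):
    """Apply one field's include/exclude regex lists. Assumes full-string matching."""
    if rules.get("include") and not any(re.fullmatch(p, value) for p in rules["include"]):
        return False
    return not any(re.fullmatch(p, value) for p in rules.get("exclude", []))

def push_date_filters_supported(registry_type, filters):
    """Push date filters are not currently supported for JFrog or Microsoft ACR."""
    uses_push_dates = "push_date_start" in filters or "push_date_end" in filters
    return not (uses_push_dates and registry_type in ("jfrog", "microsoft_acr"))

def apply_filters(images, filters, registry_type="amazon_ecr"):
    """Return (repository, tag) pairs that satisfy every configured filter."""
    if not push_date_filters_supported(registry_type, filters):
        raise ValueError(f"push date filters are not supported for {registry_type}")
    start = date.fromisoformat(filters.get("push_date_start", "0001-01-01"))
    end = date.fromisoformat(filters.get("push_date_end", "9999-12-31"))
    kept = []
    for repo, tag, pushed in images:
        # Filters are subtractive: an image must pass every configured filter to be kept.
        if not _passes(repo, filters.get("repositories", {})):
            continue
        if not _passes(tag, filters.get("tags", {})):
            continue
        if not start <= date.fromisoformat(pushed) <= end:  # inclusive on both ends
            continue
        kept.append((repo, tag))
    return kept
```

With the constructed listing, only backend:1.0.001 and utils/logger:1.0.005 survive the combined filters; every other image is removed by exactly one of the rules noted in the comments.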