Registry Configuration

Configure rfscan to pull images from and scan container registries
If you do not need support for pulling images from container registries or scanning container registries or repositories, then this setup is not necessary.
Configuration File
rfscan must be configured to pull images from container registries and scan container registries.
By default, rfscan will try to load the rfscan.yaml configuration file from ~/.rapidfort/rfscan.yaml. This can be overridden with the --configuration_file command line parameter.
Select your container registry type to view rfscan.yaml examples.
Registries
Amazon ECR
Docker Hub
JFrog
Microsoft ACR
Registry URL
Specify the registry URL. Do not include http:// or https://.
Registry Type
Specify amazon_ecr.
Registry Credentials
Registry credentials are required for the following tasks:
Pulling images that are not present locally (i.e. docker pull)
Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
rfscan supports the following methods of authentication with Amazon ECR.
AWS Command Line Interface Tools: Install the AWS Command Line Interface tools on your client system and configure AWS credentials. Verify that your client system is able to authenticate with Amazon ECR and pull images.
rfscan will attempt to use the cached AWS credentials. You will not need to add credentials to the rfscan.yaml configuration file.
registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr
AWS IAM Role ARN: Configure a role and policy for Amazon ECR. At minimum, the policy must grant Read and List (if you would like to scan your registry) permissions. Verify that you are able to assume the role on your client system and pull images from Amazon ECR.
If your client system is an EC2 instance, you can assign the role to the instance. Otherwise, add the role ARN to the rfscan.yaml configuration file.
registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr
      aws_role_arn: arn:aws:iam::123456789010:role/rfscan-role
AWS Access Key Id, Secret Access Key, and Session Token: Generate an access key id, secret access key, and session token and add these to the rfscan.yaml configuration file.
registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr
      aws_access_key_id: example_aws_access_key_id
      aws_secret_access_key: example_aws_secret_access_key
      aws_session_token: example_aws_session_token
Registry URL
Specify the registry URL. Do not include http:// or https://.
Registry Type
Specify docker_hub.
Registry Credentials
Registry credentials are required for the following tasks:
Pulling images that are not present locally (i.e. docker pull)
Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
Specify your username and password.
registries:
  - example.com:
      type: docker_hub
      username: example_username
      password: example_password
Registry URL
Specify the registry URL. Do not include http:// or https://.
Registry Type
Specify jfrog.
Registry Credentials
Registry credentials are required for the following tasks:
Pulling images that are not present locally (i.e. docker pull)
Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
Specify your username and password.
registries:
  - example.jfrog.io:
      type: jfrog
      username: example_username
      password: example_password
Registry URL
Specify the registry URL. Do not include http:// or https://.
Registry Type
Specify microsoft_acr.
Registry Credentials
Registry credentials are required for the following tasks:
Pulling images that are not present locally (i.e. docker pull)
Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
Specify your username and password.
registries:
  - example.com:
      type: microsoft_acr
      username: example_username
      password: example_password
Filters
Registry scan filters are optional but recommended.
Filters are subtractive. That is, only images that match all filters will be included in the results.
Repositories
One or more repository filter regular expression patterns to include and/or exclude may be specified.
filters:
  repositories:
    include:
      - backend
      - utils/(.*)
    exclude:
      - (.*)dev
Tags
One or more tag filter regular expression patterns to include and/or exclude may be specified.
filters:
  tags:
    include:
      - 1.0.\d\d\d
      - v1.2.\d\d\d
      - latest
filters:
  tags:
    exclude:
      - (.*)beta
      - test
Push Dates
Registry scan results can be filtered by the tag push start date and/or push end date. Push date filters are inclusive.
filters:
  push_date_start: 2021-11-01
  push_date_end: 2021-11-30
Push date filters are not currently supported for JFrog or Microsoft ACR.
Example
rfscan.yaml
filters:
  repositories:
    include:
      - backend
      - utils/(.*)
    exclude:
      - (.*)dev
  tags:
    exclude:
      - (.*)beta
      - test
  push_date_start: 2021-12-01
Scanning with RapidFort - Previous
Overview
Next - Scanning with RapidFort
Scanning Images
Last modified 9mo ago