Registry Configuration

Configure rfscan to pull images from and scan container registries
If you do not need support for pulling images from container registries or scanning container registries or repositories, then this setup is not necessary.

Configuration File

rfscan must be configured to pull images from container registries and scan container registries.
By default, rfscan will try to load the rfscan.yaml configuration file from ~/.rapidfort/rfscan.yaml. This can be overridden with the --configuration_file command line parameter.
Select your container registry type to view rfscan.yaml examples.

Registries

Amazon ECR
Docker Hub
JFrog
Microsoft ACR

Amazon ECR

Registry URL

Specify the registry URL. Do not include http:// or https://.

Registry Type

Specify amazon_ecr.

Registry Credentials

Registry credentials are required for the following tasks:
  • Pulling images that are not present locally (i.e. docker pull)
  • Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
rfscan supports the following methods of authentication with Amazon ECR.
AWS Command Line Interface Tools: Install the AWS Command Line Interface tools on your client system and configure AWS credentials. Verify that your client system is able to authenticate with Amazon ECR and pull images.
rfscan will attempt to use the cached AWS credentials. You will not need to add credentials to the rfscan.yaml configuration file.
registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr
AWS IAM Role ARN: Configure a role and policy for Amazon ECR. At minimum, the policy must grant Read and List (if you would like to scan your registry) permissions. Verify that you are able to assume the role on your client system and pull images from Amazon ECR.
If your client system is an EC2 instance, you can assign the role to the instance. Otherwise, add the role ARN to the rfscan.yaml configuration file.
registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr
      aws_role_arn: arn:aws:iam::123456789010:role/rfscan-role
AWS Access Key Id, Secret Access Key, and Session Token: Generate an access key id, secret access key, and session token and add these to the rfscan.yaml configuration file.
registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr
      aws_access_key_id: example_aws_access_key_id
      aws_secret_access_key: example_aws_secret_access_key
      aws_session_token: example_aws_session_token

Docker Hub

Registry URL

Specify the registry URL. Do not include http:// or https://.

Registry Type

Specify docker_hub.

Registry Credentials

Registry credentials are required for the following tasks:
  • Pulling images that are not present locally (i.e. docker pull)
  • Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
Specify your username and password.
registries:
  - example.com:
      type: docker_hub
      username: example_username
      password: example_password

JFrog

Registry URL

Specify the registry URL. Do not include http:// or https://.

Registry Type

Specify jfrog.

Registry Credentials

Registry credentials are required for the following tasks:
  • Pulling images that are not present locally (i.e. docker pull)
  • Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
Specify your username and password.
registries:
  - example.jfrog.io:
      type: jfrog
      username: example_username
      password: example_password

Microsoft ACR

Registry URL

Specify the registry URL. Do not include http:// or https://.

Registry Type

Specify microsoft_acr.

Registry Credentials

Registry credentials are required for the following tasks:
  • Pulling images that are not present locally (i.e. docker pull)
  • Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
Specify your username and password.
registries:
  - example.com:
      type: microsoft_acr
      username: example_username
      password: example_password
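
A pre-flight check for the registries section of any of the registry types above, given here as an added example and not as part of rfscan. It takes the already-parsed rfscan.yaml as a Python mapping; the function names, the nested layout of each registry entry, and the rule that a file holding secrets should not be accessible to group or others are assumptions of this example.

```python
import os
import stat

# Values the page lists for "type", and the keys whose values are secrets.
KNOWN_TYPES = {"amazon_ecr", "docker_hub", "jfrog", "microsoft_acr"}
SECRET_KEYS = {"password", "aws_secret_access_key", "aws_session_token"}


def file_mode(path):
    """Permission bits of the configuration file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_registries(config, mode):
    """Return findings for a parsed rfscan.yaml mapping and its file mode."""
    findings = []
    secrets_on_disk = False
    for entry in config.get("registries") or []:
        for url, settings in entry.items():
            settings = settings or {}
            if url.startswith(("http://", "https://")):
                findings.append(f"{url}: remove the scheme from the registry URL")
            if settings.get("type") not in KNOWN_TYPES:
                findings.append(f"{url}: unknown type {settings.get('type')!r}")
            stored = sorted(SECRET_KEYS & settings.keys())
            if stored:
                secrets_on_disk = True
                findings.append(f"{url}: stores {', '.join(stored)} in the file")
    # Only complain about permissions when the file actually holds secrets.
    if secrets_on_disk and mode & 0o077:
        findings.append(f"mode {mode:o}: group/other can access stored secrets")
    return findings


# Constructed sample: the parsed form of a two-registry rfscan.yaml.
SAMPLE_CONFIG = {"registries": [
    {"123456789010.dkr.ecr.us-east-1.amazonaws.com": {"type": "amazon_ecr"}},
    {"https://example.jfrog.io": {"type": "jfrog",
                                  "username": "example_username",
                                  "password": "example_password"}},
]}

if __name__ == "__main__":
    for finding in audit_registries(SAMPLE_CONFIG, 0o644):
        print(finding)
```

For a real file, pass `file_mode(os.path.expanduser("~/.rapidfort/rfscan.yaml"))` as `mode`. The first sample entry relies on cached AWS credentials and produces no findings.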

Filters

Registry scan filters are optional but recommended.
Filters are subtractive. That is, only images that match all filters will be included in the results.

Repositories

One or more repository filter regular expression patterns to include and/or exclude may be specified.
filters:
  repositories:
    include:
      - backend
      - utils/(.*)
    exclude:
      - (.*)dev

Tags

One or more tag filter regular expression patterns to include and/or exclude may be specified.
filters:
  tags:
    include:
      - 1.0.\d\d\d
      - v1.2.\d\d\d
      - latest

filters:
  tags:
    exclude:
      - (.*)beta
      - test

Push Dates

Registry scan results can be filtered by the tag push start date and/or push end date. Push date filters are inclusive.
filters:
  push_date_start: 2021-11-01
  push_date_end: 2021-11-30
Push date filters are not currently supported for JFrog or Microsoft ACR.

Example

rfscan.yaml
filters:
  repositories:
    include:
      - backend
      - utils/(.*)
    exclude:
      - (.*)dev
  tags:
    exclude:
      - (.*)beta
      - test
  push_date_start: 2021-12-01
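
The include, exclude and push-date rules from the Filters section, applied to a constructed image inventory to show which images the Example configuration would leave out of a scan. This is an added example, not rfscan's code: the `preview` helper, full-match regular expression semantics, and push dates parsed as `date` values are assumptions, and rfscan's own matching may differ.

```python
import re
from datetime import date


def _hit(patterns, value):
    # Assumption: a pattern must match the whole repository or tag name.
    return any(re.fullmatch(p, value) for p in patterns or [])


def _rule_verdict(rule, value, what):
    """Return a skip reason, or None when the value passes include/exclude."""
    if rule.get("include") and not _hit(rule["include"], value):
        return f"{what} not in include list"
    if _hit(rule.get("exclude"), value):
        return f"{what} matches exclude pattern"
    return None


def preview(filters, images):
    """Split (repository, tag, push_date) tuples into scanned and skipped."""
    start, end = filters.get("push_date_start"), filters.get("push_date_end")
    scanned, skipped = [], {}
    for repo, tag, pushed in images:
        reason = (_rule_verdict(filters.get("repositories", {}), repo, "repository")
                  or _rule_verdict(filters.get("tags", {}), tag, "tag"))
        # Push date bounds are inclusive, so only strictly outside is skipped.
        if reason is None and start and pushed < start:
            reason = "pushed before push_date_start"
        if reason is None and end and pushed > end:
            reason = "pushed after push_date_end"
        if reason:
            skipped[f"{repo}:{tag}"] = reason
        else:
            scanned.append(f"{repo}:{tag}")
    return scanned, skipped


# The filters from the page's Example, as a parsed mapping.
FILTERS = {
    "repositories": {"include": ["backend", "utils/(.*)"], "exclude": ["(.*)dev"]},
    "tags": {"exclude": ["(.*)beta", "test"]},
    "push_date_start": date(2021, 12, 1),
}
# Constructed inventory, not real registry contents.
IMAGES = [
    ("backend", "1.0.123", date(2021, 12, 5)),
    ("backend", "1.0.124-beta", date(2021, 12, 6)),
    ("utils/logger", "latest", date(2021, 12, 1)),
    ("utils/logger-dev", "latest", date(2021, 12, 10)),
    ("frontend", "2.0.0", date(2021, 12, 3)),
    ("backend", "0.9.0", date(2021, 11, 30)),
]
```

Reviewing the `skipped` mapping before a registry scan shows which images fall outside scan coverage and why.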