Registry Configuration
Configure rfscan to pull images from and scan container registries
If you do not need support for pulling images from container registries or scanning container registries or repositories, then this setup is not necessary.

Configuration File

rfscan must be configured to pull images from container registries and scan container registries.
By default, rfscan will try to load the rfscan.yaml configuration file from ~/.rapidfort/rfscan.yaml. This can be overridden with the --configuration_file command line parameter.
Download the sample rfscan.yaml configuration file and update this with your registry information.
rfscan.yaml
    ---
    # RapidFort rfscan Registry Scanner Configuration
    # Supported registry types include: Docker Hub, JFrog, Amazon ECR, and Microsoft ACR.
    # All registry types require the registry URL (do not include http:// or https://) and
    # registry type to be specified.
    # For Docker Hub, JFrog, and Microsoft ACR, the username and password are required if
    # authentication is required.
    # For Amazon ECR, credentials may be specified via one of the following:
    # - AWS IAM role ARN
    # - AWS access key, AWS secret access, and AWS session token
    # - AWS CLI installed on client system and configured with registry credentials
    #registries:
    #  - # Registry URL (for example, "hub.docker.com", "localhost:5000", "example.jfrog.io",
    #    # "123456789100.dkr.ecr.us-east-1.amazonaws.com", "mycontainerregistry.azurecr.io")
    #    # Registry type ("docker_hub", "jfrog", "amazon_ecr", or "microsoft_acr")
    #    type: ""
    #    # Username (not required for amazon_ecr)
    #    username: ""
    #    # Password (not required for amazon_ecr)
    #    password: ""
    #    # AWS role_arn (amazon_ecr only)
    #    aws_role_arn: ""
    #    # AWS access key id, secret access key, and session token are not required if an
    #    # IAM role ARN is specified or if the AWS CLI is installed and configured with
    #    # registry credentials
    #    # AWS access key id (amazon_ecr only)
    #    aws_access_key_id: ""
    #    # AWS secret access key (amazon_ecr only)
    #    aws_secret_access_key: ""
    #    # AWS session token (amazon_ecr only)
    #    aws_session_token: ""
    #
    # Optional filters for registry scanning. If an option is specified in the configuration file and also as a
    # command line parameter, then the command line parameter will take precedence.
    #filters:
    #  repositories:
    #    # List of repository regular expression patterns to include
    #    include:
    #      - repository_include_regex_1
    #      - repository_include_regex_2
    #    # List of repository regular expression patterns to exclude
    #    exclude:
    #      - repository_exclude_regex_1
    #  tags:
    #    # List of tag regular expression patterns to include
    #    include:
    #      - tag_include_regex_1
    #    # List of tag regular expression patterns to exclude
    #    exclude:
    #      - tag_exclude_regex_1
    #  # Push date start, inclusive (must have the format YYYY-MM-DD)
    #  push_date_start: ""
    #  # Push date end, inclusive (must have the format YYYY-MM-DD, e.g. 2021-01-01)
    #  push_date_end: ""

Registries

Amazon ECR
Docker Hub
JFrog
Microsoft ACR

Amazon ECR

Registry URL

Specify the registry URL. Do not include http:// or https://.

Registry Type

Specify amazon_ecr.

Registry Credentials

Registry credentials are required for the following tasks:
  • Pulling images that are not present locally (i.e. docker pull)
  • Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
rfscan supports the following methods of authentication with Amazon ECR.
AWS Command Line Interface Tools: Install the AWS Command Line Interface tools on your client system and configure AWS credentials. Verify that your client system is able to authenticate with Amazon ECR and pull images.
rfscan will attempt to use the cached AWS credentials. You will not need to add credentials to the rfscan.yaml configuration file.
    registries:
      - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
          type: amazon_ecr
AWS IAM Role ARN: Configure a role and policy for Amazon ECR. At minimum, the policy must grant Read and List (if you would like to scan your registry) permissions. Verify that you are able to assume the role on your client system and pull images from Amazon ECR.
If your client system is an EC2 instance, you can assign the role to the instance. Otherwise, add the role ARN to the rfscan.yaml configuration file.
    registries:
      - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
          type: amazon_ecr
          aws_role_arn: arn:aws:iam::123456789010:role/rfscan-role
AWS Access Key Id, Secret Access Key, and Session Token: Generate an access key id, secret access key, and session token and add these to the rfscan.yaml configuration file.
    registries:
      - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
          type: amazon_ecr
          aws_access_key_id: example_aws_access_key_id
          aws_secret_access_key: example_aws_secret_access_key
          aws_session_token: example_aws_session_token

Docker Hub

Registry URL

Specify the registry URL. Do not include http:// or https://.

Registry Type

Specify docker_hub.

Registry Credentials

Registry credentials are required for the following tasks:
  • Pulling images that are not present locally (i.e. docker pull)
  • Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
Specify your username and password.
    registries:
      - example.com:
          type: docker_hub
          username: example_username
          password: example_password

JFrog

Registry URL

Specify the registry URL. Do not include http:// or https://.

Registry Type

Specify jfrog.

Registry Credentials

Registry credentials are required for the following tasks:
  • Pulling images that are not present locally (i.e. docker pull)
  • Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
Specify your username and password.
    registries:
      - example.jfrog.io:
          type: jfrog
          username: example_username
          password: example_password

Microsoft ACR

Registry URL

Specify the registry URL. Do not include http:// or https://.

Registry Type

Specify microsoft_acr.

Registry Credentials

Registry credentials are required for the following tasks:
  • Pulling images that are not present locally (i.e. docker pull)
  • Scanning registries
If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.
Specify your username and password.
    registries:
      - example.com:
          type: microsoft_acr
          username: example_username
          password: example_password
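The rules stated for registry entries above (no URL scheme, one of four types, Amazon ECR credential options) can be checked before a scan is run. The following is an added example, not part of rfscan: `check_registries` and `SAMPLE` are hypothetical names, the input is the already-parsed `registries:` list, and it assumes one single-key mapping per registry as in the Amazon ECR examples.

```python
ALLOWED_TYPES = {"docker_hub", "jfrog", "amazon_ecr", "microsoft_acr"}
STATIC_AWS_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")
AWS_KEYS = STATIC_AWS_KEYS + ("aws_role_arn",)

def check_registries(registries):
    """Return (url, problem) pairs for entries that break the documented rules."""
    problems = []
    for entry in registries:
        for url, settings in entry.items():
            settings = settings or {}
            kind = settings.get("type")
            if url.lower().startswith(("http://", "https://")):
                problems.append((url, "URL must not include http:// or https://"))
            if kind not in ALLOWED_TYPES:
                problems.append((url, f"unknown registry type {kind!r}"))
            elif kind == "amazon_ecr":
                # Static keys are optional (role ARN or AWS CLI can be used instead),
                # but the page lists key id, secret key and session token as one set.
                present = [k for k in STATIC_AWS_KEYS if settings.get(k)]
                if present and len(present) < len(STATIC_AWS_KEYS):
                    problems.append((url, "static AWS credentials are incomplete"))
            else:
                stray = [k for k in AWS_KEYS if settings.get(k)]
                if stray:
                    problems.append((url, f"{', '.join(stray)} only apply to amazon_ecr"))
                if bool(settings.get("username")) != bool(settings.get("password")):
                    problems.append((url, "username and password must be set together"))
    return problems

# Constructed sample input with placeholder values, not a real configuration.
SAMPLE = [
    {"123456789010.dkr.ecr.us-east-1.amazonaws.com": {"type": "amazon_ecr"}},
    {"https://example.jfrog.io": {"type": "jfrog", "username": "example_username",
                                  "password": "example_password"}},
    {"example.com": {"type": "docker_hub", "username": "example_username"}},
    {"123456789010.dkr.ecr.us-west-2.amazonaws.com": {
        "type": "amazon_ecr", "aws_access_key_id": "example_aws_access_key_id"}},
    {"mycontainerregistry.azurecr.io": {"type": "acr"}},
]

if __name__ == "__main__":
    for url, problem in check_registries(SAMPLE):
        print(f"{url}: {problem}")
```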

Filters

Registry scan filters are optional but recommended.
Filters are subtractive. That is, only images that match all filters will be included in the results.

Repositories

One or more repository filter regular expression patterns to include and/or exclude may be specified.
    filters:
      repositories:
        include:
          - backend
          - utils/(.*)
        exclude:
          - (.*)dev

Tags

One or more tag filter regular expression patterns to include and/or exclude may be specified.
    filters:
      tags:
        include:
          - 1.0.\d\d\d
          - v1.2.\d\d\d
          - latest

    filters:
      tags:
        exclude:
          - (.*)beta
          - test

Push Dates

Registry scan results can be filtered by the tag push start date and/or push end date. Push date filters are inclusive.
    filters:
      push_date_start: 2021-11-01
      push_date_end: 2021-11-30
Push date filters are not currently supported for JFrog or Microsoft ACR.

Example

rfscan.yaml
    filters:
      repositories:
        include:
          - backend
          - utils/(.*)
        exclude:
          - (.*)dev
      tags:
        exclude:
          - (.*)beta
          - test
      push_date_start: 2021-12-01
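To preview which images a filter set leaves in scope, the subtractive rules above can be modelled offline. This is an added example, not rfscan's code: the page does not say whether patterns match anywhere in a name or must match the whole name, so the `anchored` switch models both as an assumption, and `select` and the `IMAGES` inventory are hypothetical.

```python
import re
from datetime import date

# Filter values copied from the page's combined example.
FILTERS = {
    "repositories": {"include": ["backend", r"utils/(.*)"], "exclude": [r"(.*)dev"]},
    "tags": {"exclude": [r"(.*)beta", "test"]},
    "push_date_start": "2021-12-01",
}

# Constructed inventory: (repository, tag, push date). Not real registry data.
IMAGES = [
    ("backend", "1.0.123", "2021-12-05"),
    ("backend", "1.0.100", "2021-11-20"),          # pushed before push_date_start
    ("backend-dev", "1.0.124", "2021-12-06"),      # name ends in "dev"
    ("utils/devtools", "v1.2.001", "2021-12-07"),  # "dev" in the middle of the name
    ("utils/logger", "1.0.200-beta", "2021-12-08"),
    ("utils/logger", "latest", "2021-12-09"),      # "latest" contains "test"
    ("frontend", "1.0.125", "2021-12-10"),         # matches no include pattern
]

def _hit(patterns, value, anchored):
    # anchored=True: the pattern must match the whole name; False: anywhere in it.
    match = re.fullmatch if anchored else re.search
    return any(match(p, value) for p in patterns)

def _passes(rules, value, anchored):
    include, exclude = rules.get("include", []), rules.get("exclude", [])
    if include and not _hit(include, value, anchored):
        return False
    return not _hit(exclude, value, anchored)

def select(images, filters, anchored=False):
    """Return 'repo:tag' for each image that satisfies every filter (subtractive)."""
    start = date.fromisoformat(filters.get("push_date_start") or "0001-01-01")
    end = date.fromisoformat(filters.get("push_date_end") or "9999-12-31")
    return [
        f"{repo}:{tag}"
        for repo, tag, pushed in images
        if _passes(filters.get("repositories", {}), repo, anchored)
        and _passes(filters.get("tags", {}), tag, anchored)
        and start <= date.fromisoformat(pushed) <= end  # both bounds inclusive
    ]

if __name__ == "__main__":
    print("unanchored:", select(IMAGES, FILTERS))
    print("anchored:  ", select(IMAGES, FILTERS, anchored=True))
```

Under unanchored matching the `test` exclude also removes the `latest` tag, so compare the selected set with the registry inventory before treating a filtered scan as full coverage.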