Prepare your Registry

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or Administrator

You must prepare the following registry types before you scan them with the Container Security Scanner.

You do not need to prepare other registry types before scanning.

Amazon Web Service (AWS) Elastic Container Registry (ECR)

For information about how to make specific configurations to your AWS ECR, see the AWS Documentation.

To prepare your AWS ECR:

  1. Obtain your AWS access keys.

    Note: Your AWS access keys consist of two parts: an access key ID and a secret access key. The access key ID is your registry username variable, and the secret access key is your registry password variable. For more information, see Tenable Container Security Scanner Environment Variables.

Azure Registry

For information about how to make specific configurations to your Azure registry, see the Azure Documentation.

To prepare your Azure registry:

  1. Create a service principal for your Azure registry and assign the AcrPull role to the service principal.

Google Cloud Platform (GCP) Google Container Registry (GCR)

For information about how to make specific configurations to your GCP GCR, see the Google Container Registry Documentation.

To prepare your GCP GCR:

  1. Create a service account in GCR with the Project Viewer role.
  2. Authenticate to your registry by creating and downloading a service account key as a JSON file (see the following example).

    {
      "type": "service_account",
      "project_id": "my-gcp-lab",
      "private_key_id": "d21bbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAAAAAAAA\nBBBBBBBB\nCCCCCCCC\nDDDDDDDD\nEEEEEEEE\nFFFFFFFF\nGGGGGGGG==\n-----END PRIVATE KEY-----\n",
      "client_email": "cs-scanner@dh-lab.iam.gserviceaccount.com",
      "client_id": "111111111111111111111",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cs-scanner%40dh-lab.iam.gserviceaccount.com"
    }
  3. Mount the service account JSON file to the path /serviceAccount.json using the docker -v flag:

    docker run -e TENABLE_ACCESS_KEY=<redacted> \
      -e TENABLE_SECRET_KEY=<redacted> \
      -e IMPORT_REPO_NAME=<repo-name> \
      -e REGISTRY_URI=https://gcr.io/<gcp-project-name> \
      -v <path-to-file>:/serviceAccount.json \
      -it tenableio-docker-consec-local.jfrog.io/cs-scanner:latest import-registry
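
As an added pre-flight check (example code written for this page, not part of Tenable's documentation or the scanner itself), the following Python validates the service account key downloaded in step 2 before it is mounted in step 3, confirms the key file is not readable by other local users, and assembles the step 3 docker run command as an argument list so that a dropped line-continuation backslash cannot silently truncate it. The sample key, project name and repository name are constructed; the environment variable names, image name and /serviceAccount.json mount path are the ones shown in the procedure above.

```python
"""Pre-flight check for the GCP service account key mounted at /serviceAccount.json.

Added example, not Tenable's code. Validates the key file from step 2 and
assembles the step 3 `docker run` command as an argv list.
"""
import json
import os
import stat
import tempfile
from typing import Dict, List
from urllib.parse import unquote

# Fields Google writes into every service account key file.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
    "client_x509_cert_url",
)

# Constructed sample key; the private key body is a placeholder, not a real key.
SAMPLE_KEY: Dict[str, str] = {
    "type": "service_account",
    "project_id": "example-lab",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cs-scanner@example-lab.iam.gserviceaccount.com",
    "client_id": "111111111111111111111",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
                            "cs-scanner%40example-lab.iam.gserviceaccount.com",
}


def validate_service_account_key(data: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the key looks usable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not data.get(field):
            problems.append(f"missing or empty field: {field}")
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, expected 'service_account'")
    email = data.get("client_email", "")
    if not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    # Google appends the URL-encoded client_email to the x509 cert URL; a mismatch
    # usually means the file was hand-edited or belongs to a different account.
    cert_url = data.get("client_x509_cert_url", "")
    if email and cert_url and unquote(cert_url.rsplit("/", 1)[-1]) != email:
        problems.append("client_x509_cert_url does not match client_email")
    pem = data.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM-encoded private key")
    return problems


def mode_is_private(mode: int) -> bool:
    """True if the file mode grants no access to group or others (e.g. 0600)."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def check_key_file(path: str) -> List[str]:
    """Parse the key file and report content and permission problems."""
    problems = []
    if not mode_is_private(stat.S_IMODE(os.stat(path).st_mode)):
        problems.append(f"{path} is readable by group/others; use chmod 600")
    with open(path, encoding="utf-8") as fh:
        problems.extend(validate_service_account_key(json.load(fh)))
    return problems


def build_import_command(key_path, project, repo_name, access_key, secret_key) -> List[str]:
    """Assemble the step 3 docker run invocation; docker -v needs an absolute host path."""
    if not os.path.isabs(key_path):
        raise ValueError("key_path must be absolute for the docker -v bind mount")
    return [
        "docker", "run",
        "-e", f"TENABLE_ACCESS_KEY={access_key}",
        "-e", f"TENABLE_SECRET_KEY={secret_key}",
        "-e", f"IMPORT_REPO_NAME={repo_name}",
        "-e", f"REGISTRY_URI=https://gcr.io/{project}",
        "-v", f"{key_path}:/serviceAccount.json",
        "-it", "tenableio-docker-consec-local.jfrog.io/cs-scanner:latest",
        "import-registry",
    ]


if __name__ == "__main__":
    # Write the constructed sample to a temp file, lock it down, then check it.
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(SAMPLE_KEY, tmp)
    os.chmod(tmp.name, 0o600)
    issues = check_key_file(tmp.name)
    print("key file problems:", issues or "none")
    if not issues:
        # The command is printed, not executed; run it once the checks pass.
        print(" ".join(build_import_command(tmp.name, SAMPLE_KEY["project_id"],
                                            "my-repo", "<access-key>", "<secret-key>")))
    os.remove(tmp.name)
```

Run the script against your real key file by pointing check_key_file at it; the permission check matters because the same file is bind-mounted into the scanner container, so it should be readable only by the account that starts the container.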
