Prepare your Registry
Required Additional License: Tenable Container Security
Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or Administrator
You must prepare the following registry types before you scan them with the Tenable Container Security Scanner.
- Amazon Web Service (AWS) Elastic Container Registry (ECR)
- Azure Registry
- Google Cloud Platform (GCP) Google Container Registry (GCR)
You do not need to prepare other registry types before scanning.
Amazon Web Service (AWS) Elastic Container Registry (ECR)
For information about how to make specific configurations to your AWS ECR, see the AWS Documentation.
To prepare your AWS ECR:
- Obtain your AWS access keys.
Note: Your AWS access keys consist of two parts: an access key ID and a secret access key. The access key ID is your registry username variable, and the secret access key is your registry password variable. For more information, see Tenable Container Security Scanner Environment Variables.
What to do next:
- Scan your repository, as described in Scan a Registry via the Tenable Container Security Scanner.
Azure Registry
For information about how to make specific configurations to your Azure registry, see the Azure Documentation.
To prepare your Azure registry:
- Create a service principal for your Azure registry and assign the AcrPull role to the service principal.
What to do next:
- Scan your repository, as described in Scan a Registry via the Tenable Container Security Scanner.
Google Cloud Platform (GCP) Google Container Registry (GCR)
For information about how to make specific configurations to your GCP GCR, see the Google Container Registry Documentation.
To prepare your GCP GCR:
- Create a service account in GCR with the Project Viewer role.
- Authenticate to your registry by creating and downloading a service account key as a JSON file (see the following example).
{
"type": "service_account",
"project_id": "my-gcp-lab",
"private_key_id": "d21bbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAAAAAAAA\nBBBBBBBB\nCCCCCCCC\nDDDDDDDD\nEEEEEEEE\nFFFFFFFF\nGGGGGGGG==\n-----END PRIVATE KEY-----\n",
"client_email": "[email protected]",
"client_id": "111111111111111111111",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cs-scanner%40dh-lab.iam.gserviceaccount.com"
}
- Mount the service account JSON file to the path /serviceAccount.json using the docker -v flag:
docker run -e TENABLE_ACCESS_KEY=<redacted> \
-e TENABLE_SECRET_KEY=<redacted> \
-e IMPORT_REPO_NAME=<repo-name> \
-e REGISTRY_URI=https://gcr.io/<gcp-project-name> \
-v <path-to-file>:/serviceAccount.json \
-it tenableio-docker-consec-local.jfrog.io/cs-scanner:latest import-registry
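As an added preflight check (example code written for this page, not part of the Tenable documentation or the scanner itself): validate the downloaded service account key file before mounting it, and build the docker run command so that the Tenable keys are read from the caller's environment instead of being typed on the command line. The constructed sample key, the owner-only file-permission rule and the read-only (:ro) mount are assumptions of this example.

```python
import json
import os
import stat
import tempfile

# Keys every GCP service-account key file carries (the layout shown above).
REQUIRED = {"type", "project_id", "private_key_id", "private_key", "client_email", "client_id", "token_uri"}

# Constructed sample shaped like the page's example; not a real credential.
SAMPLE_KEY = {
    "type": "service_account", "project_id": "my-gcp-lab",
    "private_key_id": "d21bbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAAAAAAAA\nGGGGGGGG==\n-----END PRIVATE KEY-----\n",
    "client_email": "cs-scanner@my-gcp-lab.iam.gserviceaccount.com",
    "client_id": "111111111111111111111", "token_uri": "https://oauth2.googleapis.com/token",
}

def write_sample_key(mode=0o600, **overrides):
    """Write SAMPLE_KEY (with overrides; None drops a key) to a temp file; return its path."""
    data = {k: v for k, v in {**SAMPLE_KEY, **overrides}.items() if v is not None}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh)
    os.chmod(path, mode)
    return path

def check_service_account_key(path):
    """Return a list of problems; an empty list means the file is safe to mount."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # a long-lived credential: owner-only access (assumed policy)
        problems.append(f"mode {mode:04o} is group/world readable; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    missing = sorted(REQUIRED - set(data))
    if missing:
        problems.append("missing keys: " + ", ".join(missing))
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, expected 'service_account'")
    pem = data.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----") and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM-framed key")
    return problems

def scanner_argv(key_path, project, repo, image="tenableio-docker-consec-local.jfrog.io/cs-scanner:latest"):
    """Docker argv for import-registry. TENABLE_* are bare -e names, so docker copies
    them from the caller's environment and the secrets never land in argv or shell history."""
    return ["docker", "run", "-e", "TENABLE_ACCESS_KEY", "-e", "TENABLE_SECRET_KEY",
            "-e", f"IMPORT_REPO_NAME={repo}", "-e", f"REGISTRY_URI=https://gcr.io/{project}",
            "-v", f"{os.path.abspath(key_path)}:/serviceAccount.json:ro",  # read-only mount
            "-it", image, "import-registry"]
```

Export TENABLE_ACCESS_KEY and TENABLE_SECRET_KEY in the calling shell first; if check_service_account_key returns anything, fix the file before running the returned argv with subprocess.run.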
What to do next:
- Scan your repository, as described in Scan a Registry via the Tenable Container Security Scanner.