
Add or edit a registry

Before Smart Check can scan your images, it needs to know which registries contain the images that you want to scan. You can add one or more registries (up to a maximum of 4 with a trial or basic license) to Deep Security Smart Check.

Before adding a registry

When you add a registry, you must provide authentication credentials that Deep Security Smart Check will use to access your repository. Depending on the type of registry, you can provide AWS credentials, a username and password, or a JSON key file.

If you are using Google Cloud Registry, create a service account and use its JSON key file. The service account must have at least the Storage Object Viewer role, and both the Google Cloud Resource Manager API and the Google Container Registry API must be enabled. Google provides an overview and detailed instructions for creating service accounts.

Add a registry

  1. On the left side of the Smart Check administrator console, click Registries.
  2. Click + CREATE to add a registry.
  3. On the Create Registry page, in the Name field, enter a descriptive name for the registry. This name does not necessarily need to match the namespace of your Docker registry. If you plan to add multiple registries, you’ll use this name to tell them apart in the Smart Check administrator console. The name should be short but meaningful, with a maximum of 256 characters.
  4. In the Description field, enter an optional description of the registry. This is useful if you need to capture a bit more information than the Name field allows.
  5. In the Registry Type field, select the type of registry you're adding:
    • Google Cloud Registry
    • Amazon Elastic Container Registry
    • Generic Registry
  6. Add the registry details.
    • For a Google Cloud Registry, enter:
      • JSON key file: JSON key that Smart Check will use to access your repository
      • Registry Host: Hostname or IP address of the Docker registry you want to scan
    • For an Amazon Elastic Container Registry:
      • To use an AWS IAM Access Key ID & Secret as the authentication method:
        • Region: The AWS region identifier for the region where the registry is located. Example: us-east-1.
        • Registry ID: (Optional) If you want to scan a registry in another account, put the account ID here. Example: 123456789012. If not provided, the default registry will be used.
        • Access Key ID: Your AWS access key ID. For example, AKIAIOSFODNN7EXAMPLE.
        • Secret Access Key: Your AWS secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
      • To use an Instance Role as the authentication method:
        • Region: The AWS region identifier for the region where the registry is located. Example: us-east-1.
        • Registry ID: (Optional) If you want to scan a registry in another account, put the account ID here. Example: 123456789012. If not provided, the default registry will be used.
      • To use a cross-account role with an Instance Role as the authentication method:
        • Region: The AWS region identifier for the region where the registry is located. Example: us-east-1.
        • Registry ID: (Optional) If you want to scan a registry in another account, put the account ID here. Example: 123456789012. If not provided, the default registry will be used.
        • Role ARN: The role ARN. For example, arn:aws:iam::account-id:role/ecr-readonly-role.
        • External ID: (Optional) The external ID to provide when assuming the cross-account role.
        • Role Session Name: (Optional) The session name to use when assuming the cross-account role.
      • To use a cross-account role with an AWS IAM Access Key ID & Secret as the authentication method:
        • Region: The AWS region identifier for the region where the registry is located. Example: us-east-1.
        • Registry ID: (Optional) If you want to scan a registry in another account, put the account ID here. Example: 123456789012. If not provided, the default registry will be used.
        • Role ARN: The role ARN. For example, arn:aws:iam::account-id:role/ecr-readonly-role.
        • External ID: (Optional) The external ID to provide when assuming the cross-account role.
        • Role Session Name: (Optional) The session name to use when assuming the cross-account role.
        • Access Key ID: Your AWS access key ID. For example, AKIAIOSFODNN7EXAMPLE.
        • Secret Access Key: Your AWS secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
    • For a Generic Registry, enter:
      • User ID: The user ID for authenticating to the registry.
      • Password: The password for authenticating to the registry.
      • Registry Host: The hostname or IP address of the Docker registry to scan. Example: us.gcr.io.
    • For a JFrog Registry, enter:
      • User ID: The user ID for authenticating to the registry.
      • Password: The password for authenticating to the registry.
      • Registry Host: The hostname or IP address of JFrog and the path to your Docker registry. Example: {hostname}/artifactory/api/docker/{repository}. Note that if a reverse proxy has been configured, then the /artifactory path can be removed. Example: {hostname}/api/docker/{repository}.
  7. If Start scan when registry is created is selected, a scan starts as soon as you click Create Registry.
  8. If Perform scan periodically is selected, Smart Check automatically performs a scan every day at midnight UTC.
  9. Click + ADD FILTER to include or exclude images based on any segment of their fully qualified name in the form <repository>/<image>:<tag>. For example, the include filter *latest* would match smartcheck/scan:latest and smartcheck/auth:latest. The default include filter of * will select all images in the registry.
  10. Click CREATE REGISTRY.
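
Before entering a Role ARN and External ID in step 6, it is worth checking that the role really is read-only and that its trust policy enforces the external ID. The following check is an added example, not part of the Smart Check product or its documentation. It assumes the role should grant only ECR read actions, as the example name ecr-readonly-role suggests (the page does not list the exact actions Smart Check needs), and the policy documents, account ID and external ID are constructed placeholders.

```python
import json

# ECR action prefixes that only read data (action names are case-insensitive in IAM).
READ_ONLY = ("ecr:get", "ecr:list", "ecr:describe", "ecr:batchget", "ecr:batchcheck")

def _listify(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _listify(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def audit_trust_policy(policy):
    """Flag AssumeRole grants open to any principal or lacking an ExternalId check."""
    findings = []
    for stmt in _allow_statements(policy):
        if "sts:assumerole" not in [a.lower() for a in _listify(stmt.get("Action", []))]:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _listify(principal.get("AWS", []))
        if "*" in aws:
            findings.append("trust: any AWS principal may assume the role")
        cond_keys = {k.lower() for op, kv in stmt.get("Condition", {}).items()
                     if op.lower().startswith("stringequals") for k in kv}
        if "sts:externalid" not in cond_keys:
            findings.append("trust: no sts:ExternalId condition")
    return findings

def audit_permission_policy(policy):
    """Flag every allowed action that is not an ECR read action."""
    findings = []
    for stmt in _allow_statements(policy):
        for action in _listify(stmt.get("Action", [])):
            if not action.lower().startswith(READ_ONLY):
                findings.append(f"permissions: {action} is not an ECR read action")
    return findings

# Constructed sample documents; account ID and external ID are placeholders.
SAMPLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}""")
SAMPLE_PERMISSIONS = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Resource": "*",
  "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:ListImages",
             "ecr:GetDownloadUrlForLayer", "ecr:PutImage", "ecr:BatchDeleteImage"]}]}""")

if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE_TRUST) + audit_permission_policy(SAMPLE_PERMISSIONS):
        print(finding)
```

The sample permission policy deliberately includes two write actions so the audit has something to report.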

To edit a registry, go to the Registries page, click the registry, and then click the Edit icon.

To refresh the list of images in a registry, go to the Registries page, click the registry, and then click the Sync icon.
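
The include and exclude filters from step 9 decide which images are never scanned, so it helps to preview them against the registry's image list before saving. This is an added example, not Smart Check code. It assumes filters behave like shell-style wildcards over <repository>/<image>:<tag> and that an image is scanned when it matches any include filter and no exclude filter. The image list is constructed.

```python
from fnmatch import fnmatchcase

def split_by_filters(images, include=("*",), exclude=()):
    """Return (scanned, skipped) under the assumed rule: any include match, no exclude match."""
    scanned, skipped = [], []
    for name in images:
        included = any(fnmatchcase(name, p) for p in include)
        excluded = any(fnmatchcase(name, p) for p in exclude)
        (scanned if included and not excluded else skipped).append(name)
    return scanned, skipped

def dead_filters(images, patterns):
    """Patterns that match no image at all, usually a typo in the filter."""
    return [p for p in patterns if not any(fnmatchcase(n, p) for n in images)]

# Constructed image list; the first two names are the ones used in step 9.
IMAGES = [
    "smartcheck/scan:latest",
    "smartcheck/auth:latest",
    "smartcheck/scan:1.2.0",
    "payments/api:latest",
    "payments/api:2024-01-rc1",
]

if __name__ == "__main__":
    scanned, skipped = split_by_filters(IMAGES, include=["*latest*"], exclude=["payments/*"])
    print("scanned:", scanned)
    print("never scanned:", skipped)
    print("filters matching nothing:", dead_filters(IMAGES, ["*latest*", "smartchek/*"]))
```

The skipped list is the part to review: pinned tags such as smartcheck/scan:1.2.0 fall outside a *latest* include filter and would go unscanned.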