rfScan Configuration to Scan Registries

Configure rfscan to pull images from and scan container registries

Configuration File

rfscan must be configured to pull images from container registries and scan them.
By default, rfscan will try to load the rfscan.yaml configuration file from ~/.rapidfort/rfscan.yaml. However, it can be overridden with the --configuration_file command line parameter.

The following are rfscan.yaml examples for each supported registry type:

1. Registries

Registry type: Amazon ECR


Registry URL
Specify the registry URL. Do not include http:// or https://.

Registry Type
Specify amazon_ecr.

Registry Credentials
Registry credentials are required for the following tasks:

    • Pulling images that are not present locally (i.e. docker pull)

    • Scanning registries

If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.

rfscan supports the following methods of authentication with Amazon ECR.

AWS Command Line Interface Tools: Install the AWS Command Line Interface tools on your client system and configure AWS credentials. Verify that your client system is able to authenticate with Amazon ECR and pull images.

rfscan will attempt to use the cached AWS credentials. You will not need to add credentials to the rfscan.yaml configuration file.

registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr

AWS IAM Role ARN: Configure a role and policy for Amazon ECR. At minimum, the policy must grant permission to read (pull) images and, if you would like to scan your registry, to list its repositories and image tags. Scanning never pushes to the registry, so do not grant write permissions. Verify that you are able to assume the role on your client system and pull images from Amazon ECR.

If your client system is an EC2 instance, you can assign the role to the instance. Otherwise, add the role ARN to the rfscan.yaml configuration file.

registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr
      aws_role_arn: arn:aws:iam::123456789010:role/rfscan-role

AWS Access Key Id, Secret Access Key, and Session Token: Generate a temporary access key id, secret access key, and session token (for example with aws sts get-session-token or aws sts assume-role) and add these to the rfscan.yaml configuration file. Temporary credentials expire and must be regenerated; because the file now holds secrets, make it readable only by the user running rfscan and keep it out of version control.

registries:
  - 123456789010.dkr.ecr.us-east-1.amazonaws.com:
      type: amazon_ecr
      aws_access_key_id: example_aws_access_key_id
      aws_secret_access_key: example_aws_secret_access_key
      aws_session_token: example_aws_session_token

Registry type: Docker Hub


Registry URL
Specify the registry URL. Do not include http:// or https://.

Registry Type
Specify docker_hub.


Registry Credentials

Registry credentials are required for the following tasks:

    • Pulling images that are not present locally (i.e. docker pull)

    • Scanning registries

If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.

Specify your username and password.

registries:
  - example.com:
      type: docker_hub
      username: example_username
      password: example_password

Registry type: JFrog


Registry URL
Specify the registry URL. Do not include http:// or https://.

Registry Type
Specify jfrog.


Registry Credentials
Registry credentials are required for the following tasks:

    • Pulling images that are not present locally (i.e. docker pull)

    • Scanning registries

If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.

Specify your username and password.

registries:
  - example.jfrog.io:
      type: jfrog
      username: example_username
      password: example_password


Registry type: Microsoft ACR


Registry URL
Specify the registry URL. Do not include http:// or https://.

Registry Type
Specify microsoft_acr.


Registry Credentials
Registry credentials are required for the following tasks:

    • Pulling images that are not present locally (i.e. docker pull)

    • Scanning registries

If you prefer not to provide registry credentials, rfscan also supports scanning only images that are already present locally. Your client system will be responsible for pulling images before running rfscan.

Specify your username and password.

registries:
  - example.com:
      type: microsoft_acr
      username: example_username
      password: example_password


2. Filters

Registry scan filters are optional but recommended: without them every repository and tag in the registry is pulled and scanned.
Filters are subtractive. That is, an image is included in the results only if it satisfies every filter that is specified (repositories, tags, and push dates); each additional filter can only narrow the set of images scanned.

Repositories

One or more regular-expression patterns may be specified to include and/or exclude repositories.

filters:
  repositories:
    include:
      - backend
      - utils/(.*)
    exclude:
      - (.*)dev

Tags
One or more regular-expression patterns may be specified to include and/or exclude tags. Include and exclude lists are combined under a single filters: block.


filters:
  tags:
    include:
      - 1.0.\d\d\d
      - v1.2.\d\d\d
      - latest
    exclude:
      - (.*)beta
      - test

These patterns are regular expressions, so an unescaped . matches any character: 1.0.\d\d\d also matches a tag such as 1x0y123. Write 1\.0\.\d\d\d if only the literal dots should match.

Push Dates
Registry scan results can be filtered by the date a tag was pushed, using a start date and/or an end date in YYYY-MM-DD form. Push date filters are inclusive: tags pushed on the start or end date itself are included.

filters:
  push_date_start: 2021-11-01
  push_date_end: 2021-11-30

Push date filters are not currently supported for JFrog or Microsoft ACR.

Example:

filters:
  repositories:
    include:
      - backend
      - utils/(.*)
    exclude:
      - (.*)dev
  tags:
    exclude:
      - (.*)beta
      - test
  push_date_start: 2021-12-01
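Because filters are subtractive, the cheapest way to see what a filters: block will do is to dry-run it against the list of images you expect in the registry before rfscan pulls anything. The script below is an added example written for this page, not rfscan's own code, and its matching rules are inferred from the patterns shown above: the leading (.*) in (.*)dev only makes sense if a pattern must match the whole name, so it uses anchored (full) matches; an image is kept only if it matches at least one pattern of every include list that is given, matches no exclude pattern, and was pushed inside the inclusive push-date window. The inventory it runs against is constructed for the example. It also refuses push-date filters for the jfrog and microsoft_acr types, which the page states do not support them.

```python
"""Dry-run rfscan registry filters against a list of images.

Added example, not part of rfscan. Matching semantics are assumptions inferred
from the patterns on this page (anchored regex, include = any-of, exclude = none-of).
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Any, Optional

# Types for which this page states push date filters are not supported.
NO_PUSH_DATE_FILTER = {"jfrog", "microsoft_acr"}


@dataclass(frozen=True)
class ImageRef:
    repository: str
    tag: str
    pushed: date  # push date of the tag as the registry reports it

    def __str__(self) -> str:
        return f"{self.repository}:{self.tag}"


def _to_date(value: Any) -> Optional[date]:
    """PyYAML loads a bare 2021-11-01 as a date; a quoted value arrives as str."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(str(value))


def _name_filter(name: str, rules: dict[str, Any], what: str) -> Optional[str]:
    """Return a rejection reason, or None if the name passes the include/exclude lists."""
    include = rules.get("include") or []
    exclude = rules.get("exclude") or []
    if include and not any(re.fullmatch(p, name) for p in include):
        return f"{what} {name!r} matches no include pattern"
    for p in exclude:
        if re.fullmatch(p, name):
            return f"{what} {name!r} matches exclude pattern {p!r}"
    return None


def apply_filters(filters: dict[str, Any], images: list[ImageRef], registry_type: str):
    """Split images into (selected, rejected); rejected entries carry the reason."""
    start = _to_date(filters.get("push_date_start"))
    end = _to_date(filters.get("push_date_end"))
    if (start or end) and registry_type in NO_PUSH_DATE_FILTER:
        raise ValueError(f"push date filters are not supported for {registry_type}")
    if start and end and start > end:
        raise ValueError("push_date_start is after push_date_end")
    selected: list[ImageRef] = []
    rejected: list[tuple[ImageRef, str]] = []
    for img in images:
        reason = (_name_filter(img.repository, filters.get("repositories") or {}, "repository")
                  or _name_filter(img.tag, filters.get("tags") or {}, "tag"))
        if reason is None and start and img.pushed < start:
            reason = f"pushed {img.pushed} before push_date_start {start}"
        if reason is None and end and img.pushed > end:
            reason = f"pushed {img.pushed} after push_date_end {end}"
        if reason:
            rejected.append((img, reason))
        else:
            selected.append(img)
    return selected, rejected


# Constructed sample inventory for the example; not data from a real registry.
SAMPLE_IMAGES = [
    ImageRef("backend", "1.0.123", date(2021, 12, 5)),
    ImageRef("backend", "2.0-beta", date(2021, 12, 5)),
    ImageRef("utils/parser", "latest", date(2021, 12, 10)),
    ImageRef("utils/parser-dev", "latest", date(2021, 12, 10)),
    ImageRef("frontend", "1.0.001", date(2021, 12, 20)),
    ImageRef("backend", "test", date(2022, 1, 1)),
    ImageRef("backend", "1.0.999", date(2021, 11, 30)),
    ImageRef("utils/cli", "1.0.001", date(2021, 12, 1)),
]

# The combined filters example from this page, as PyYAML would load it.
PAGE_EXAMPLE_FILTERS = {
    "repositories": {"include": ["backend", "utils/(.*)"], "exclude": ["(.*)dev"]},
    "tags": {"exclude": ["(.*)beta", "test"]},
    "push_date_start": date(2021, 12, 1),
}

if __name__ == "__main__":
    kept, dropped = apply_filters(PAGE_EXAMPLE_FILTERS, SAMPLE_IMAGES, "amazon_ecr")
    for img in kept:
        print("scan", img)
    for img, why in dropped:
        print("skip", img, "-", why)
```

Of the eight constructed images, three survive the page's combined example: backend:1.0.123, utils/parser:latest and utils/cli:1.0.001 (pushed on the start date, so kept because the window is inclusive). If the real rfscan turns out to match patterns unanchored, the rejection reasons will show it immediately: a repository such as backend-dev would then also be caught by (.*)dev without the (.*).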