Adding a New Registry to Scan

You can choose to scan immediately (On Demand) or on an on-going basis (Automatic). An on-demand scan allows you to scan repositories as well as specific images within those repositories (use date and tag filters). With an automatic scan, you can scan entire repositories on a recurring basis following a user-specified scan schedule.

Add one or more repositories to scan. In the Repository field, enter the full repository path up till the last sub-directory containing the images you want to scan (except for Google Cloud Registry and Google Artifact Registry, see the Notes below).

The following command helps you to get a list of full repository names that are part of a registry:

curl -u : https:// url>/v2/_catalog

• For Google Cloud Registry, the repository name should not include location information, because you have already provided the location under registry information. For example, the repository name should be: project-Id/repository-name.

• For Google Artifact Registry, only the repository name is needed. We'll auto-populate the full path.

• Wildcard support may be enabled for your subscription. See Wildcard Support below.
  

When the scan type is On Demand, you'll see filters that allow you to select specific images within the repository to scan.

• By Date: Filter the list of images based on when the image was created. Select one of the options on the Created Date menu for the number of days, weeks or months ago the image was created.

• By Tags: Filter the list of images to scan within the repository by selecting tags assigned to those images. Enter a single tag name and click Add. Then enter another tag name and click Add, and so on.

Using JFrog Artifactory Private registry? In this case, you'll need to select images by tag name. You can further filter images by the image pushed date.

Pushed Date: This option allows you to filter the images to be scanned based on when each image was pushed into the repository being scanned. Choose an option from the Pushed Date menu (e.g. Today, Yesterday, Last 7 Days, Last 30 Days, etc). Choose "All" to scan all images pushed into the repository regardless of the pushed date or "Custom Days" to only scan images pushed into the repository a set number of days ago that you specify.  

Configure how often an Automatic registry scan job will run – daily or weekly. Choose an option from the Recurrence menu under Scan Schedule.  

For daily scans, select the time of day you want the scan to start from the Start Time menu. The scan starts every day at the selected time.

For weekly scans, select a day of the week and the start time. The scan happens every week on the specified day and time.

You can get this feature enabled for your subscription. Contact your Technical Account Manager or Qualys support to enable it.

When this feature is enabled, you can select the Scan all images check box to force the scan on all images every time the registry scan is launched.

The Scan All Images Option for On Demand Scans:

By default, the first scan for a new registry scan schedule scans all matching images and creates a baseline. The subsequent scans include only newly found images.

The Scan All Images Option for Automatic Scans:

In automatic scans, the Scan all images option scans all images from the specified repositories every time a scan is launched.

In an Automatic scan schedule, this option is available for selection only when you have selected a weekly recurrence.

When selecting this option, you need to select either of the following options to limit the number of images retrieved for scanning:

• Image Tags Limit: Specify the maximum number of image tags to be scanned. You can enter up to 20. The tags are selected based on their created or modified date. For example, for the image tags limit of 5, the last five created or modified tags are selected. All images with the selected tags are scanned.

• Created Date: Select a time period to scan all the images created during that period. You can select up to the last three months.

• You need sensor version 1.22 or later to use the Scan all images option for automatic scans.

• The public registry must be accessible from the host where the sensor is deployed.

This feature must be enabled for your subscription. Please reach out to your Technical Account Manager or Qualys Support if you're interested in this feature.

When this feature is enabled, you’ll be able to use wildcards when entering the repository name or image tag name when configuring a registry scan schedule. Automatic scans support wildcards for repository names. On Demand scans support wildcards for repository names and image tag names.

You have these options:

• Enter .* in the Repository field to match all repository names or in the Images field to match all image tag names. For JFrog Artifactory registry, you must use AQL regular expression syntax. In this case, enter * on its own (instead of .*) for repository name or image tag name.
• Use the wildcard (*) at the start of the repository or tag name like *value to match any name that ends with the value. For example, *ABC would match DemoABC, RepoABC, SampleABC, etc.
• Use the wildcard (*) at the end of the repository or tag name like value* to match any name that starts with the value. For example, 123* would match 123456, 123ABC, 123Sample.

• For automatic jobs, if a wildcard entry is provided in the repository along with an Image tag limit filter, the sensor will scan the specified number of images from each repository.
  For example, if the image tag limit value is set to '2', the sensor will scan 2 images from each repository.