Scanning a Cloud Registry
QScanner currently supports the container registries listed below. The table also shows the authentication method QScanner uses to log in to each registry.
| Name | Authentication Method |
|---|---|
| AWS ECR | AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY |
| Azure Container Registry | username/password OR AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID |
| Docker Hub | username/password |
| Docker V2 - Harbor | username/password |
| GHCR | username/password |
| JFrog | registry-token |
| Red Hat Quay | username/password |
AWS Elastic Container Registry (AWS ECR)
QScanner pulls images from AWS ECR. It loads AWS credentials from ~/.aws/credentials if that file is present. If it is not, you must set the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY before running the scan.
If you use EventBridge, QScanner runs in a Lambda function that EventBridge triggers. The function's execution role grants it access to ECR. The Lambda runtime exposes that role's temporary credentials to the function as the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, so QScanner can pull images from ECR without any credentials being configured by hand.
```shell
# Set the required AWS environment variables
export AWS_ACCESS_KEY_ID=<access-key-id>
export AWS_SECRET_ACCESS_KEY=<secret-key>

# Run QScanner
./qscanner --pod US2 image <image-uri>:<tag>
```
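A pull failure is easier to diagnose before QScanner starts than from its output. The script below is an added example, not part of QScanner or this documentation: it parses an ECR image URI of the form `<account>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>` (or `@sha256:<digest>`), warns when the current credentials belong to a different AWS account than the registry (a cross-account pull needs a repository policy on the ECR side), confirms the image is visible with `aws ecr describe-images`, and only then invokes `./qscanner`. It assumes the AWS CLI is installed, uses the same credential sources QScanner does, and assumes the commercial AWS partition (China and FIPS endpoints have different hostnames).

```shell
#!/bin/sh
# ECR pre-flight check for QScanner (added example, not QScanner's own code).
# Usage: ./ecr-preflight.sh 123456789012.dkr.ecr.us-east-1.amazonaws.com/team/app:1.2.3
set -eu

# parse_ecr_uri URI -> prints "account region repository reference"
# Assumes the commercial partition hostname <account>.dkr.ecr.<region>.amazonaws.com.
parse_ecr_uri() {
  uri=$1
  host=${uri%%/*}
  path=${uri#*/}
  case "$host" in
    *.dkr.ecr.*.amazonaws.com) ;;
    *) echo "not an ECR image URI: $uri" >&2; return 1 ;;
  esac
  account=${host%%.*}
  region=${host#*.dkr.ecr.}
  region=${region%.amazonaws.com}
  case "$path" in
    *@sha256:*) repo=${path%%@*}; ref=${path#*@} ;;   # pinned by digest
    *:*)        repo=${path%:*};  ref=${path##*:} ;;  # pinned by tag
    *)          repo=$path;       ref=latest ;;       # no tag given
  esac
  echo "$account $region $repo $ref"
}

# image_id_arg REF -> the --image-ids shorthand for `aws ecr describe-images`
image_id_arg() {
  case "$1" in
    sha256:*) echo "imageDigest=$1" ;;
    *)        echo "imageTag=$1" ;;
  esac
}

# preflight URI -> prints the image digest if the caller can read it, fails otherwise
preflight() {
  parsed=$(parse_ecr_uri "$1")
  set -- $parsed
  account=$1 region=$2 repo=$3 ref=$4
  caller=$(aws sts get-caller-identity --query Account --output text)
  if [ "$caller" != "$account" ]; then
    echo "warning: credentials are for account $caller, registry is in $account;" \
         "a cross-account pull needs an ECR repository policy granting $caller" >&2
  fi
  aws ecr describe-images --region "$region" --registry-id "$account" \
      --repository-name "$repo" --image-ids "$(image_id_arg "$ref")" \
      --query 'imageDetails[0].imageDigest' --output text
}

main() {
  uri=$1
  digest=$(preflight "$uri")
  echo "image resolves to $digest; starting scan"
  ./qscanner --pod US2 image "$uri"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Resolving the digest first also gives you a stable identifier to record alongside the scan result, since a tag can be moved to a different image after the scan.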
Azure Container Registry (ACR)
QScanner authenticates to ACR with the Azure SDK for Go, so QScanner itself does not need the az CLI; the az command is only used below to create the service principal. The service principal must hold the AcrPull role on the registry.
```shell
# Create a service principal scoped to the registry with the AcrPull role
export SP_DATA=$(az ad sp create-for-rbac --name QScannerTest --role AcrPull --scopes "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>")

# Set the required Azure environment variables. Make sure QSCANNER_REGISTRY_USERNAME
# is not set (username/password is the alternative authentication method for ACR).
export AZURE_CLIENT_ID=$(echo "$SP_DATA" | jq -r .appId)
export AZURE_CLIENT_SECRET=$(echo "$SP_DATA" | jq -r .password)
export AZURE_TENANT_ID=$(echo "$SP_DATA" | jq -r .tenant)

# Run QScanner
./qscanner --pod US2 image <project>.azurecr.io/<image>:<tag>
```
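The three exports above fail silently in two common ways: a leftover QSCANNER_REGISTRY_USERNAME from an earlier username/password run, and the literal string "null" that `jq -r` emits when the field it was asked for is absent from the `az ad sp create-for-rbac` output. The script below is an added example, not part of QScanner or this documentation: it validates the service-principal environment before the scan (AZURE_CLIENT_ID and AZURE_TENANT_ID must be GUIDs, the secret must be non-empty and not "null", QSCANNER_REGISTRY_USERNAME must be unset) and, when the az CLI is available and the hypothetical ACR_SCOPE variable holds the registry resource ID, confirms that the principal actually has an AcrPull assignment there.

```shell
#!/bin/sh
# ACR service-principal environment check for QScanner (added example, not QScanner's own code).
# Usage: ACR_SCOPE=/subscriptions/.../registries/<registry_name> ./acr-preflight.sh <project>.azurecr.io/<image>:<tag>
set -u

# is_guid VALUE -> true when VALUE is an 8-4-4-4-12 hex GUID (the shape of appId and tenant)
is_guid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# check_acr_env CLIENT_ID CLIENT_SECRET TENANT_ID REGISTRY_USERNAME
# Prints one problem per line; returns 0 only when the environment is usable.
check_acr_env() {
  client_id=$1 client_secret=$2 tenant_id=$3 registry_username=$4
  problems=0
  if [ -n "$registry_username" ]; then
    echo "QSCANNER_REGISTRY_USERNAME is set; unset it so the service principal is used"
    problems=$((problems + 1))
  fi
  for pair in "AZURE_CLIENT_ID=$client_id" "AZURE_TENANT_ID=$tenant_id"; do
    name=${pair%%=*} value=${pair#*=}
    if ! is_guid "$value"; then
      echo "$name is not a GUID (got '${value:-<empty>}'); 'null' means jq found no such field"
      problems=$((problems + 1))
    fi
  done
  case "$client_secret" in
    ""|null) echo "AZURE_CLIENT_SECRET is empty or 'null'"; problems=$((problems + 1)) ;;
  esac
  [ "$problems" -eq 0 ]
}

main() {
  check_acr_env "${AZURE_CLIENT_ID:-}" "${AZURE_CLIENT_SECRET:-}" \
                "${AZURE_TENANT_ID:-}" "${QSCANNER_REGISTRY_USERNAME:-}" || exit 1
  # Optional: confirm the principal holds AcrPull on the registry (needs az and ACR_SCOPE).
  if command -v az >/dev/null 2>&1 && [ -n "${ACR_SCOPE:-}" ]; then
    az role assignment list --assignee "$AZURE_CLIENT_ID" --scope "$ACR_SCOPE" \
        --role AcrPull --query '[].roleDefinitionName' -o tsv | grep -q AcrPull \
      || { echo "no AcrPull assignment for $AZURE_CLIENT_ID on $ACR_SCOPE" >&2; exit 1; }
  fi
  ./qscanner --pod US2 image "$1"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The role-assignment query is scoped to the registry resource ID so that an AcrPull grant on a different registry in the same subscription does not pass the check.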