
Integrate your private container image registries with Mend

Overview

The Mend container image registry scanning solution is designed to scan container images at scale directly from image registries and identify security vulnerabilities in them.

Through our container image registry scanning, we empower you and your organization to proactively identify threats and ensure that you have a comprehensive view of your security posture in order to carry out the necessary remediations to protect your systems.

Note: In order to update the results of a previously scanned image within the Cloud Native UI, it must be rescanned with the private registry integration. For example, if new CVEs are identified after the image’s original scan date, a new private registry integration scan must be completed on the image in order to show the new findings in the Cloud Native UI.

Use cases for integrating your private container image registries with Mend

The registry integrations can be utilized in the following ways:

  • You, a DevOps Engineer, are responsible for implementing tools that scan container images stored in your organization's registry for known vulnerabilities. You are looking for a tool that automates the scan process to reduce the workload of manual reviews.

  • You, an AppSec Manager, are tasked with ensuring that no container images with known vulnerabilities are deployed in the organization's production environment from your development team. You want a visual representation of the overall state of your registries.

  • You, a Security Champion, are in charge of analyzing image registry scan findings. You want a tool that will help you in providing feedback to your development teams on what risks need to be addressed first.

Mend’s Answer: By integrating Mend with your organization's private image registry, you provide security to your organization by automatically bulk-scanning images in your registries. This enables your organization to maintain an up-to-date view of the security posture of your container images, ensuring that potential vulnerabilities are detected, triaged, and addressed promptly.

Getting it done

Configure the private registry integration

To learn more about setting up Mend with your private container image registry, read here:

Trigger the private registry integration

The registry integration scan can be started by one of the following:

  • A scan will start automatically when the private registry is initially added via the Integrations dashboard.

  • Within the Integrations dashboard, select the relevant private registry and click on the Scan Now button to initiate a scan on the chosen registry.

  • Within the Integrations dashboard → Actions column, click on Scan Now to initiate a scan on the chosen registry.

Note:

  • For optimal performance, only the latest 10 versions (tags) of each image repository are scanned within an integrated registry.

  • Longer scan times may occur for larger registries.

  • When using one of the Scan Now options, a Scan In Progress pop-up message will appear.

Review your private registry integration results

Visit our Review your Mend private container image registry integration results document for more information.

Reference

Supported registries

We support the following platforms for the Mend private registry integration:

  • Amazon ECR

  • Azure Container Registry (ACR)

  • Docker Hub

  • JFrog Artifactory Cloud

Note: We do not support scanning public registries with the Mend registry integration. Instead, you can scan individual images from Docker API-supported public registries with the Mend CLI via the mend image command.

Mend private image registry integration service user

When you configure and activate any of our private registry integrations for the first time, a service user is automatically created within the integrated Mend organization.

The service user will have a name similar to “<cn-registry-service-unique_string>”. This service user is automatically added to the admins Group (with organization administrator permissions) and is required for the integration to function properly.

You can view this service user via the Mend SCA UI → Admin - Users page.
