Container Image Scans - Registry vs. Pipeline
Introduction
Mend offers two ways to scan container images: with the Mend CLI, and with the Container Registry Integration. Each has pros and cons, and knowing them is crucial to choosing the right way to scan your images for your needs.
Pipelines
Scanning in the pipeline is the best fit when you want image scan results in the same Mend project as your SCA and SAST results. This lets you see operating system vulnerabilities in the images you actually ship, alongside the findings for the code inside them.
| Pros | Cons |
|---|---|
| Scan with the Mend CLI, which can be executed in conjunction with other SCA/SAST scans | Must scan one image at a time |
| Ability to scan directly into the desired product/project | Need to log in to scan images in a private registry |
| Ability to scan exported images in TAR archive format | |
| Ability to export reports at the end of each scan | |
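The table above implies a common pipeline pattern: log in to the private registry with credentials injected by the CI system, export each image to a TAR archive, and invoke the scanner once per image, failing the job if any scan fails. The following shell script is an added example of that wrapper and is not Mend's own code or documentation. Because this page does not give the Mend CLI's image-scan syntax, the scanner invocation is taken from the `SCAN_CMD` environment variable rather than hard-coding any flags; `DOCKER_CMD`, `OUT_DIR`, `REGISTRY_HOST`, `REGISTRY_USER` and `REGISTRY_PASSWORD` are likewise assumed names for this example.

```shell
#!/bin/sh
# Added example (not Mend's code): scan container images one at a time in a CI job.
# Each image is exported to a TAR archive and handed to the scanner command.
set -eu

# ASSUMPTION: SCAN_CMD is the scanner invocation (the page does not document the
# Mend CLI's image-scan flags, so none are hard-coded). It receives the TAR path.
: "${SCAN_CMD:=echo scanner-placeholder}"
: "${DOCKER_CMD:=docker}"
: "${OUT_DIR:=./image-scans}"

# Log in to a private registry only when the CI system injected credentials.
# The password is passed on stdin so it never appears in the process list.
registry_login() {
  if [ -n "${REGISTRY_USER:-}" ] && [ -n "${REGISTRY_PASSWORD:-}" ]; then
    printf '%s' "$REGISTRY_PASSWORD" |
      $DOCKER_CMD login "${REGISTRY_HOST:?REGISTRY_HOST is required}" \
        -u "$REGISTRY_USER" --password-stdin
  fi
}

# Scan every image reference given as an argument, one at a time.
# Writes one "<image> <tar> <ok|failed>" line per image to $OUT_DIR/manifest.txt
# and returns non-zero if any scan failed, so the pipeline step fails too.
scan_images() {
  mkdir -p "$OUT_DIR"
  manifest="$OUT_DIR/manifest.txt"
  : > "$manifest"
  failed=0
  for img in "$@"; do
    # Turn "registry/repo:tag" into a safe file name for the archive.
    safe=$(printf '%s' "$img" | tr '/:@' '___')
    tar="$OUT_DIR/$safe.tar"
    $DOCKER_CMD pull "$img"
    $DOCKER_CMD save -o "$tar" "$img"
    if $SCAN_CMD "$tar"; then
      status=ok
    else
      status=failed
      failed=$((failed + 1))
    fi
    printf '%s %s %s\n' "$img" "$tar" "$status" >> "$manifest"
  done
  echo "scanned $# image(s), $failed failed; manifest: $manifest"
  [ "$failed" -eq 0 ]
}

# Stand-alone usage: sh scan_images.sh registry.example/app:1.0 registry.example/web:2.3
if [ "$#" -gt 0 ]; then
  registry_login
  scan_images "$@"
fi
```

The manifest gives a per-image record that later pipeline stages can use to attach each exported report to the right product or project, which is the mapping the registry integration does not offer.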
How to implement
Please follow the steps in Scanning Your Applications in the Pipeline. SCA and SAST scans can be ignored if you are using the Mend Repository Integration.
Registry Integration
The Registry Integration scans all images in a private registry. Scans are triggered on demand from the Mend UI or run on a schedule. The Registry Integration is a good option for monitoring the overall health of every image in the registry.
Registry Integration currently supports the following registries:
Amazon ECR
Microsoft Azure ACR
Docker Hub (Private Cloud)
JFrog Artifactory Cloud
| Pros | Cons |
|---|---|
| On-demand registry scans | Scans all images into one application on the Mend Platform, as opposed to mapping the images to their appropriate applications |
| Scans images in a registry in bulk | |
| Runs on a cron schedule configurable in the integration settings | |
How to implement
Please follow the steps in Integrate your Container Image Registries into Mend Container.