Container Registry Integration
Plexicus can discover and scan container images stored in your private registry. This guide covers supported registries, credential setup, and scanning workflows.
Container registry scanning is available on the Scale plan and above. Check your plan at Settings → Account → Subscription Tier.
Supported Registries
Plexicus integrates with the following container registries:
| Registry | Platforms | Supported |
|---|---|---|
| AWS ECR (Elastic Container Registry) | AWS public, AWS GovCloud | ✅ Yes |
| Docker Hub | Public, Private | ✅ Yes |
| GitHub GHCR (GitHub Container Registry) | GitHub (public/private) | ✅ Yes |
| Google Artifact Registry (GAR) | Google Cloud, multi-region | ✅ Yes |
| Google Container Registry (GCR) | Google Cloud (legacy) | ✅ Yes |
| Azure ACR (Azure Container Registry) | Azure, US Gov Cloud | ✅ Yes |
| GitLab Registry | GitLab.com, self-hosted | ✅ Yes |
| JFrog Artifactory | On-prem, cloud, multi-region | ✅ Yes |
| Quay.io | Quay.io, private Quay deployments | ✅ Yes |
Adding a Registry Connection
Step 1: Navigate to Registry Connections
- Go to Settings → Registry Connections (or app.plexicus.ai/settings#registry-connections)
- Click Add Connection
Step 2: Select Platform
Choose your registry platform from the dropdown. The UI will adapt credential fields based on your selection.
Step 3: Enter Credentials
Provide the authentication details for your registry. Sensitive fields (passwords, tokens, secrets) are encrypted in transit and at rest.
AWS ECR
- Access Key ID — AWS IAM access key
- Secret Access Key — AWS IAM secret key (encrypted)
- Region — AWS region (e.g., us-east-1)
- Account ID — AWS account number
Permissions Required:
ecr:DescribeRepositories
ecr:ListImages
ecr:DescribeImages
ecr:GetDownloadUrlForLayer (for image scanning)
ecr:BatchGetImage
Docker Hub
- Username — Docker Hub username or organization name
- Password — Docker Hub password or PAT (encrypted)
- Namespace — Optional: restrict to a specific namespace
GitHub GHCR
- Username — GitHub username
- Token — GitHub personal access token (PAT) with read:packages scope (encrypted)
- User / Organization — The GitHub org/user to scan images from
Google Artifact Registry (GAR) & GCR
- Project ID — Google Cloud project ID
- Region — For GAR only: artifact registry region (e.g., us-central1)
- Service Account JSON — Optional: paste the full service account JSON for advanced auth
Permissions Required (via IAM role):
artifactregistry.repositories.get
artifactregistry.files.list
storage.buckets.get (for GCR)
Azure ACR
- Registry Name — Your Azure registry name (e.g., myregistry from myregistry.azurecr.io)
- Client ID — Azure service principal client ID
- Client Secret — Azure service principal secret (encrypted)
- Tenant ID — Azure tenant ID
GitLab Registry
- Username — GitLab username or deploy token username
- Token — GitLab deploy token or personal access token (PAT) with read_registry scope (encrypted)
- Namespace — Optional: restrict to a specific namespace
JFrog Artifactory
- Username — Artifactory username or API key
- Password — Artifactory password or API key secret (encrypted)
- Domain — Artifactory domain (e.g., artifactory.mycompany.com)
- Repository — Artifactory repository name (e.g., docker-prod)
Quay.io
- Token — Quay.io API token with repository read permissions (encrypted)
- Namespace — Quay namespace to scan (e.g., mycompany)
Step 4: Link Repositories (Optional)
Select SCM repositories to link with this registry connection. Linking enables:
- Automatic linking of discovered images to their source Dockerfiles
- Remediation PRs that update the Dockerfile when a base image has vulnerabilities
You can link repositories now or later.
Step 5: Save
Click Save Connection. Plexicus will validate credentials and test connectivity. If successful, the connection status will show Connected.
Discovering Images
Once a connection is created, you can discover images:
- Find your registry connection in the list
- Click Discover Images
  - Plexicus lists all accessible repositories and their tags
  - Records the discovery timestamp for tracking
- Wait for discovery to complete (typically 1–5 minutes for large registries)
- Click View Images to see the discovered image table
Image Table Columns
- Repository — Full image repository path (e.g., mycompany/api)
- Tags — Image tags (e.g., latest, v1.2.3). Shows first 3, with "+N" for remaining
- Digest — Image SHA-256 digest (first 12 chars shown)
- Lifecycle — Latest (top 1 tag by date), Outdated (older tags), Pending (not yet classified)
- SCM Link — Path to the Dockerfile in your repository (e.g., services/api/Dockerfile). If missing, click Link Dockerfile
- Scan Status — Pending (not yet scanned), Scanning (in progress), Completed (done), Failed (error occurred)
Scanning Images
To scan a specific registry connection's images for vulnerabilities:
- Find your registry connection in the list
- Click Scan Images
  - Plexicus queues a scan job using Trivy (container vulnerability scanner)
  - Scan status in the image table updates to Scanning
- Monitor progress by clicking View Images and checking the Scan Status column
Scan results appear in the Findings page, filtered by the image digest.
Scanning uses the same vulnerability database as the platform's SBOM scanner. Severity levels and filtering match your configured settings.
Linking Dockerfiles to Images
To enable automatic remediation of base image vulnerabilities:
- In the image table, find an image with SCM Link = "Unlinked"
- Click Link Dockerfile
- Select the SCM repository containing the Dockerfile
- Enter the Dockerfile path relative to the repository root (e.g., Dockerfile or services/api/Dockerfile)
- Click Link
Once linked, when a base image vulnerability is found:
- Plexicus can suggest Dockerfile updates (e.g., FROM ubuntu:20.04 → FROM ubuntu:22.04)
- Remediation PRs will update the Dockerfile and trigger a new build
Connection Status
Each registry connection shows a status badge:
| Status | Meaning | Action |
|---|---|---|
| Connected | ✅ Credentials valid and connectivity confirmed | Ready to discover/scan |
| Error | ❌ Authentication failed or network unreachable | Click Edit to update credentials |
| Syncing | ⏳ Discovery or scan in progress | Wait for completion |
| Unknown | ❓ Status not yet determined | Click Discover to test |
Troubleshooting
"Failed to connect" error
Cause: Invalid credentials or network access issue.
Resolution:
- Verify credentials in the registry provider's console
- Ensure your registry allows connections from Plexicus IPs
- For self-hosted registries, verify network/firewall rules
- Click Edit, update credentials, and Save
Images not discovered
Cause:
- Credentials lack repository listing permissions
- Registry has no images yet
Resolution:
- Verify the service account/user has list and describe permissions
- Check registry platform documentation for required IAM roles
- Push a test image and run discovery again
Scan fails for specific images
Cause: Image is not publicly accessible or uses unsupported formats.
Resolution:
- Verify the image can be pulled from the registry
- Check the image manifest format (OCI vs Docker)
- Contact support with the image digest and error message
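To check the manifest format and confirm the digest you report to support, the following added example (not Plexicus code) classifies raw manifest bytes by media type and computes their SHA-256 digest. The sample manifest is constructed, and the 12-character short form is assumed to be the first 12 hex characters after the sha256: prefix.

```python
import hashlib
import json

# Manifest media types defined by the Docker Registry v2 and OCI image specs.
KNOWN_TYPES = {
    "application/vnd.oci.image.manifest.v1+json": "OCI image manifest",
    "application/vnd.oci.image.index.v1+json": "OCI image index",
    "application/vnd.docker.distribution.manifest.v2+json": "Docker schema 2 manifest",
    "application/vnd.docker.distribution.manifest.list.v2+json": "Docker manifest list",
    "application/vnd.docker.distribution.manifest.v1+json": "Docker schema 1 (legacy)",
    "application/vnd.docker.distribution.manifest.v1+prettyjws": "Docker schema 1 (legacy)",
}

def describe_manifest(raw, content_type=""):
    """Return (digest, short_digest, format_name) for raw manifest bytes."""
    # The digest covers the exact bytes served; re-serialized JSON hashes differently.
    digest = "sha256:" + hashlib.sha256(raw).hexdigest()
    short = digest[len("sha256:"):][:12]  # assumption: matches the table's 12 characters
    doc = json.loads(raw)
    # Prefer the mediaType in the body, then the HTTP Content-Type header value.
    media_type = doc.get("mediaType") or content_type.split(";")[0].strip()
    if media_type in KNOWN_TYPES:
        name = KNOWN_TYPES[media_type]
    elif media_type:
        name = "unrecognized: " + media_type
    elif doc.get("schemaVersion") == 1:
        name = "Docker schema 1 (legacy), inferred"
    elif "manifests" in doc:
        name = "image index or manifest list, inferred"
    elif "layers" in doc:
        name = "image manifest, inferred"
    else:
        name = "unknown"
    return digest, short, name

# Constructed sample: a minimal OCI manifest with a placeholder config digest.
_PLACEHOLDER = "sha256:" + "0" * 64
SAMPLE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "size": 2, "digest": _PLACEHOLDER},
    "layers": [],
}, separators=(",", ":")).encode()
SAMPLE_PRETTY = json.dumps(json.loads(SAMPLE), indent=2).encode()  # same content, new bytes

if __name__ == "__main__":
    print(describe_manifest(SAMPLE))
    print(describe_manifest(SAMPLE_PRETTY))
```

The two sample inputs carry identical content but produce different digests, so hash the manifest bytes exactly as the registry served them rather than a pretty-printed copy.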
Security Considerations
- Credentials encryption: All registry credentials are encrypted at rest using AES-256 and in transit over TLS 1.2+
- Scope limitation: Use minimal-privilege service accounts (read repositories only; no delete/write)
- Audit logging: All registry discovery and scan actions are logged in your Audit Log
- Data retention: Discovered image metadata is retained per your plan's data retention policy
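One way to apply the scope-limitation advice to the AWS ECR credentials described earlier: this added example (not Plexicus code) compares an IAM policy document against the five ECR actions listed under Permissions Required and reports anything broader for review. The sample policy is constructed, and Deny statements, Resource scoping and Condition keys are not evaluated.

```python
import fnmatch
import json

# The five read-only ECR actions listed under "Permissions Required" on this page.
REQUIRED = {
    "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
}

def _as_list(value):
    # IAM accepts a single string or object where a list is also allowed.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (excess, missing) for an IAM identity policy document.

    excess:  Allow patterns that grant, or may grant, more than REQUIRED.
    missing: REQUIRED actions that no Allow pattern covers.
    """
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    patterns, excess = set(), set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            excess.add("NotAction")
        patterns.update(_as_list(stmt.get("Action", [])))
    required_lower = {a.lower() for a in REQUIRED}  # IAM action names are case-insensitive
    for pattern in patterns:
        # Any wildcard can match actions outside the list, so flag it conservatively.
        if "*" in pattern or "?" in pattern or pattern.lower() not in required_lower:
            excess.add(pattern)
    missing = {
        action for action in REQUIRED
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    }
    return sorted(excess), sorted(missing)

# Constructed sample policy: too broad in two places and missing two required actions.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr:DescribeRepositories", "ecr:ListImages", "ecr:Describe*"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ecr:BatchDeleteImage"},
    {"Effect": "Deny", "Resource": "*", "Action": "ecr:PutImage"},
]})

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```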
Related Pages
- Scanner Tools Catalog — Learn about Trivy and other scanning tools
- Finding Triage — View scan results and prioritize remediations
- Domain Verification — Required for certificate-based registry auth