
Container Registry Integration

Plexicus can discover and scan container images stored in your private registry. This guide covers supported registries, credential setup, and scanning workflows.

Note

Container registry scanning is available on Scale plan and above. Check your plan at Settings → Account → Subscription Tier.

Supported Registries

Plexicus integrates with the following container registries:

| Registry | Platforms | Supported |
|---|---|---|
| AWS ECR (Elastic Container Registry) | AWS public, AWS GovCloud | ✅ Yes |
| Docker Hub | Public, Private | ✅ Yes |
| GitHub GHCR (GitHub Container Registry) | GitHub (public/private) | ✅ Yes |
| Google Artifact Registry (GAR) | Google Cloud, multi-region | ✅ Yes |
| Google Container Registry (GCR) | Google Cloud (legacy) | ✅ Yes |
| Azure ACR (Azure Container Registry) | Azure, US Gov Cloud | ✅ Yes |
| GitLab Registry | GitLab.com, self-hosted | ✅ Yes |
| JFrog Artifactory | On-prem, cloud, multi-region | ✅ Yes |
| Quay.io | Quay.io, private Quay deployments | ✅ Yes |

Adding a Registry Connection

Step 1: Navigate to Registry Connections

  1. Go to Settings → Registry Connections (or app.plexicus.ai/settings#registry-connections)
  2. Click Add Connection

Step 2: Select Platform

Choose your registry platform from the dropdown. The UI will adapt credential fields based on your selection.

Step 3: Enter Credentials

Provide the authentication details for your registry. Sensitive fields (passwords, tokens, secrets) are encrypted in transit and at rest.

AWS ECR

  • Access Key ID — AWS IAM access key
  • Secret Access Key — AWS IAM secret key (encrypted)
  • Region — AWS region (e.g., us-east-1)
  • Account ID — AWS account number

Permissions Required:

  • ecr:DescribeRepositories
  • ecr:ListImages
  • ecr:DescribeImages
  • ecr:GetDownloadUrlForLayer (for image scanning)
  • ecr:BatchGetImage
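As an added example (not from the Plexicus documentation), an IAM policy that grants the connection's IAM user exactly the five read actions listed above and nothing else, scoped to repositories in the configured Region and Account ID; the account number 123456789012, the region us-east-1 and the repository prefix mycompany/ are placeholders to replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PlexicusRegistryReadOnly",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/mycompany/*"
    }
  ]
}
```

Because the policy names no ecr:Put*, ecr:BatchDelete* or lifecycle-policy actions, a leaked Secret Access Key can read but never alter or remove images; if the scanner authenticates through the registry's Docker endpoint rather than the ECR API alone, the account-wide ecr:GetAuthorizationToken action (resource "*") is additionally required, which this page does not list.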

Docker Hub

  • Username — Docker Hub username or organization name
  • Password — Docker Hub password or PAT (encrypted)
  • Namespace — Optional: restrict to a specific namespace

GitHub GHCR

  • Username — GitHub username
  • Token — GitHub personal access token (PAT) with read:packages scope (encrypted)
  • User / Organization — The GitHub org/user to scan images from

Google Artifact Registry (GAR) & GCR

  • Project ID — Google Cloud project ID
  • Region — For GAR only: artifact registry region (e.g., us-central1)
  • Service Account JSON — Optional: paste the full service account JSON for advanced auth

Permissions Required (via IAM role):

  • artifactregistry.repositories.get
  • artifactregistry.files.list
  • storage.buckets.get (for GCR)

Azure ACR

  • Registry Name — Your Azure registry name (e.g., myregistry from myregistry.azurecr.io)
  • Client ID — Azure service principal client ID
  • Client Secret — Azure service principal secret (encrypted)
  • Tenant ID — Azure tenant ID

GitLab Registry

  • Username — GitLab username or deploy token username
  • Token — GitLab deploy token or personal access token (PAT) with read_registry scope (encrypted)
  • Namespace — Optional: restrict to a specific namespace

JFrog Artifactory

  • Username — Artifactory username or API key
  • Password — Artifactory password or API key secret (encrypted)
  • Domain — Artifactory domain (e.g., artifactory.mycompany.com)
  • Repository — Artifactory repository name (e.g., docker-prod)

Quay.io

  • Token — Quay.io API token with repository read permissions (encrypted)
  • Namespace — Quay namespace to scan (e.g., mycompany)

Step 4: Link SCM Repositories

Select SCM repositories to link with this registry connection. Linking enables:

  • Automatic linking of discovered images to their source Dockerfiles
  • Remediation PRs that update the Dockerfile when a base image has vulnerabilities

You can link repositories now or later.

Step 5: Save

Click Save Connection. Plexicus will validate credentials and test connectivity. If successful, the connection status will show Connected.

Discovering Images

Once a connection is created, you can discover images:

  1. Find your registry connection in the list
  2. Click Discover Images
    • Plexicus lists all accessible repositories and their tags
    • Records the discovery timestamp for tracking
  3. Wait for discovery to complete (typically 1–5 minutes for large registries)
  4. Click View Images to see the discovered image table

Image Table Columns

  • Repository — Full image repository path (e.g., mycompany/api)
  • Tags — Image tags (e.g., latest, v1.2.3). Shows first 3, with "+N" for remaining
  • Digest — Image SHA-256 digest (first 12 chars shown)
  • Lifecycle — Latest (top 1 tag by date), Outdated (older tags), Pending (not yet classified)
  • SCM Link — Path to the Dockerfile in your repository (e.g., services/api/Dockerfile). If missing, click Link Dockerfile
  • Scan Status — Pending (not yet scanned), Scanning (in progress), Completed (done), Failed (error occurred)

Scanning Images

To scan a specific registry connection's images for vulnerabilities:

  1. Find your registry connection in the list
  2. Click Scan Images
    • Plexicus queues a scan job using Trivy (container vulnerability scanner)
    • Scan status in the image table updates to Scanning
  3. Monitor progress by clicking View Images and checking the Scan Status column

Scan results appear in the Findings page, filtered by the image digest.

Note

Scanning uses the same vulnerability database as the platform's SBOM scanner. Severity levels and filtering match your configured settings.

Linking Dockerfiles to Images

To enable automatic remediation of base image vulnerabilities:

  1. In the image table, find an image with SCM Link = "Unlinked"
  2. Click Link Dockerfile
  3. Select the SCM repository containing the Dockerfile
  4. Enter the Dockerfile path relative to the repository root (e.g., Dockerfile or services/api/Dockerfile)
  5. Click Link

Once linked, when a base image vulnerability is found:

  • Plexicus can suggest Dockerfile updates (e.g., FROM ubuntu:20.04 → FROM ubuntu:22.04)
  • Remediation PRs will update the Dockerfile and trigger a new build

Connection Status

Each registry connection shows a status badge:

| Status | Meaning | Action |
|---|---|---|
| Connected ✅ | Credentials valid and connectivity confirmed | Ready to discover/scan |
| Error ❌ | Authentication failed or network unreachable | Click Edit to update credentials |
| Syncing ⏳ | Discovery or scan in progress | Wait for completion |
| Unknown ❓ | Status not yet determined | Click Discover to test |

Troubleshooting

"Failed to connect" error

Cause: Invalid credentials or network access issue.

Resolution:

  1. Verify credentials in the registry provider's console
  2. Ensure your registry allows connections from Plexicus IPs
  3. For self-hosted registries, verify network/firewall rules
  4. Click Edit, update credentials, and Save

Images not discovered

Cause:

  • Credentials lack repository listing permissions
  • Registry has no images yet

Resolution:

  1. Verify the service account/user has list and describe permissions
  2. Check registry platform documentation for required IAM roles
  3. Push a test image and run discovery again

Scan fails for specific images

Cause: Image is not publicly accessible or uses unsupported formats.

Resolution:

  1. Verify the image can be pulled from the registry
  2. Check the image manifest format (OCI vs Docker)
  3. Contact support with the image digest and error message

Security Considerations

  • Credentials encryption: All registry credentials are encrypted at rest using AES-256 and in transit over TLS 1.2+
  • Scope limitation: Use minimal-privilege service accounts (read repositories only; no delete/write)
  • Audit logging: All registry discovery and scan actions are logged in your Audit Log
  • Data retention: Discovered image metadata is retained per your plan's data retention policy