Update Registry Settings

PUT /api/v33.03/settings/registry

x-prisma-cloud-target-env: {"permission":"policyContainers"}

Updates the registries to scan. The list of registries to scan is updated in a single shot.

To invoke this endpoint in the Console UI:

Navigate to Defend > Vulnerabilities > Images > Registry settings.
Under the Registries table, add a registry item using + Add registry
Click the Save button.

Note: From 22.11 (Lagrange) release or later, you can add a maximum of 19,999 registry entries in Defend > Vulnerabilities > Images > Registry settings.

The API response returns an HTTP 400 error, if the number of registry specifications exceeds the maximum allowable limit of 19,999 registry entries.

General Set up and Scan Process

This endpoint works hand-in-hand with the /policies endpoints.

To set up a registry for scanning:

Add your registry account information using this endpoint.

For example, specify the location and credentials of an ECR registry in your AWS account.
Prisma Cloud auto-discovers the images in the registries specified with this endpoint.
The list of auto-discovered images is passed to the scanner for evaluation.

The scanner uses the corresponding /policies/vulnerability/images and /policies/compliance/images endpoints to assess each image.

cURL Request

Each registry to scan is specified as an item in the specifications array.

Note: Submitting a PUT request with the specifications array will first erase all the existing Registry entries, and then insert the new specifications array from the PUT request.

An empty body will also erase all the existing Registry entries. For more information, see Remove a Registry.

We recommend that you send a GET scan settings request via Get Registry Settings and save the JSON response before sending a PUT API request to update the Registry Settings.

The critical fields for this endpoint are:

registry - String specifying the registry URL.
credentialID - String specifying the registry credential.
version - String specifying the type of registry to scan and may be one of the following strings:

Version	Description
`aws`	Amazon EC2 Container Registry
`azure`	Azure Container Registry
`2`	Docker Registry v2
`dtr`	Docker Trusted Registry
`gcr`	Google Container Registry
`jfrog`	JFrog Artifactory
`sonatype`	Sonatype Nexus
`coreos`	CoreOS Quay
`redhat`	Red Hat OpenShift
`bluemix`	IBM Cloud Container Registry

The remaining fields in the specifications object (e.g., repository, exclusions, etc.) are optional. They let you refine the scope of what Prisma Cloud auto-discovers.

Note: An empty string in registry implicitly refers to Docker Hub. In repository, use the library/ namespace to specify a Docker official image. To see the current list of Docker official images, see here.

Set up a Private Registry for Scanning

Most registries you'll configure for scanning will be private. Prisma Cloud needs credentials to access private registries. To set this up:

Create the credentials with the /credentials endpoint.
Retrieve the credential ID from the /credentials endpoint (_id).
Create the registry setting with the recommended minimum required fields (version, registry, and credentialID).

Example cURL Request

The following cURL command overwrites the current list of registries to scan with two new registries:

The official Ubuntu 18.04 image in Docker Hub
All repositories in a private AWS ECR registry

$ curl 'https://<CONSOLE>/api/v<VERSION>/settings/registry' \
  -k \
  -X PUT \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -d \
  '{
    "specifications": [
      {
        "version": "2",
        "registry": "",
        "repository": "library/ubuntu",
        "tag": "18.04",
        "os": "linux",
        "cap": 5,
        "credentialID": "<CREDENTIAL_ID1>",
        "scanners": 2,
        "collections": ["All"]
      },
      {
        "version": "aws",
        "registry": "<ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com",
        "os": "linux",
        "credentialID": "<CREDENTIAL_ID2>",
        "scanners": 2,
        "cap": 5,
        "collections": ["All"]
      }
    ]
  }'

Note: No response will be returned upon successful execution.

Remove a Registry

To remove a registry from the list:

Retrieve the current list using the GET method.
Remove the entry from the specifications JSON array in the response.
Use the PUT method to submit the updated JSON object.

To delete all entries, submit an empty specifications array. For example:

curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X PUT \
  -d '{"specifications":[]}' \
  https://<CONSOLE>/api/v<VERSION>/settings/registry

Request

Query Parameters

scanLater boolean

ScanLater indicates to save the setting without starting a scan.

application/json

Body

harborScannerUrlSuffixstring

Relative path to the Harbor scanner endpoint.

specifications object[]

Information for connecting to the registries to be scanned.

Array [

azureCloudMetadata object

caCertstring

CACert is the Certificate Authority that signed the registry certificate.

capinteger

Specifies the maximum number of images from each repo to fetch and scan, sorted by most recently modified.

collectionsstring (string)[]

Specifies the set of Defenders in-scope for working on a scan job.

credential object

Credential specifies the authentication data of an external provider

_idstring

Specifies the unique ID for credential.

accountGUIDstring

Specifies the unique ID for an IBM Cloud account.

accountIDstring

Specifies the account identifier. Example: a username, access key, account GUID, and so on.

accountNamestring

Specifies the name of the cloud account.

apiToken object

azureSPInfo object

caCertstring

Specifies the CA certificate for a certificate-based authentication.

cloudProviderAccountIDstring

Specifies the cloud provider account ID.

createddate-time

Specifies the time when the credential was created (or, when the account ID was changed for AWS).

descriptionstring

Specifies the description for a credential.

externalboolean

Indicates whether the credential was onboarded from the Prisma platform.

globalboolean

Indicates whether the credential scope is global. Available values are: true: Global false: Not Global Note: For GCP, the credential scope is the organization.

lastModifieddate-time

Specifies the time when the credential was last modified.

ociCred object

ownerstring

Specifies the user who created or modified the credential.

prismaLastModifiedint64

Specifies the time when the account was last modified by Prisma Cloud Compute.

roleArnstring

Specifies the Amazon Resource Name (ARN) of the role to be assumed.

secret object

skipVerifyboolean

Indicates whether to skip the certificate verification in TLS communication.

stsEndpointsstring (string)[]

Specifies a list of specific endpoints for use in STS sessions in various regions.

tokens object

typecred.Type (string)

Type specifies the credential type

Possible values: [aws,azure,gcp,ibmCloud,oci,apiToken,basic,dtr,kubeconfig,certificate,gitlabToken]

urlstring

Specifies the base server URL.

useAWSRoleboolean

Indicates whether to authenticate using the IAM Role attached to the instance. Available values are: true: Authenticate with the attached credentials false: Don’t authenticate with the attached credentials.

useSTSRegionalEndpointboolean

Indicates whether to use the regional STS endpoint for an STS session. Available values are: true: Use the regional STS false: Don’t use the regional STS.

credentialIDstring

ID of the credentials in the credentials store to use for authenticating with the registry.

excludedRepositoriesstring (string)[]

Repositories to exclude from scanning.

excludedTagsstring (string)[]

Tags to exclude from scanning.

gitlabRegistrySpec object

harborDeploymentSecurityboolean

Indicates whether the Prisma Cloud plugin uses temporary tokens provided by Harbor to scan images in projects where Harbor's deployment security setting is enabled.

idstring

ID is a unique identifier of the registry spec.

jfrogRepoTypesshared.JFrogRepoType (string)[]

JFrog Artifactory repository types to scan.

Possible values: [local,remote,virtual]

lastScanStatusstring

LastScanStatus is the last scan status. we keep both LastScanStatus and ScanStatus in order to not lose the latest scan status when a scan starts.

lastScanTimedate-time

LastScanTime specifies the last time a scan was completed.

namespacestring

IBM Bluemix namespace https://console.bluemix.net/docs/services/Registry/registry_overview.html#registry_planning.

osshared.RegistryOSType (string)

RegistryOSType specifies the registry images base OS type

Possible values: [linux,linuxARM64,windows]

registrystring

Registry address (e.g., https://gcr.io).

repositorystring

Repositories to scan.

scanErrorstring

ScanError is the error received while scanning the specification.

scanStatusstring

ScanStatus is the scan status that's updated dynamically during the scan, when the scan finishes - its value is passed to the LastScanStatus field in the DB.

scanTimedate-time

ScanTime specifies the time a scan was started.

scannedImagesSuccessTotalinteger

ScannedImagesSuccessTotal is the total number of registry images that were scanned successfully on the last registry specification scan.

scannersinteger

Number of Defenders that can be utilized for each scan job.

tagstring

Tags to scan.

versionstring

Registry type. Determines the protocol Prisma Cloud uses to communicate with the registry.

versionPatternstring

Pattern heuristic for quickly filtering images by tags without having to query all images for modification dates.

]

webhookUrlSuffixstring

Relative path to the webhook HTTP endpoint.

Responses

200
default

CURL

curl -L -X PUT 'https://pan.dev/api/v33.03/settings/registry' \
-H 'Content-Type: application/json'

Parameters

scanLater — query

Body

{
  "harborScannerUrlSuffix": "string",
  "specifications": [
    {
      "azureCloudMetadata": {
        "accountID": "string",
        "awsExecutionEnv": "string",
        "image": "string",
        "labels": [
          {
            "key": "string",
            "sourceName": "string",
            "sourceType": [
              "namespace",
              "deployment",
              "aws",
              "azure",
              "gcp",
              "oci"
            ],
            "timestamp": "2024-07-29T15:51:28.071Z",
            "value": "string"
          }
        ],
        "name": "string",
        "provider": [
          "aws",
          "azure",
          "gcp",
          "alibaba",
          "oci",
          "others"
        ],
        "region": "string",
        "resourceID": "string",
        "resourceURL": "string",
        "type": "string",
        "vmID": "string",
        "vmImageID": "string"
      },
      "caCert": "string",
      "cap": 0,
      "collections": [
        "string"
      ],
      "credential": {
        "_id": "string",
        "accountGUID": "string",
        "accountID": "string",
        "accountName": "string",
        "apiToken": {
          "encrypted": "string",
          "plain": "string"
        },
        "azureSPInfo": {
          "clientId": "string",
          "miType": [
            "user-assigned",
            "system-assigned"
          ],
          "subscriptionId": "string",
          "tenantId": "string"
        },
        "caCert": "string",
        "cloudProviderAccountID": "string",
        "created": "2024-07-29T15:51:28.071Z",
        "description": "string",
        "external": true,
        "global": true,
        "lastModified": "2024-07-29T15:51:28.071Z",
        "ociCred": {
          "fingerprint": "string",
          "tenancyId": "string"
        },
        "owner": "string",
        "prismaLastModified": 0,
        "roleArn": "string",
        "secret": {
          "encrypted": "string",
          "plain": "string"
        },
        "skipVerify": true,
        "stsEndpoints": [
          "string"
        ],
        "tokens": {
          "awsAccessKeyId": "string",
          "awsSecretAccessKey": {
            "encrypted": "string",
            "plain": "string"
          },
          "duration": 0,
          "expirationTime": "2024-07-29T15:51:28.071Z",
          "token": {
            "encrypted": "string",
            "plain": "string"
          }
        },
        "type": [
          "aws",
          "azure",
          "gcp",
          "ibmCloud",
          "oci",
          "apiToken",
          "basic",
          "dtr",
          "kubeconfig",
          "certificate",
          "gitlabToken"
        ],
        "url": "string",
        "useAWSRole": true,
        "useSTSRegionalEndpoint": true
      },
      "credentialID": "string",
      "excludedRepositories": [
        "string"
      ],
      "excludedTags": [
        "string"
      ],
      "gitlabRegistrySpec": {
        "apiDomainName": "string",
        "excludedGroupIDs": [
          "string"
        ],
        "groupIDs": [
          "string"
        ],
        "projectIDs": [
          "string"
        ],
        "userID": "string"
      },
      "harborDeploymentSecurity": true,
      "id": "string",
      "jfrogRepoTypes": [
        "local",
        "remote",
        "virtual"
      ],
      "lastScanStatus": "string",
      "lastScanTime": "2024-07-29T15:51:28.071Z",
      "namespace": "string",
      "os": [
        "linux",
        "linuxARM64",
        "windows"
      ],
      "registry": "string",
      "repository": "string",
      "scanError": "string",
      "scanStatus": "string",
      "scanTime": "2024-07-29T15:51:28.071Z",
      "scannedImagesSuccessTotal": 0,
      "scanners": 0,
      "tag": "string",
      "version": "string",
      "versionPattern": "string"
    }
  ],
  "webhookUrlSuffix": "string"
}

Update Registry Settings

/api/v33.03/settings/registry

General Set up and Scan Process​

cURL Request​

Set up a Private Registry for Scanning​

Example cURL Request​

Remove a Registry​

Request​

Query Parameters

Body

Responses​

General Set up and Scan Process

cURL Request

Set up a Private Registry for Scanning

Example cURL Request

Remove a Registry

Request

Responses