Skip to main content

Add Registry Settings

POST 

/api/v33.01/settings/registry

x-prisma-cloud-target-env: {"permission":"policyContainers"}

Specifies a single registry to scan.

Each registry to scan is specified as an item in the specifications array. The POST method appends an entry to the specifications array. In contrast, the PUT method adds all registries in a single shot, completely overwriting any previous configuration by replacing the contents of the specifications array. For more information about the specifications array, see the GET endpoint.

The version string specifies the type of registry to scan. It can be one of the following strings:

  • Amazon EC2 Container Registry: aws
  • Azure Container Registry: azure
  • CoreOS Quay: coreos
  • Docker Registry v2: 2
  • Docker Trusted Registry: dtr
  • Google Container Registry: gcr
  • GitLab Container Registry: gitlab
  • Harbor Registry: harbor
  • IBM Cloud Container Registry: bluemix
  • JFrog Artifactory: jfrog
  • Red Hat OpenShift: redhat
  • Sonatype Nexus: sonatype

Note: From Lagrange 22.11 release or later, you can add a maximum of 19,999 registry entries in Defend > Vulnerabilities > Images > Registry settings.

The API response returns an HTTP 400 error if the number of registry specifications exceeds the maximum allowable limit of 19,999 registry entries.

cURL Request

Refer to the following example cURL command that configures Prisma Cloud Compute to scan the Ubuntu 16.04 repository on Docker Hub:

curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '
{
"version": "2",
"registry": "",
"repository": "library/ubuntu",
"tag": "16.04",
"os": "linux",
"cap": 5,
"hostname": "",
"scanners": 2,
"collections": ["All"]
} ' \
'https://<CONSOLE>/api/v<VERSION>/settings/registry'

Starting with 30.03, you can directly add a GitLab Container Registry. To add settings for a GitLab Container Registry, you must specify the following parameters:

  • version: Specify the value gitlab for GitLab Container Registry.
  • registry: Specify the GitLab registry URL address. For example, for native registries, you can specify the address as "https://registry.gitlab.com"
  • credentialID: Specify the GitLab credential that you added in the credential store in Prisma Cloud Compute. For example, an API token that has at least the read_api scope.
  • gitlabRegistrySpec: Specify at least one of the following fields:
    • userID: Specify your GitLab user ID to add all registries associated with it.
    • projectIDs: Specify the project IDs to add all registries associated with a GitLab project.
    • groupIDs: Specify the group ID to add all registries associated with a GitLab group.
    • excludedGroupIDs: Specify the top-level group IDs that you don't want to add.

Refer to the following example cURL command:

curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '
{
"version":"gitlab",
"registry":"https://registry.gitlab.com",
"namespace":"",
"repository":"",
"tag":"",
"credentialID":"<Credential ID from Credential Store>",
"os":"linux",
"harborDeploymentSecurity":false,
"collections":["All"],
"cap":5,
"scanners":2,
"versionPattern":"",
"gitlabRegistrySpec":{"userID":"14631394"}
} ' \
'https://<CONSOLE>/api/v<VERSION>/settings/registry'

Request

Query Parameters

    scanLater boolean

    ScanLater indicates to save the setting without starting a scan.

Body

    azureCloudMetadata object

    CloudMetadata is the metadata for a cloud provider managed asset (e.g., as part of AWS/GCP/Azure/OCI)

    accountID string

    Cloud account ID.

    awsExecutionEnv string

    AWS execution environment (e.g. EC2/Fargate).

    image string

    The name of the image the cloud managed host or container is based on.

    labels object[]

    Cloud provider metadata labels.

  • Array [
  • key string

    Label key.

    sourceName string

    Source name (e.g., for a namespace, the source name can be 'twistlock').

    sourceType common.ExternalLabelSourceType (string)

    Possible values: [namespace,deployment,aws,azure,gcp,oci]

    ExternalLabelSourceType indicates the source of the labels

    timestamp date-time

    Time when the label was fetched.

    value string

    Value of the label.

  • ]
  • name string

    Resource name.

    provider common.CloudProvider (string)

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

    region string

    Resource's region.

    resourceID string

    Unique ID of the resource.

    resourceURL string

    Server-defined URL for the resource.

    type string

    Instance type.

    vmID string

    Azure unique vm ID.

    vmImageID string

    VMImageID holds the VM instance's image ID.

    caCert string

    CACert is the Certificate Authority that signed the registry certificate.

    cap integer

    Specifies the maximum number of images from each repo to fetch and scan, sorted by most recently modified.

    collections string (string)[]

    Specifies the set of Defenders in-scope for working on a scan job.

    credential object

    Credential specifies the authentication data of an external provider

    _id string

    Specifies the unique ID for credential.

    accountGUID string

    Specifies the unique ID for an IBM Cloud account.

    accountID string

    Specifies the account identifier. Example: a username, access key, account GUID, and so on.

    accountName string

    Specifies the name of the cloud account.

    apiToken object

    Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database

    encrypted string

    Specifies an encrypted value of the secret.

    plain string

    Specifies the plain text value of the secret.

    azureSPInfo object

    AzureSPInfo contains the Azure credentials needed for certificate based authentications

    clientId string

    ClientID is the client identifier.

    miType cred.AzureMIType (string)

    Possible values: [user-assigned,system-assigned]

    subscriptionId string

    SubscriptionID is a GUID that uniquely identifies the subscription to use Azure services.

    tenantId string

    TenantID is the ID of the AAD directory in which the application was created.

    caCert string

    Specifies the CA certificate for a certificate-based authentication.

    cloudProviderAccountID string

    Specifies the cloud provider account ID.

    created date-time

    Specifies the time when the credential was created (or, when the account ID was changed for AWS).

    description string

    Specifies the description for a credential.

    external boolean

    Indicates whether the credential was onboarded from the Prisma platform.

    global boolean

    Indicates whether the credential scope is global. Available values are: true: Global false: Not Global Note: For GCP, the credential scope is the organization.

    lastModified date-time

    Specifies the time when the credential was last modified.

    ociCred object

    OCICred are additional parameters required for OCI credentials

    fingerprint string

    Fingerprint is the public key signature.

    tenancyId string

    TenancyID is the OCID of the tenancy.

    owner string

    Specifies the user who created or modified the credential.

    prismaLastModified int64

    Specifies the time when the account was last modified by Prisma Cloud Compute.

    roleArn string

    Specifies the Amazon Resource Name (ARN) of the role to be assumed.

    secret object

    Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database

    encrypted string

    Specifies an encrypted value of the secret.

    plain string

    Specifies the plain text value of the secret.

    skipVerify boolean

    Indicates whether to skip the certificate verification in TLS communication.

    stsEndpoints string (string)[]

    Specifies a list of specific endpoints for use in STS sessions in various regions.

    tokens object
    awsAccessKeyId string

    Specifies a temporary access key.

    awsSecretAccessKey object

    Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database

    encrypted string

    Specifies an encrypted value of the secret.

    plain string

    Specifies the plain text value of the secret.

    duration int64

    Specifies a duration for the token.

    expirationTime date-time

    Specifies an expiration time for the token.

    token object

    Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database

    encrypted string

    Specifies an encrypted value of the secret.

    plain string

    Specifies the plain text value of the secret.

    type cred.Type (string)

    Possible values: [aws,azure,gcp,ibmCloud,oci,apiToken,basic,dtr,kubeconfig,certificate,gitlabToken]

    Type specifies the credential type

    url string

    Specifies the base server URL.

    useAWSRole boolean

    Indicates whether to authenticate using the IAM Role attached to the instance. Available values are: true: Authenticate with the attached credentials false: Don’t authenticate with the attached credentials.

    useSTSRegionalEndpoint boolean

    Indicates whether to use the regional STS endpoint for an STS session. Available values are: true: Use the regional STS false: Don’t use the regional STS.

    credentialID string

    ID of the credentials in the credentials store to use for authenticating with the registry.

    excludedRepositories string (string)[]

    Repositories to exclude from scanning.

    excludedTags string (string)[]

    Tags to exclude from scanning.

    gitlabRegistrySpec object

    GitlabRegistrySpec represents a specification for registry scanning in GitLab

    apiDomainName string

    .

    excludedGroupIDs string (string)[]

    .

    groupIDs string (string)[]

    .

    projectIDs string (string)[]

    .

    userID string

    .

    harborDeploymentSecurity boolean

    Indicates whether the Prisma Cloud plugin uses temporary tokens provided by Harbor to scan images in projects where Harbor's deployment security setting is enabled.

    id string

    ID is a unique identifier of the registry spec.

    jfrogRepoTypes shared.JFrogRepoType (string)[]

    Possible values: [local,remote,virtual]

    JFrog Artifactory repository types to scan.

    lastScanStatus string

    LastScanStatus is the last scan status. we keep both LastScanStatus and ScanStatus in order to not lose the latest scan status when a scan starts.

    lastScanTime date-time

    LastScanTime specifies the last time a scan was completed.

    namespace string

    IBM Bluemix namespace https://console.bluemix.net/docs/services/Registry/registry_overview.html#registry_planning.

    os shared.RegistryOSType (string)

    Possible values: [linux,linuxARM64,windows]

    RegistryOSType specifies the registry images base OS type

    registry string

    Registry address (e.g., https://gcr.io).

    repository string

    Repositories to scan.

    scanError string

    ScanError is the error received while scanning the specification.

    scanStatus string

    ScanStatus is the scan status that's updated dynamically during the scan, when the scan finishes - its value is passed to the LastScanStatus field in the DB.

    scanTime date-time

    ScanTime specifies the time a scan was started.

    scannedImagesSuccessTotal integer

    ScannedImagesSuccessTotal is the total number of registry images that were scanned successfully on the last registry specification scan.

    scanners integer

    Number of Defenders that can be utilized for each scan job.

    tag string

    Tags to scan.

    version string

    Registry type. Determines the protocol Prisma Cloud uses to communicate with the registry.

    versionPattern string

    Pattern heuristic for quickly filtering images by tags without having to query all images for modification dates.

Responses

OK

Loading...